An error occurred:

Check: WSDP-AG-000050

IBM DataPower ALG STIG: WSDP-AG-000050 (in version v1 r1)

Title

The DataPower Gateway must invalidate session identifiers upon user logout or other session termination. (Cat II impact)

Discussion

Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the network element must terminate the user session to minimize the potential for an attacker to hijack that particular user session. ALGs act as an intermediary for application; therefore, session control is part of the function provided. This requirement focuses on communications protection at the application session, versus network packet level.

Check Content

From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status. Then, verify that the session identifiers (TIDs) in the System Log are random; Status >> View Logs >> Systems Logs. If the device is not set to FIPS 140-2 Level 1, this is a finding.

Fix Text

From the DataPower command line, enter "use-fips on" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use "Set Cryptographic Mode" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to "FIPS 140-2 Level 1" mode. This will achieve NIST SP800-131a compliance.

Additional Identifiers

Rule ID: SV-79725r1_rule

Vulnerability ID: V-65235

Group Title: SRG-NET-000231-ALG-000114

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001185

The information system invalidates session identifiers upon user logout or other session termination.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-23 (1)

Invalidate Session Identifiers At Logout