Ivanti Connect Secure NDM STIG Version Comparison
Ivanti Connect Secure NDM Security Technical Implementation Guide
Comparison
There are 3 differences between versions v1 r1 (Nov. 8, 2023) (the "left" version) and v2 r2 (Oct. 24, 2024) (the "right" version).
Check IVCS-NM-000015 was added to the benchmark in the "right" version.
Text Differences
Title
The ICS must be configured to protect against known types of denial-of-service (DoS) attacks by enabling JITC mode.
Check Content
In the ICS Web UI, navigate to System >> Configuration >> Security >> Inbound SSL Options.
1. Verify that the "Turn on JITC mode" checkbox is enabled (checked).
2. Verify that the "Turn on NDcPP mode" checkbox is enabled (checked).
If JITC mode is not enabled, this is a finding.
Discussion
This configuration protects the confidentiality of Web UI sessions and guards against DoS attacks. If JITC (DODIN APL) mode is enabled, the following protections are enforced:
- Log support for detection and prevention of SMURF/SYN Flood/SSL Replay attacks.
- Disable ICMPv6 echo response for multicast echo requests.
- Disable ICMPv6 destination unreachable response.
- Password strengthening.
- Notification for unsuccessful admin login attempts.
- Re-authentication of admin users.
- Notification on admin status change.
When JITC and FIPS mode are enabled, audit logging of DoS attacks such as flooding and replay attacks is enabled inherently. JITC and FIPS mode are required for ICS use in DOD. When the NDcPP option is enabled, only NDcPP-approved cryptographic algorithms are permitted.
Fix
In the ICS Web UI, navigate to System >> Configuration >> Security >> Inbound SSL Options.
1. Under "DOD Certification Option", check (enable) "Turn on JITC mode" to enable the JITC mode security features.
2. Once "Turn on JITC mode" is checked, "Turn on NDcPP mode" and "Turn on FIPS mode" are also checked automatically.
3. Click "Save changes" and confirm when the Web UI prompts about SSL cipher configuration changes.