Check: RCKS-NDM-000500
RUCKUS ICX NDM STIG (version v1 r1)
Title
The RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. (Cat I impact)
Discussion
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. Security processes must therefore be configured to use only FIPS-approved and NIST-recommended authentication algorithms.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000156-NDM-000250, SRG-APP-000172-NDM-000259, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331, SRG-APP-000880-NDM-000290
Check Content
Verify the FIPS module has been enabled.

Router#fips show
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON
System Specific:
OS monitor access status is: Disabled
Management Protocol Specific:
Telnet server: Disabled
Telnet client: Disabled
TFTP client: Disabled
SNMP Access to security objects: Disabled
Critical security Parameter updates across FIPS boundary:
Protocol Shared secret and host passwords: Clear
Password Display: Disabled
Certificate Specific:
HTTPS RSA Host Keys and Signature: Clear
SSH DSA Host keys: Clear
SSH RSA Host keys: Clear
CC Enable AAA Server Any: Retain

If the fips show command does not output "FIPS mode: Administrative status ON: Operational status ON", this is a finding.
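The check above can be automated against saved `fips show` output. The following is an added example (not part of the STIG and not RUCKUS code) that parses the status lines and reports a finding whenever FIPS mode is not both administratively and operationally ON; the sample outputs are constructed from the expected output quoted above, and the function names are the example's own.

```python
import re

# Constructed sample modelled on the compliant `fips show` output quoted in
# the Check Content (not captured from a real device; trimmed to the lines
# the check needs).
COMPLIANT_OUTPUT = """\
Router#fips show
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON
Telnet server: Disabled
Telnet client: Disabled
"""

# Constructed non-compliant variant: FIPS mode enabled in configuration but
# not yet operational, which is what an un-reloaded device would show.
PENDING_OUTPUT = COMPLIANT_OUTPUT.replace(
    "FIPS mode: Administrative status ON: Operational status ON",
    "FIPS mode: Administrative status ON: Operational status OFF",
)

# Matches the two status lines of interest and captures both ON/OFF flags.
STATUS_RE = re.compile(
    r"^(?P<name>FIPS mode|Common-Criteria):\s*"
    r"Administrative status (?P<admin>ON|OFF):\s*"
    r"Operational status (?P<oper>ON|OFF)\s*$"
)

def parse_fips_show(output: str) -> dict:
    """Return {name: (admin, oper)} for each status line found in the output."""
    found = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            found[m["name"]] = (m["admin"], m["oper"])
    return found

def check_rcks_ndm_000500(output: str) -> dict:
    """Apply the check: a finding unless FIPS mode is ON both administratively
    and operationally. A missing line is treated as a finding, not as a pass."""
    statuses = parse_fips_show(output)
    admin, oper = statuses.get("FIPS mode", ("MISSING", "MISSING"))
    return {
        "finding": (admin, oper) != ("ON", "ON"),
        "fips_admin": admin,
        "fips_oper": oper,
        "common_criteria": statuses.get("Common-Criteria"),
    }
```

Feed the function the raw text of `fips show` captured from a console session; a `finding` of `True` means the device fails this check.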
Fix Text
Configure the network device to use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. Use a console session directly attached to the ICX switch to log in:

device(config)#configuration terminal
device(config)# fips enable common-criteria
device# fips zeroize all
device# write memory
device# reload
Additional Identifiers
Rule ID: SV-273808r1111022_rule
Vulnerability ID: V-273808
Group Title: SRG-APP-000179-NDM-000265
CCIs
Number | Definition
---|---
CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels.
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
CCI-002890 | Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
CCI-003123 | Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
CCI-004192 | Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.