Check: SAN04.011.00
Storage Area Network STIG: SAN04.011.00 (in versions v2 r4 through v2 r3)
Title
The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates. (Cat III impact)
Discussion
DoD PKI provides better protection against malicious attacks than user ID/password authentication and should be used whenever it is feasible.
Check Content
The reviewer will, with the assistance of the IAO/NSO, verify that fabric switches are protected by DoD PKI. View the installed device certificates. Verify that a DoD-approved certificate is loaded. If any of the certificates have the name or identifier of a non-DoD-approved source in the Issuer field, this is a finding.
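The Issuer review described above can be scripted over an exported certificate inventory. The following is an added example, not part of the STIG: the inventory rows, the switch names, and the approved-issuer attributes are constructed assumptions that a site would replace with its own export and its own list of approved CAs.

```python
# Added example: flag switch certificates whose Issuer is not an approved CA.
# Assumption: an approved issuer DN carries all of these attributes; replace
# this set with the site's own list of approved issuing CAs.
APPROVED_ISSUER_ATTRS = {("o", "u.s. government"), ("ou", "dod"), ("ou", "pki")}

def parse_dn(dn):
    """Turn 'CN=x, OU=y' (or OpenSSL's 'CN = x, OU = y') into a set of pairs.
    Assumes no escaped commas inside attribute values."""
    pairs = set()
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        pairs.add((attr.strip().lower(), value.strip().lower()))
    return pairs

def audit(inventory, approved=APPROVED_ISSUER_ATTRS):
    """Return (switch, reason) for every certificate that is a finding."""
    findings = []
    for switch, subject, issuer in inventory:
        subj, iss = parse_dn(subject), parse_dn(issuer)
        if not iss:
            findings.append((switch, "issuer missing or unparseable"))
        elif iss == subj:
            findings.append((switch, "self-signed (issuer equals subject)"))
        elif not approved <= iss:
            findings.append((switch, "issuer is not an approved source"))
    return findings

# Constructed inventory: (switch name, Subject DN, Issuer DN)
SAMPLE = [
    ("fabric-sw-01", "CN=fabric-sw-01, OU=PKI, OU=DoD, O=U.S. Government, C=US",
     "CN=EXAMPLE DOD CA-00, OU=PKI, OU=DoD, O=U.S. Government, C=US"),
    ("fabric-sw-02", "CN=fabric-sw-02, O=ExampleVendor", "CN=fabric-sw-02, O=ExampleVendor"),
    ("fabric-sw-03", "CN=fabric-sw-03, O=Site", "CN = ExampleVendor Device CA, O = ExampleVendor"),
    ("fabric-sw-04", "CN=fabric-sw-04", ""),
]

if __name__ == "__main__":
    for switch, reason in audit(SAMPLE):
        print(f"FINDING {switch}: {reason}")
```

Matching the Issuer text mirrors the manual check only; confirming that the certificate actually chains to an installed DoD root requires signature validation, since an Issuer name can be copied into a certificate from any CA.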
Fix Text
Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet.
Additional Identifiers
Rule ID: SV-6768r2_rule
Vulnerability ID: V-6634
Group Title: SAN Switch encryption and DOD PKI
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |