Check: DSN13.16
Defense Switched Network (DSN) STIG:
DSN13.16
(in versions v2 r8 through v2 r7)
Title
Access to all management system workstations and administrative / management ports is NOT remotely authenticated (Cat II impact)
Discussion
Requirement: The IAO will ensure that remote authentication is used to control access to all management system workstations and administrative / management ports on any device or system. The term remote authentication refers to a system or device that communicates with a remote Authentication, Authorization, and Accounting (AAA) server to validate the user's account information before granting access. The remote server can also control user rights or permissions based on their defined roles. Systems such as RADIUS, DIAMETER, and TACACS+ typically provide this functionality for network elements; systems such as domain controllers provide it for network management workstations. The use of a centralized AAA server provides for centralized management of all network element SA accounts and privileges, which eliminates the need for an SA to have an individual account on each network element. This reduces the chance that an account will be compromised, since the centralized server can be better protected than each network element, and it reduces the number of accounts in the network that can be easily accessed and compromised. A network consists of many network elements that cannot each be individually protected; an SA account on every one of them multiplies the chance that an account will be compromised. Additionally, the use of a centralized AAA server supports proper password management when an SA is required to manage multiple devices. If the SA had to change his/her password on each device, the chance that a password is not changed (a device is missed) is greater.

NOTE: This requirement supports, and is supported by, the Network Infrastructure STIG requirements that AAA servers are to be implemented in the enclave's management network. In general the DSN system should integrate with the AAA service that already exists in the enclave's management network if possible.
This requirement is primarily focused on a group of distributed devices such as those that comprise a network (e.g., LAN switches, routers, backbone transport devices, distributed media gateways, endpoints, etc.). A system/device that is itself centralized (e.g., a telecom switch or VoIP controller) may be capable of comprehensive role-based AAA services such that it can stand on its own, and it may be protected from external access much as a centralized AAA server would be. Even so, it is still best practice to integrate such a device with a centralized AAA server, particularly if multiple SAs must have access from multiple locations such as different local or remote NOCs.
Check Content
Review the current configuration files of affected devices to confirm compliance: management access (administrative ports, management workstations) must be authenticated against a remote AAA server rather than against local accounts alone.
Fix Text
Configure the system to utilize the services of a centralized AAA server. Typically this will be the same server as is implemented in the network management network, where there should be a primary and a backup server; configure the system to use both the primary and the backup AAA servers. NOTE: If the system/device cannot reach a centralized AAA server (such as in a tactical environment), configure the system to provide comprehensive AAA services locally.
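As an added illustration (not part of the STIG text), the following Python script performs the review described under Check Content on a saved running-config. It assumes Cisco IOS-style AAA syntax, which the STIG does not prescribe; the two sample configurations, their hostnames, server names and addresses are constructed for the example. It fails a device that has no AAA model enabled, defines fewer than two AAA servers (no primary/backup pair), has no default login method list, or consults local accounts before the server group; it only warns when there is no local fallback method or no exec authorization list, since those are the Fix Text's fallback and role-control points rather than the core finding.

```python
import re
from typing import Dict, List

# Constructed sample running-configs in Cisco IOS-style syntax (an assumption:
# the STIG is vendor-neutral and other platforms express these settings differently).
# Noncompliant: management logins are validated only against a local account.
NONCOMPLIANT_CFG = """\
hostname mgw-01
username admin privilege 15 secret 5 $1$abcd$placeholderhash
line vty 0 4
 login local
 transport input ssh
"""

# Compliant: primary and backup TACACS+ servers in a group, consulted first,
# with a local account kept only as a fallback if both servers are unreachable.
COMPLIANT_CFG = """\
hostname mgw-02
aaa new-model
tacacs server AAA-PRIMARY
 address ipv4 10.0.0.11
 key 7 placeholderkey
tacacs server AAA-BACKUP
 address ipv4 10.0.0.12
 key 7 placeholderkey
aaa group server tacacs+ MGMT-AAA
 server name AAA-PRIMARY
 server name AAA-BACKUP
aaa authentication login default group MGMT-AAA local
aaa authorization exec default group MGMT-AAA local
aaa accounting exec default start-stop group MGMT-AAA
username emergency privilege 15 secret 5 $1$wxyz$placeholderhash
line vty 0 4
 transport input ssh
"""

# Current-style "tacacs server NAME" / "radius server NAME" stanzas and the
# legacy "tacacs-server host" / "radius-server host" form both count as a server.
SERVER_RE = re.compile(r"^(?:tacacs|radius) server \S+|^(?:tacacs|radius)-server host \S+", re.M)
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)", re.M)
LOGIN_RE = re.compile(r"^aaa authentication login default (.+)$", re.M)
AUTHZ_RE = re.compile(r"^aaa authorization exec default (.+)$", re.M)


def check_dsn13_16(config: str) -> Dict[str, object]:
    """Evaluate one device config. 'findings' fail the check; 'warnings' are advisory."""
    findings: List[str] = []
    warnings: List[str] = []

    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model is not enabled; AAA method lists cannot be applied")

    servers = SERVER_RE.findall(config)
    if len(servers) < 2:
        findings.append(f"{len(servers)} AAA server(s) defined; a primary and a backup are required")

    groups = set(GROUP_RE.findall(config))
    m = LOGIN_RE.search(config)
    if m is None:
        findings.append("no 'aaa authentication login default' method list")
    else:
        methods = m.group(1).split()
        if methods[0] != "group":
            # e.g. "local group MGMT-AAA": local accounts are tried before the AAA server.
            findings.append(f"default login list consults '{methods[0]}' before any AAA server group")
        else:
            name = methods[1] if len(methods) > 1 else ""
            if name not in ("tacacs+", "radius") and name not in groups:
                findings.append(f"login list references undefined server group '{name}'")
        if "local" not in methods:
            warnings.append("no local fallback method; device is locked out if every AAA server is down")

    if AUTHZ_RE.search(config) is None:
        warnings.append("no exec authorization list; rights/roles are not controlled by the AAA server")

    return {"compliant": not findings, "findings": findings, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("mgw-01", NONCOMPLIANT_CFG), ("mgw-02", COMPLIANT_CFG)):
        result = check_dsn13_16(cfg)
        print(label, "COMPLIANT" if result["compliant"] else "OPEN")
        for line in result["findings"]:
            print("  finding:", line)
        for line in result["warnings"]:
            print("  warning:", line)
```

Run it as-is to see one open and one compliant result; in practice feed it each device's exported configuration and treat any non-empty findings list as this check being open for that device. The regexes are deliberately narrow to the syntax assumed above, so a platform that expresses AAA differently needs its own patterns rather than a pass-by-default.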
Additional Identifiers
Rule ID: SV-9057r1_rule
Vulnerability ID: V-8560
Group Title: Management access NOT remotely authenticated
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |