The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-251013 | MOIS-AL-000180 | SV-251013r1028178_rule | Medium |
| Description |
| SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks which exploit vulnerabilities in this protocol. |
| STIG | Date |
| Ivanti Sentry 9.x ALG Security Technical Implementation Guide | 2024-09-25 |
Details
| Check Text (C-54448r1004763_chk) |
| Verify the Sentry is configured to implement the applicable required TLS settings in NIST PUB SP 800-52. 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. For each of the following configurations, follow the step 4 procedure: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL configuration d. Access SSL configuration 4. Verify only TLS 1.2 is selected. If any other protocol is selected, this is a finding. For more information, go to the "Sentry 9.8.0 guide for Core" and refer the main section "Standalone Sentry Settings", which includes subsections on how TLS 1.2 is set as the default protocol: 1. Incoming SSL configuration 2. Outgoing SSL configuration 3. UEM SSL configuration 4. Access SSL configuration Sentry conforms to the NIST SP 800-52 TLS settings by setting TLS 1.2 by default. |
| Fix Text (F-54402r1004764_fix) |
| Configure the Sentry to comply with applicable required TLS settings in NIST PUB SP 800-52. 1. Log in to Sentry. 2. Go to Settings >> Services >> Sentry. 3. For each of the following configurations, follow the step 4 procedure: a. Incoming SSL configuration b. Outgoing SSL configuration c. UEM SSL configuration d. Access SSL configuration 4. Select only TLS 1.2 and remove others if selected. 5. Click "Apply". |