| Finding ID |
Severity |
Title |
Description |
|
V-273840
|
High |
The RUCKUS ICX device must be running an operating system release that is currently supported by the vendor. |
RUCKUS ICX devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. |
|
V-273839
|
High |
The RUCKUS ICX device must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). |
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before... |
|
V-273835
|
High |
The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. |
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's RUCKUS ICX devices can be more readily analyzed for trends and anomalies. The... |
|
V-273809
|
High |
The RUCKUS ICX device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements. |
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by... |
|
V-273808
|
High |
The RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. |
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.
Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2/140-3 is the current standard... |
|
V-273798
|
High |
The RUCKUS ICX device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services |
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
Network devices are capable of providing a wide variety of functions and services. Some of the... |
|
V-273784
|
High |
The RUCKUS ICX device must be configured to assign appropriate user roles or access levels to authenticated users. |
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods... |
|
V-273851
|
Medium |
The RUCKUS ICX device must be configured to compare the internal system clocks on an organization-defined frequency with two organization-defined authoritative time sources. |
Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network. |
|
V-273850
|
Medium |
The RUCKUS ICX device must be configured to synchronize system clocks within and between systems or system components. |
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems... |
|
V-273848
|
Medium |
The RUCKUS ICX device must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. |
Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed... |
|
V-273838
|
Medium |
The RUCKUS ICX device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice. |
|
V-273832
|
Medium |
The RUCKUS ICX device must off-load audit records onto a different system or media than the system being audited. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000360-NDM-000295 |
|
V-273830
|
Medium |
Security-relevant firmware updates must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error... |
|
V-273829
|
Medium |
The RUCKUS ICX device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. |
DoS is a condition that occurs when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or... |
|
V-273826
|
Medium |
The RUCKUS ICX device must authenticate Network Time Protocol sources using authentication that is cryptographically based. |
If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by... |
|
V-273825
|
Medium |
The RUCKUS ICX device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). |
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without the use of a network. A... |
|
V-273821
|
Medium |
The RUCKUS ICX device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. |
|
V-273820
|
Medium |
The RUCKUS ICX device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. |
To ensure network devices have a sufficient storage capacity in which to write the audit logs, they must be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined... |
|
V-273802
|
Medium |
The RUCKUS ICX device must enforce password complexity and length requirements. |
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
The shorter the password, the lower the number... |
|
V-273799
|
Medium |
The RUCKUS ICX device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. |
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as... |
|
V-273789
|
Medium |
The RUCKUS ICX device must generate audit records containing the full-text recording of privileged commands. |
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the... |
|
V-273788
|
Medium |
The RUCKUS ICX device must initiate session auditing upon startup. |
If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Satisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228,... |
|
V-273787
|
Medium |
The RUCKUS ICX device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device. |
Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via logon interfaces with human users.
Satisfies: SRG-APP-000068-NDM-000215,... |
|
V-273786
|
Medium |
The RUCKUS ICX device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. |
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
|
V-273785
|
Medium |
The RUCKUS ICX device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies. |
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a... |