Detections
Analytics
F5BI-AP-000234 - The F5 BIG-IP appliance must not use the On-Demand Cert Auth VPE agent as part of the APM Policy Profiles.
Information
By requiring mutual authentication before any communication, it becomes significantly challenging for attackers to impersonate a client or server and exploit vulnerabilities. Furthermore, the encryption of all data transmitted between the client and server ensures that even if an attacker intercepts the data, it remains unintelligible without the correct keys.To ensure the use of the mutual TLS (mTLS) for session authentication, the On-Demand Cert Auth VPE agent should not be used. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. However, if On-Demand is configured, the client SSL profile skips the initial SSL handshake, and On-Demand Cert Auth action can renegotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. Setting ODCA to 'require' the client cert means the client cannot get any further in the APM VPE without providing a valid certificate. 'Request' would ask the client for a certificate, but the client could still continue if they did not provide one. Thus, the Client Certificate should be set to 'require' in the client SSL profile (F5BI-LT-000213) since removing ODCA from the VPE alone will result in the client never being prompted for a certificate.
Within the Virtual Policy Editor (VPE) of the relevant Access Profile, do not use the On-Demand Cert Auth VPE agent. Configure only the Client Certification Inspection VPE Agent. This adjustment directs the BIG-IP to scrutinize the Client Certificate during the mTLS handshake process and extract the Certificate's details into APM session variables.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Remove On-Demand Cert.From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click 'Edit' under 'Per-Session Policy' for the Access Profile.
5. Remove any 'On-Demand Cert Auth' agents in the profile.
6. Add a 'Client Cert Inspection' object in place of the previous 'On Demand Cert Auth' agent.
7. Click 'Apply Access Policy'.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_Y24M01_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP Access Policy Manager STIG v2r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-23, CAT|II, CCI|CCI-001184, Rule-ID|SV-260053r947421_rule, STIG-ID|F5BI-AP-000234, Vuln-ID|V-260053
Plugin: F5
Control ID: f91f124d4c8698cc874b1e2f947bff84cbbf5a4c530a36b36856d3bcade4930d