F5BI-LT-000079 - The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.

Information

To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.

Multifactor authentication uses two or more factors to achieve authentication. Factors include:

1) Something you know (e.g., password/PIN);
2) Something you have (e.g., cryptographic, identification device, token); and
3) Something you are (e.g., biometric).

Non-privileged accounts are not authorized on the network element regardless of configuration.

Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.

The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

This requirement applies to ALGs that provide user authentication intermediary services.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If user authentication intermediary services are provided, configure the BIG-IP Core as follows:

Configure a policy in the BIG-IP APM module to use multifactor authentication for network access to non-privileged accounts.

Apply APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_Y24M01_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(2), CAT|II, CCI|CCI-000766, Rule-ID|SV-215761r557356_rule, STIG-ID|F5BI-LT-000079, STIG-Legacy|SV-74733, STIG-Legacy|V-60303, Vuln-ID|V-215761

Plugin: F5

Control ID: 30e145f8993a66cf8408911b2234a9f5daa8df0c606e66266a537d1f15c0c7ea