Detections
Analytics
F5BI-LT-000079 - The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.
Information
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.Multifactor authentication uses two or more factors to achieve authentication. Factors include:
1) Something you know (e.g., password/PIN);
2) Something you have (e.g., cryptographic, identification device, token); and
3) Something you are (e.g., biometric).
Non-privileged accounts are not authorized on the network element regardless of configuration.
Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
This requirement applies to ALGs that provide user authentication intermediary services.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If user authentication intermediary services are provided, configure the BIG-IP Core as follows:Configure a policy in the BIG-IP APM module to use multifactor authentication for network access to non-privileged accounts.
Apply APM policy to the applicable Virtual Server(s) in BIG-IP LTM module to use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_Y25M01_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP Local Traffic Manager STIG v2r4
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2(2), CAT|II, CCI|CCI-000766, Rule-ID|SV-215761r954210_rule, STIG-ID|F5BI-LT-000079, STIG-Legacy|SV-74733, STIG-Legacy|V-60303, Vuln-ID|V-215761
Plugin: F5
Control ID: 19ec60422b2e4ef9d1931c2ec48687a35d6d4b94b939b521131944f1345a4a37