Free DISA STIG and SRG Library | Vaulted

V-35381

The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.

Previous revision (r3): The application server must ensure authentication of both client and server during the entire session.

Finding ID
SRG-APP-000219-AS-000147
Rule ID
SV-46668r4_rule (previous revision: SV-46668r3_rule)
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000219-AS-000147
CCI
CCI-001184
Target Key
(None)
Documentable
No
Discussion

Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application server. In those instances, the application server hosting the service/application is considered the server. The application server, proxy or application gateway consuming the hosted service is considered a client. Authentication is accomplished via the use of certificates and protocols such as TLS mutual authentication. Authentication must be performed when the proxy is exposed to an untrusted network or when data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway.

Previous revision (r3): This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both client and server authenticate each other.
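As an added example (not part of the SRG text or of any vendor's product configuration), the Go program below stands up a TLS listener that presents its own certificate and refuses any peer that cannot present a client certificate chaining to the trusted CA, which is the behaviour this requirement asks of an application server facing a proxy or gateway. It then exercises that listener with a trusted proxy certificate, with no certificate at all, and with a certificate from an untrusted CA; the CA names, host names and loopback port are assumptions constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints an Ed25519 cert for cn signed by parent; with parent nil it becomes a self-signed root CA.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as a real CA would use
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // no issuer given: make this a self-signed root CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf} // leaves carry serverAuth and clientAuth
}

// handshake runs one TLS handshake over loopback TCP with the server set up as the SRG requires: it presents its own
// certificate and demands a client certificate chaining to ca. clientCreds may be empty to model a peer that offers nothing.
func handshake(ca, server tls.Certificate, clientCreds ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}) // ClientAuth is the control point
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1) // the server's decision: nil means both sides authenticated each other
	go func() {
		conn, _ := ln.Accept()
		verdict <- conn.(*tls.Conn).Handshake()
		conn.Close()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool,
		ServerName: server.Leaf.Subject.CommonName, Certificates: clientCreds}); err == nil {
		conn.Close() // a TLS 1.3 client finishes first; with tickets disabled the server needs nothing more from it
	}
	return <-verdict
}
```

Dropping ClientAuth back to the default (NoClientCert) makes the second and third cases succeed as well, which is exactly the misconfiguration the Check Content is meant to catch.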

Fix Text

Configure the application server to mutually authenticate proxy servers, other application servers and application gateways as specified.

Previous revision (r3): Configure the application server to mutually authenticate during the entire session as required by application design and policy.

Check Content

Review the application server documentation, system security plan and application data protection requirements. If the connected web proxy is exposed to an untrusted network or if data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway and the application server is not configured to mutually authenticate the application server, proxy server or gateway, this is a finding.

Previous revision (r3): Review the application server configuration and documentation to ensure the application server provides mutual authentication capabilities. If the application server does not provide the ability for applications to utilize mutual authentication, this is a finding.