Free DISA STIG and SRG Library | Vaulted

V-4512

CSS DNS does not cryptographically authenticate APP sessions.

Finding ID
DNS0915
Rule ID
SV-4512r1_rule
Severity
Cat I
CCE
(None)
Group Title
CSS DNS does not cryptographically authenticate.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The risk to the CSS DNS in this situation is that the CSS DNS peers do not authenticate each other: the sending and receiving of APP session data and peer communication may be with an adversary rather than the intended peer, thereby sending sensitive network architecture data to, and receiving ill-intended zone data from, that adversary. To protect against this possibility, the CSS DNS peers must cryptographically authenticate each other.

Fix Text

The command, show app session, displays that the authentication type is not set to authChallenge and the encryption type is not set to encryptMd5hash.

Check Content

In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode: show app session. Confirm the authentication type is set to “authChallenge” and the encryption type is set to “encryptMd5hash.” This will confirm that APP CHAP authentication and MD5 hashing features for APP sessions are configured between peers; if this is not the case, then this is a finding. The only exception would be if the CSS DNS administrator uses an IPSEC VPN between each peer couple. Review the IPSEC VPN with the CSS DNS administrator and validate that the IPSEC VPN is configured between peers; if this is not the case, then this is a finding.
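The check above, automated as an added example that is not part of the STIG or any DISA tooling: it parses a captured show app session output for the two required settings and applies the IPsec exception. The output layout, field labels and sample captures are assumptions, not real CSS output.

```python
"""Evaluate a Cisco CSS 'show app session' capture against STIG V-4512 (DNS0915).

Added example, not part of the STIG text. The output layout below is an
assumption: a real CSS may label the fields differently, so adjust the two
regular expressions to match what the device actually prints.
"""
import re

REQUIRED_AUTH = "authChallenge"      # APP CHAP authentication between peers
REQUIRED_ENCRYPT = "encryptMd5hash"  # MD5 hashing of APP session data

# Constructed sample captures (assumed layout, not taken from a real device).
SAMPLE_COMPLIANT = """\
APP Session Information
  Peer: 192.0.2.10   State: APP_SESSION_UP
  Authentication type: authChallenge
  Encryption type: encryptMd5hash
"""
SAMPLE_NONCOMPLIANT = """\
APP Session Information
  Peer: 192.0.2.10   State: APP_SESSION_UP
  Authentication type: authNone
  Encryption type: encryptNone
"""

def parse_app_session(output):
    """Extract the authentication and encryption settings from the capture."""
    settings = {}
    for key, label in (("auth", "Authentication type"), ("encrypt", "Encryption type")):
        match = re.search(rf"{label}\s*:\s*(\S+)", output, re.IGNORECASE)
        settings[key] = match.group(1) if match else None  # None: field absent
    return settings

def evaluate(output, ipsec_between_peers=False):
    """Return (is_finding, reason) for one capture.

    ipsec_between_peers records the reviewer's validation that an IPsec VPN
    protects each peer couple, the only exception the STIG allows.
    """
    s = parse_app_session(output)
    if s["auth"] == REQUIRED_AUTH and s["encrypt"] == REQUIRED_ENCRYPT:
        return False, "APP CHAP authentication and MD5 hashing configured between peers"
    if ipsec_between_peers:
        return False, "APP session unauthenticated, but IPsec VPN validated between peers"
    return True, f"Cat I finding: authentication={s['auth']!r}, encryption={s['encrypt']!r}"

if __name__ == "__main__":
    for name, capture in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        finding, reason = evaluate(capture)
        print(f"{name}: finding={finding} ({reason})")
```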

Responsibility

System Administrator

IA Controls

DCNR-1