Details
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication. Factors include:
1) Something you know (e.g., password/PIN);
2) Something you have (e.g., cryptographic, identification device, token); and
3) Something you are (e.g., biometric).
Non-privileged accounts are not authorized on the network element regardless of configuration.
Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
This requirement applies to ALGs that provide user authentication intermediary services.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If user authentication intermediary services are provided, configure the BIG-IP Core as follows:
Configure a policy in the BIG-IP APM module to use multifactor authentication for network access to non-privileged accounts.
Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module so that multifactor authentication is used for network access to non-privileged accounts when granting access to virtual servers.
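One way to spot-check the second step offline, as an added example that is not part of the original benchmark or F5's tooling: the Python below parses a text export of the BIG-IP configuration and lists virtual servers that reference no APM access profile. The sample configuration, object names and function names are constructed for illustration, and the stanza layout (`apm profile access` and `ltm virtual` blocks with a `profiles { }` list) is assumed to match the exported file.

```python
import re

# Constructed bigip.conf-style excerpt (sample data, not from the original page).
SAMPLE_CONF = """\
apm profile access /Common/mfa_access {
    default-language en
}
ltm virtual /Common/vs_portal {
    destination /Common/192.0.2.10:443
    profiles {
        /Common/http { }
        /Common/mfa_access { }
    }
}
ltm virtual /Common/vs_legacy {
    destination /Common/192.0.2.11:443
    profiles {
        /Common/http { }
    }
}
"""

# Top-level stanza headers start in column 0; nested blocks are indented.
HEADER = re.compile(r"^(apm profile access|ltm virtual) (\S+) \{", re.M)

def stanza_body(conf, start):
    """Return the text inside the brace block that opens at conf[start]."""
    depth = 0
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def virtuals_without_access_profile(conf):
    """List virtual servers whose profiles include no APM access profile."""
    access, virtuals = set(), {}
    for m in HEADER.finditer(conf):
        body = stanza_body(conf, m.end() - 1)
        if m.group(1) == "apm profile access":
            access.add(m.group(2))
            continue
        p = re.search(r"^\s*profiles \{", body, re.M)
        inner = stanza_body(body, p.end() - 1) if p else ""
        virtuals[m.group(2)] = set(re.findall(r"^\s*(/\S+) \{", inner, re.M))
    return sorted(v for v, profs in virtuals.items() if not profs & access)

if __name__ == "__main__":
    print(virtuals_without_access_profile(SAMPLE_CONF))
```

A virtual server that passes this check only has an access profile attached; whether that profile's policy actually enforces two or more factors still has to be reviewed in the APM policy itself. The brace matcher does not handle braces inside quoted strings, so stanzas such as iRules should be excluded from the input.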
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: F5.
References
- 800-53|IA-2(2)
- CAT|II
- CCI|CCI-000766
- Rule-ID|SV-215761r557356_rule
- STIG-ID|F5BI-LT-000079
- STIG-Legacy|SV-74733
- STIG-Legacy|V-60303
- Vuln-ID|V-215761