F5BI-LT-000083 – The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.

Details

A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the ‘root certificate’ or ‘trust anchor’ such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted.
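The path construction described above, as an added example that is not part of the original page and is not F5 or DISA code. It models a certificate as a small record (the `Cert` class, the names and the sample data are all constructed for illustration) and checks validity period and revocation status at every link; signature verification is deliberately left out of the model.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:                      # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date

def validate_path(leaf, pool, anchors, revoked, today, max_depth=8):
    """Walk issuer links from leaf to a trust anchor, checking status on the way.

    pool:    {subject: Cert} of untrusted intermediate certificates
    anchors: set of trusted root subject names
    revoked: {(issuer, serial)} entries taken from CRLs
    Returns (ok, detail). Signatures are NOT verified in this model.
    """
    path, cert = [], leaf
    while len(path) < max_depth:
        if cert.subject in path:
            return False, f"issuer loop at {cert.subject}"
        path.append(cert.subject)
        if not cert.not_before <= today <= cert.not_after:
            return False, f"outside validity period: {cert.subject}"
        if (cert.issuer, cert.serial) in revoked:
            return False, f"revoked: {cert.subject}"
        if cert.issuer in anchors:
            return True, " -> ".join(path + [cert.issuer])
        if cert.issuer not in pool:
            return False, f"no path to a trust anchor from {cert.subject}"
        cert = pool[cert.issuer]
    return False, "path exceeds maximum depth"

# Constructed sample data: one root, one intermediate, three client certificates.
TODAY = date(2022, 7, 16)
V = (date(2021, 1, 1), date(2024, 1, 1))
ANCHORS = {"CN=Example Root CA"}
POOL = {"CN=Example Issuing CA": Cert("CN=Example Issuing CA", "CN=Example Root CA", 2, *V)}
REVOKED = {("CN=Example Issuing CA", 1002)}
GOOD = Cert("CN=client1", "CN=Example Issuing CA", 1001, *V)
BAD = Cert("CN=client2", "CN=Example Issuing CA", 1002, *V)    # serial is on the CRL
ROGUE = Cert("CN=client3", "CN=Unknown CA", 7, *V)             # issuer not known

if __name__ == "__main__":
    for c in (GOOD, BAD, ROGUE):
        print(c.subject, validate_path(c, POOL, ANCHORS, REVOKED, TODAY))
```

A certificate is accepted only when every link up to the anchor passes; a revoked intermediate rejects the whole path even if the subject certificate itself is in good standing.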

Deploying the ALG with TLS enabled may require the CA certificates for each proxy to be used for TLS traffic decryption/encryption. These certificates are installed in each trusted root certificate store used by proxied applications and browsers on each client.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If intermediary services for TLS are provided, configure the BIG-IP Core to validate certificates used for TLS functions by constructing a certification path with status information to an accepted trust anchor.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: F5.

Updated on July 16, 2022