Home
Security Hardening
DISA F5 Big IP Local Traffic Manager 11.x STIG V2R1

DISA F5 Big IP Local Traffic Manager 11.x STIG V2R1

F5BI-LT-000193 – A BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
Details For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system...
F5BI-LT-000093 – The BIG-IP Core implementation must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.
Details Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take...
F5BI-LT-000195 – The BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.
Details For remote access to privileged accounts, the purpose of requiring a device that is separate from the information system...
F5BI-LT-000097 – The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions.
Details Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses...
F5BI-LT-000203 – The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network.
Details When revocation data is unavailable from the network, the system should be configured to deny-by-default to mitigate the risk...
F5BI-LT-000139 – The BIG-IP Core implementation must be configured to activate a session lock to conceal information previously visible on the display for connections to virtual servers.
Details A session time-out lock is a temporary action taken when a user stops work and moves away from the...
F5BI-LT-000213 – The BIG-IP Core implementation must be configured to only allow the use of DoD-approved PKI-established certificate authorities for verification of the establishment of protected sessions.
Details Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to...
F5BI-LT-000215 – The BIG-IP Core implementation must be configured to protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis when providing content filtering to virtual servers.
Details If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of...
F5BI-LT-000211 – The BIG-IP Core implementation must be able to conform to FICAM-issued profiles when providing authentication to virtual servers.
Details Without conforming to Federal Identity, Credential, and Access Management (FICAM)-issued profiles, the information system may not be interoperable with...

DISA F5 Big IP Local Traffic Manager 11.x STIG V2R1

F5BI-LT-000097 – The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions.

F5BI-LT-000203 – The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network.

F5BI-LT-000139 – The BIG-IP Core implementation must be configured to activate a session lock to conceal information previously visible on the display for connections to virtual servers.

F5BI-LT-000213 – The BIG-IP Core implementation must be configured to only allow the use of DoD-approved PKI-established certificate authorities for verification of the establishment of protected sessions.

F5BI-LT-000215 – The BIG-IP Core implementation must be configured to protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis when providing content filtering to virtual servers.

F5BI-LT-000211 – The BIG-IP Core implementation must be able to conform to FICAM-issued profiles when providing authentication to virtual servers.