UC-APL Compliant (Military Unique)

 

1Introduction

The KEMP Virtual LoadMaster (VLM) is an Application Delivery Controller (ADC) that provides load balancing and Secure Sockets Layer (SSL) offloading. The VLM is certified under the DoD Unified Capabilities Approved Products List (UC APL) program as an Information Assurance (IA) tool.

Figure 1‑1: KEMP VLM Typical Deployment

In accordance with DoD security guidelines and the specific UC APL implementation guidelines, the KEMP VLM appliance has two approved means of access. The first access method (hypervisor virtual Console Access) is typically used to setup the initial IP address for the management interface on the VLM. The second access method, Web User Interface (WUI) is used to manage and configure the VLM. The Console Access method can also be used to restore the VLM to a default state. All VLM management should be originated from a Security Technical Implementation Guide (STIG)-compliant management workstation. The hypervisor virtual Console method is used to configure the VLM to communicate with other components and to be accessible via Internet Protocol (IP) addressing using Hypertext Transfer Protocol Secure (HTTPS). After the initial configuration is completed, the VMware client session is disconnected, and all administrative tasks are performed using a web browser using HTTPS.

1.1Document Purpose

This document is provided to meet the Conditions of Fielding (para 4.16 h.), specifically this document is the required "KEMP Technologies Virtual LoadMaster, Software Release 7.0-10, Tracking Number 1512701, Military Unique Features Deployment Guide". This document provides instructions on how to configure and set various options in the VLM in order to meet the Unified Capabilities Approved Products List (UC-APL) requirements.

For detailed, step-by-step instructions on some of the VLM features mentioned in this document, please refer to the individual Feature Description documents, for example:

1.2Intended Audience

This document is intended to be read by a network administrator who needs to configure a VLM to meet UC-APL requirements.

1.3Document Feedback

If you have any comments about this document, please forward them to KM@kemptechnologies.com.

2Minimum Requirements

The following security measures (at a minimum) must be implemented to ensure an acceptable level of risk:

  • The system will use a RADIUS server integrated with Active Directory (AD) to authenticate users.
  • The system will use a Syslog device for auditing purposes.
  • Role-based security must be used for user access and management of the vendor’s device.
  • All local user accounts must be deleted on the device after initial setup and configuration, with the exception of one emergency administrative account. The site will also disable local authentication of administrative users.
  • Ensure that the emergency administrative account’s username and password are locked up in separate safes, both of which are not accessible by any one individual, and procedures are implemented to log all access and usage.
  • Ensure the emergency administrative account meets all Department of Defence (DoD) user identification (ID) and password requirements.
  • Ensure that all unused open ports are closed.
  • The device will have management access limited to an authorized Common Access Card (CAC)-enabled workstation which is located in a physically secured area and connected to the management Virtual Local Area Network (VLAN) behind a firewall.
  • Ensure that Telnet, HTTP web service, and SNMPv1 and 2c are disabled.
  • Ensure that Secure Shell (SSH) is disabled.

Instructions on how to meet these minimum requirements are provided throughout the remainder of this document.

3Installation

3.1Minimum Requirements for the VLM

Each KEMP VLM must be allocated a minimum of:

  • 2 vCPUs
  • 2 GB RAM
  • 32 GB disk space

The KEMP license defines the throughput and SSL Transactions Per Second (TPS) performance levels for the VLM.

KEMP recommends that 2vCPUs and 2 GB RAM be added to the VLM Virtual Machine for each additional Gbps throughput required.

3.2Install the VLM

Instructions on installing, initially configuring and licensing the VLM are available in the KEMP Installation Guides which can be found on the KEMP Documentation page: http://kemptechnologies.com/documentation.

For detailed licensing instructions, please refer to the Licensing, Feature Description document which is also located on the KEMP Documentation page: http://kemptechnologies.com/documentation.

4Configuration

The sections below provide instructions on how to configure the VLM and guidance on any other configuration needed in order to meet the UC-APL requirements.

The LoadMaster supports security headers on WUI pages.

4.1Enable FIPS 140-2 Level 1 Mode

Session Management must be enabled in order to enable FIPS 140-2 Level 1 Mode. To enable Session Management, go to Certificates & Security > Admin WUI Access and tick the Enable Session Management check box. For further information on Session Management, refer to the Web User Interface (WUI), Configuration Guide.

To enable FIPS 140-2 Level 1 Mode, follow the steps below in the VLM Web User Interface (WUI):

  1. Go to Certificates & Security > Remote Access.

Figure 4‑1: Enable FIPS mode

  1. Click the Enable Software FIPS mode button.
  2. A number of warnings will appear, proceed through those warnings to enable FIPS mode.

In FIPS mode, LDAPS uses FIPS OpenSSL.

4.2Configure the WUI Access Options

Refer to the sections below to configure the various WUI access options.

4.2.1Enable Client Certificate WUI Authentication

For detailed, step-by-step instructions on how to configure client certificate WUI authentication, refer to the User Management, Feature Description.

4.2.2Disable LDAP

To disable LDAP, follow the steps below in the VLM WUI:

  1. Go to Certificates & Security > Remote Access.

Figure 4‑2: WUI Authorization Options

  1. Click the WUI Authorization Options button.

Figure 4‑3: Disable LDAP

  1. Uncheck the LDAP checkbox.

4.2.3Delete and Disable Local Accounts

To delete and disable local accounts, follow the steps below in the VLM WUI:

  1. In the main menu, go to System Configuration > User Management.

Figure 4‑4: Delete

  1. If any local users are listed, click Delete to remove them. Click OK to the confirmation message.

By default, there are no other local users. Bal is the default administrative user. The bal user should exist locally. Please follow DoD safekeeping practices for treating the bal user as an emergency account.

4.2.4Set a Complex Password for the Bal User

As mentioned in the previous section, bal is the default administrative user. Please follow the steps below to set a complex password for the bal user:

  1. In the main menu of the VLM WUI, go to System Configuration > System Administration > User Management.

Figure 4‑5: Change Password

  1. Enter the Current Password for the bal user.
  2. Enter a new complex password.
  3. Re-enter the new complex password.
  4. Click Set Password.
  5. Seal the complex password into an envelope and store it in an approved security container.

Please follow DoD and local standards when setting and storing the complex password.

4.3Enable an NTP Service

To enable a Network Time Protocol (NTP) Service, follow the steps below in the VLM WUI:

  1. In the main menu, go to System Configuration > System Administration > Date/Time.

Figure 4‑6: Set NTP host

  1. In the NTP host(s) text box, specify the host(s) from which the VLM will set its time. Click Set NTP host.

Multiple hosts can be specified in a space-separated list. The time will be set from the first host that returns a valid answer.

4.4Configure Syslog Hosts

The VLM can produce various warning and error messages using the syslog protocol. These messages are normally stored locally. It is also possible to configure the VLM to transmit these error messages to a remote syslog server. To configure this, follow the steps below in the VLM WUI:

  1. In the main menu, go to System Configuration > Logging Options > Syslog Options.

Figure 4‑7: Hosts

  1. Enter the hosts that will receive the events.

Six different error message levels are defined and each message level may be sent to a different server. Notice messages are sent for information only; Emergency messages normally require immediate user action.

Up to ten individual IP addresses can be specified for each of the Syslog fields. The IP addresses must be differentiated using a space separated list.

Examples of the type of message that may be seen after setting up a Syslog server are below:

  • Emergency: Kernel-critical error messages
  • Critical: Unit one has failed and unit two is taking over as master (in a HA setup)
  • Error: Authentication failure for root from 192.168.1.1
  • Warn: Interface is up/down
  • Notice: Time has been synced
  • Info: Local advertised Ethernet address

One point to note about syslog messages is they are cascading in an upwards direction. Therefore, if a host is set to receive WARN messages, the message file will include message from all levels above WARN but none for levels below.

KEMP recommends not setting all six levels for the same host because multiple messages for the same error will be sent to the same host.

To enable a syslog process on a remote Linux server to receive syslog messages from the VLM, the syslog must be started with the “-r” flag.

4.5Disable SNMP

To disable SNMP, follow the steps below in the VLM WUI:

  1. In the main menu, go to System Configuration > Logging Options > SNMP Options.

Figure 4‑8: Disable SNMP

  1. Remove the tick from the Enable SNMP check box.

4.6Disable API Access

To disable Application Program Interface (API) access to the VLM, follow the steps below in the VLM WUI:

  1. In the main menu, go to Certificates & Security > Remote Access.

Figure 4‑9: Disable the API interface

  1. Ensure that the Enable API Interface check box is not ticked.

4.7Disable SSH Access

To disable SSH access to the VML, follow the steps below in the VLM WUI:

  1. In the main menu, go to Certificates & Security > Remote Access.

Figure 4‑10: Disable SSH Access

  1. Remove the tick from the Allow Remote SSH Access check box.
  2. Click OK to the warning message.

4.8Upload the DoD Certificate

KEMP VLM appliances come with a self-signed certificate. This is not sufficient to meet DoD requirements and additional DoD Public Key Infrastructure (PKI) issued certificates need to be loaded on the KEMP VLM for the purpose of managing the appliance as well as for the purpose of performing SSL acceleration (decryption) by the appliance. To upload the DoD certificates to the VLM, follow the steps below in the VLM WUI:

  1. In the main menu, go to Certificates & Security > SSL Certificates.

Figure 4‑11: Import Certificate

  1. Click the Import Certificate button.

Figure 4‑12: Import Certificate

  1. Click Choose File in the Certificate File section.
  2. Browse to and select the relevant DoD certificate file.
  3. Upload the Key File, if needed.
  4. Enter the Pass Phrase for the certificate.
  5. Enter a recognizable name for the certificate.
  6. Click Save.

Figure 4‑13: Administrative Certificates

  1. After uploading the DoD certificate intended to manage the VLM, select this certificate as the Administrative Certificate to be used to manage the VLM.

Please upload any additional DoD certificates as needed to support load-balanced SSL offloading.

4.9Enable CAC Authentication for WUI Access

KEMP is releasing CAC enabled login functionality in the 7.1-30 software release of the VLM. A number of steps are involved in enabling CAC authentication for WUI access. For step-by-step instructions, refer to Section 3 in the DoD Common Access Card Authentication.

4.10Enable a Minimum of Two Ethernet Interfaces

In order to dedicate an interface for management and connection to the DoD Management VLAN, a minimum of two Ethernet interfaces must be enabled. Ensure the hypervisor has allocated two virtual interfaces to the Virtual Machine created for the KEMP VLM and then follow the steps below using the VLM WUI to add the second interface:

  1. In the main menu, go to System Configuration > Network Setup.
  2. In the Interfaces section, click eth1.

Figure 4‑14: Configure the Interface

  1. Enter the Interface Address (address[/prefix]).
  2. Click Set Address.
  3. Configure any other settings as needed.

4.11Set an Alternate Interface for Management

DoD requires all management be performed on a dedicated interface connected to a closed DoD management VLAN. To change the default eth port for management, follow the steps below in the VLM WUI:

  1. In the main menu, go to Certificates & Security > Remote Access.

Figure 4‑15: Administrator Access

  1. Select the relevant interface, for example eth1, in the Allow Web Administrative Access drop-down list.
  1. Enter the IP address of the desired default gateway in the Admin Default Gateway text box.
  2. Click Set Administrative Access.

These settings will not be applied until the Set Administrative Access button is clicked.

  1. Once this is done, you will need to reconnect your web browser to the new IP address established and enabled as the management interface for the VLM.

4.12Enable Alternate Gateway Support

The management interface (possibly eth1) needs to be connected to the closed DoD Management VLAN. To enable alternate gateway support, follow the steps below in the VLM WUI:

  1. In the main menu, go to System Configuration > Miscellaneous Options > Network Options.

Figure 4‑16: Enable Alternate GW support

  1. Ensure that the Enable Alternate GW support check box is ticked.

4.13Enable DNSSEC Capabilities

DNSSEC works with the following utilities in the LoadMaster:

  • Vipdump
  • Ping and ping6
  • Syslog
  • SNMP
  • Wget
  • NTP
  • SMTP

By default, the LoadMaster DNSSEC client is disabled. Only enable this option if needed. In some circumstances, the DNSSEC validation can take a significant amount of time to fail. This can cause the LoadMaster to appear to freeze or hang.

At least one Nameserver must be added before DNSSEC can be enabled. To enable DNSSEC capabilities on the LoadMaster, follow the steps below:

The LoadMaster must be rebooted in order to apply a change to the DNSSEC option.

When using HA – the DNSSEC option must be configured on both devices separately.

  1. In the LoadMaster WUI, navigate to System Configuration > Network Setup > Host & DNS Configuration.

Table 4‑1: DNSSEC options

  1. Tick the Enable DNSSEC Client check box.

Table 4‑2: Pop-up

  1. Click OK to the pop-up message.

Table 4‑3: Reboot Now

  1. Click Reboot Now.

4.14Add a Firewall Block for alsi.kemptechnologies.com

Block alsi.kemptechnologies.com in the external firewall. Refer to the third party firewall documentation for instructions on how to do this.

4.15Configure Security Event and Incident Management (SEIM)

The VLM does not have built in alerting capabilities. As a result of this, KEMP recommends that DoD tools that analyse syslogd files, for example ArcSight, be tuned to:

  • Look for successive logins without associated logout events to identify potential misuse in this area. ArcSight will provide an alert for unsuccessful login attempts.
  • Look for suspicious activity in audit logs to identify potential misuse.
  • Send an alert when a new account is created on the VLM.
  • Review log data from AD and VLM and generate alerts based on any account changes associated with VLM administrative accounts.
  • Send an alert when a VLM account is deleted.

The SEIM, for example ArcSight, should be configured to use syslogd information and report the results to the Security Manger. For further information on how to configure SEIM, refer to the relevant third party product documentation.

4.16Conditions of Fielding from DoD IAAR

The following is provided as a direct quote from the “INFORMATION ASSURANCE ASSESSMENT REPORT FOR KEMP Technologies Virtual LoadMaster, Software Release 7.0-10 (Tracking Number 1512701)”.

CONDITIONS OF FIELDING. When the system is deployed into an operational environment, the following security measures (at a minimum) must be implemented to ensure an acceptable level of risk for the site's Designated Approving Authority:

a.The system will use a RADIUS server integrated with AD to authenticate users. Otherwise, the following findings are incorporated into the site's architecture:

.Application Security and Development STIG:

i.APP3320, CAT II, Virtual LoadMaster

.Network Device Management SRG:

i.SRG-APP-000023-NDM-000205, CAT II, Virtual LoadMaster

ii.SRG-APP-000025-NDM-000207, CAT II, Virtual LoadMaster

iii.SRG-APP-000026-NDM-000208, CAT II, Virtual LoadMaster

iv.SRG-APP-000027-NDM-000209, CAT II, Virtual LoadMaster

v.SRG-APP-000028-NDM-000210, CAT II, Virtual LoadMaster

vi.SRG-APP-000029-NDM-000211, CAT II, Virtual LoadMaster

vii.SRG-APP-000091-NDM-000223, CAT II, Virtual LoadMaster

viii.SRG-APP-000148-NDM-000246, CAT II, Virtual LoadMaster

ix.SRG-APP-000163-NDM-000251, CAT II, Virtual LoadMaster

x.SRG-APP-000164-NDM-000252, CAT II, Virtual LoadMaster

xi.SRG-APP-000165-NDM-000253, CAT II, Virtual LoadMaster

xii.SRG-APP-000166-NDM-000254, CAT II, Virtual LoadMaster

xiii.SRG-APP-000167-NDM-000255, CAT II, Virtual LoadMaster

xiv.SRG-APP-000168-NDM-000256, CAT II, Virtual LoadMaster

xv.SRG-APP-000169-NDM-000257, CAT II, Virtual LoadMaster

xvi.SRG-APP-000170-NDM-000329, CAT II, Virtual LoadMaster

xvii. SRG-APP-000173-NDM-000260, CAT II, Virtual LoadMaster

xviii. SRG-APP-000174-NDM-000261, CAT II, Virtual LoadMaster

xix.SRG-APP-000389-NDM-000306, CAT II, Virtual LoadMaster

xx.SRG-APP-000495-NDM-000318, CAT II, Virtual LoadMaster

xxi.SRG-APP-000499-NDM-000319, CAT II, Virtual LoadMaster

b.The site will use a Syslog device for auditing purposes. Otherwise, the following findings are incorporated into the site's architecture:

.Application Security and Development STIG:

i.APP3650, CAT II, Virtual LoadMaster

.Network Device Management SRG:

i.SRG-APP-000118-NDM-000235, CAT II, Virtual LoadMaster

ii.SRG-APP-000125-NDM-000241, CAT II, Virtual LoadMaster

iii.SRG-APP-000126-NDM-000242, CAT II, Virtual LoadMaster

iv.SRG-APP-000359-NDM-000294, CAT II, Virtual LoadMaster

.Network Other Devices STIG:

i.NET0386, CAT III, Virtual LoadMaster

.Web Server SRG:

i.SRG-APP-000357-WSR-000150, CAT II, Virtual LoadMaster

ii.SRG-APP-000359-WSR-000065, CAT II, Virtual LoadMaster

c.The site must use role-based security for user access and management of the vendor's device.

d.The site must delete all local user accounts on the device after initial setup and configuration with the exception of one emergency administrative account. The site will also disable local authentication of administrative users.

e.The site will ensure that the emergency administrative account's userid and password are locked up in separate safes, both of which are not accessible by any one individual, and procedures are implemented to log all access and usage.

f.The site must ensure the emergency administrative account meets all DoD user identification (ID) and password requirements.

g.The site will ensure all unused open ports are closed.

h.The device will have management access limited to an authorized Common Access Card (CAC)-enabled workstation located in a physically secured area and connected to the management Virtual Local Area Network (VLAN) behind a firewall.

i.The site will ensure Telnet, http web service, and SNMPv1 and 2c are disabled. If SNMP is enabled, the following findings are incorporated into the site's architecture:

.Network Other Devices STIG:

i.NET1660, CAT II, Virtual LoadMaster (SNMP)

j.The site will ensure Secure Shell (SSH) is disabled. Otherwise, the following findings are incorporated into the site's architecture:

.Application Security and Development STIG:

i.APP3440, CAT II, Virtual LoadMaster

.Network Device Management SRG:

i.SRG-APP-000075-NDM-000217, CAT II, Virtual LoadMaster

ii.SRG-APP-000076-NDM-000218, CAT II, Virtual LoadMaster

iii.SRG-APP-000076-NDM-000219, CAT II, Virtual LoadMaster

iv.SRG-APP-000149-NDM-000247, CAT II, Virtual LoadMaster

v.SRG-APP-000516-NDM-000332, CAT II, Virtual LoadMaster

vi.SRG-APP-000516-NDM-000344, CAT II, Virtual LoadMaster

.Network Other Devices STIG:

i.NET0340, CAT II, Virtual LoadMaster

ii.NET1645, CAT II, Virtual LoadMaster

iii.NET1646, CAT II, Virtual LoadMaster

k.The configuration must be in compliance with the "KEMP Technologies Virtual LoadMaster, Software Release 7.0-10, Tracking Number 1512701, Military Unique Features Deployment Guide".

l.The site must register the system in the Systems Networks Approval Process Database <https://snap.dod.mil/index.cfm> as directed by the Defense IA Security Accreditation Working Group and Program Management Office.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

User Management, Feature Description DoD Common Access Card Authentication, Feature Description Kerberos Constrained Delegation, Feature Description Licensing, Feature Description Web User Interface (WUI), Configuration Guide

Document History

Date

Change

Reason for Change

Version

Resp.

Oct 2015

Initial draft

First draft of document

1.0

LB

Oct 2015

Minor change

Introduction updated

2.0

LB

Dec 2015

Release updates

Updated for 7.1-32

3.0

LB

Jan 2016

Minor change

Updated

4.0

LB

Mar 2016

Minor change

Enhancements made

5.0

LB

Jan 2017

Minor change

Updated

6.0

LB

Was this article helpful?

0 out of 0 found this helpful

Comments