LoadMaster Military

1 Introduction

The KEMP Virtual LoadMaster (VLM) is an Application Delivery Controller (ADC) that provides load balancing and Secure Sockets Layer (SSL) offloading. The VLM is certified under the Department of Defense (DoD) Unified Capabilities Approved Products List (UC APL) program in the Cyber Security Tools (CST) area. The VLM is available for all common hypervisor and cloud computing environments. All KEMP LoadMasters operate using the same LoadMaster Operating System (LMOS) and this guide is relevant for securing all LoadMaster platforms.


In accordance with DoD security guidelines and the specific UC APL implementation guidelines, the KEMP VLM appliance has two approved means of access. The first access method (hypervisor virtual Console Access) is typically used to set up the initial IP address for the management interface on the VLM. The second access method, the Web User Interface (WUI), is used to manage and configure the VLM. You can also use the Console Access method to restore the VLM to a default state. All VLM management should originate from a Security Technical Implementation Guide (STIG) compliant management workstation. The hypervisor virtual Console method is used to configure the VLM so that it can communicate with other components and be reached over Internet Protocol (IP) using Hypertext Transfer Protocol Secure (HTTPS). After you complete the initial configuration, the VMware client session is disconnected, and you can perform all administrative tasks from a web browser over HTTPS.

1.1 Document Purpose

KEMP provides this document to meet the Conditions of Fielding (CoF) as depicted within the Information Assurance Assessment Report (IAAR) for KEMP Technologies Virtual LoadMaster, Software Release 7.2, Tracking Number 1512701; specifically, this document is the required "KEMP Technologies Virtual LoadMaster, Software Release 7.2.43, Military Unique Features Deployment Guide", updated to reflect the addition of CAC/PIV/LDAPS/OCSP login functionality. This document provides instructions on how to configure and set various options in the VLM to meet the UC APL requirements.

For detailed, step-by-step instructions on some of the VLM features mentioned in this document, refer to the individual Feature Description documents listed in the References section at the end of this document.

1.2 Intended Audience

Network administrators who need to configure a VLM to meet UC APL requirements.

1.3 Document Feedback

If you have any comments about this document, forward them to KM@kemptechnologies.com.

2 Minimum Requirements

The following security measures (at a minimum) must be in place to ensure an acceptable level of risk:

  • LMOS version 7.2.43 with patch 16247 or newer.
  • Network Time Protocol v3 (NTPv3) with appropriate Federal Information Processing Standards (FIPS) algorithms is required.
  • Connection to a Syslog device for auditing purposes.
  • Administrative user authentication must use CAC/PIV (X.509v3 certificates).
  • Administrative accounts must be managed by an external AAA service (in this case an LDAPS-enabled Active Directory (AD) service).
  • Certificates are validated using Online Certificate Status Protocol (OCSP).
  • Administrative role-based authorization uses a combination of AD account group membership and authorization groups on the LoadMaster.
  • With the exception of one emergency administrative account, all local user accounts must be deleted on the device after initial setup and configuration.
  • Ensure the emergency administrative account meets all Department of Defense (DoD) user identification (ID) and password requirements.
  • Place the password for the emergency administrative account under two-man control by splitting the password and storing the halves in separate approved security containers, neither of which is accessible by any one individual, with procedures in place to log all access and usage.
  • Ensure that all unused open ports are closed.
  • Ensure the LoadMaster “Call Home” functionality is disabled.
  • Limit management access to an authorized Common Access Card (CAC)-enabled workstation located in a physically secured area and connected to a restricted management Virtual Local Area Network (VLAN) behind a firewall.
  • Ensure that management interfaces for Secure Shell (SSH) and web services Application Programming Interface (API) are disabled.
  • If using Simple Network Management Protocol (SNMP), ensure SNMPv3 is used with appropriate FIPS algorithms.

Instructions on how to meet these minimum requirements are provided throughout the remainder of this document.

3 Installation

3.1 Minimum Requirements for the VLM

The LMOS version must be version 7.2.43 or newer.

Each KEMP VLM must be allocated a minimum of:

  • 2 vCPUs
  • 2 GB RAM
  • 32 GB disk space

The KEMP license defines the throughput and SSL Transactions Per Second (TPS) performance levels for the VLM.

KEMP recommends that 2 vCPUs and 2 GB RAM be added to the VLM Virtual Machine for each additional Gbps throughput required.

3.2 Install and License the VLM

Instructions on installing, initially configuring, and licensing the VLM are available in the KEMP Installation Guides which can be found on the KEMP Documentation page: http://kemptechnologies.com/documentation.

For detailed licensing instructions, refer to the Licensing, Feature Description document which is also located on the KEMP Documentation page: http://kemptechnologies.com/documentation.

4 Configuration

The sections below provide instructions on how to configure the VLM and guidance on any other configuration needed to meet the UC APL requirements.

The LoadMaster supports security headers on WUI pages.

4.1 Network Time Service (NTP) v3

Using the System Configuration > System Administration > Date/Time menu in the WUI, configure NTP services. To enable NTPv3, select the Show NTP Authentication Parameters check box.

[Screenshot: Network Time Service NTP v3]

Ensure the NTP Key Type is set to SHA-1. The screenshot above shows an example of a configured NTP entry.

4.2 Host Name and DNS Configuration

Using the System Configuration > Network Setup > Host & DNS Configuration menu, set up the host name for the LoadMaster and various DNS settings. This screen is also where you enable the DNSSEC client on the LoadMaster.


  • Enter the Hostname (for example, LB26).
  • Enter the IP Address, or addresses, for your DNS Server (up to three space-separated IP addresses can be entered).
  • Enter the DNS Search Domain (at a minimum, your domain name, for example kemptech.biz).
  • Select the Enable DNSSEC Resolver check box.
  • You can also add IP addresses and a Host FQDN for local DNS resolution. Entries here take precedence over entries in your DNS server.

4.3 SNMP v3

If SNMP is used, select the Enable SNMP V3 check box and configure the options. This is available in the System Configuration > Logging Options > SNMP Options menu in the WUI.


Also, ensure SHA and AES are selected as the Authentication protocol and the Privacy protocol.

4.4 Configure Syslog Hosts

To meet requirements for persistent log storage and integration with Security Event and Incident Management (SEIM) systems, it is important to configure a syslog connection to a log collector.


Using the System Configuration > Logging Options > Syslog Options menu, enter an IP address, or addresses, and select the severity level. Six different error message levels are defined, and each message level may be sent to a different server. Notice messages are sent for information only; Emergency messages normally require immediate user action.


Up to ten individual IP addresses can be specified for each of the Syslog fields. The IP addresses must be differentiated using a space-separated list.

Examples of the type of message that you may see after setting up a Syslog server are below:

  • Emergency: Kernel-critical error messages
  • Critical: Unit one has failed and unit two is taking over as master (in a High Availability (HA) setup)
  • Error: Authentication failure for root from 192.168.1.1
  • Warn: Interface is up/down
  • Notice: Time has been synced
  • Info: Local advertised ethernet address

One point to note about syslog messages is that they cascade upwards. Therefore, if a host is set to receive WARN messages, the message file includes messages from all levels above WARN (ERROR, CRITICAL, and EMERGENCY) but none from the levels below (NOTICE and INFO).

KEMP recommends not setting all six levels for the same host because multiple messages for the same error will be sent to the same host.

To enable a syslog daemon on a remote Linux server to receive syslog messages from the VLM over the network, the daemon must be started with the “-r” flag.

4.5 Enable a Minimum of Two Ethernet Interfaces

To meet requirements related to management traffic restrictions to only dedicated management networks, it is necessary to configure at least two network interfaces and dedicate a network or VLAN to management. Ensure the hypervisor has allocated two virtual interfaces to the Virtual Machine created for the KEMP VLM and then follow the steps below using the VLM WUI to add the second interface. Using the System Configuration > Network Setup menu, follow the steps below:

1. In the Interfaces section, click eth1.

[Screenshot: Enable a Minimum of Two Ethernet Interfaces]

2. Enter the Interface Address (address[/prefix]).

3. Click Set Address.

4. Configure any other settings as needed.

4.6 Set an Alternate Interface for Management

The DoD requires all management to be performed on a dedicated interface connected to a closed DoD management VLAN. To change the default eth port for management, follow the steps below in the VLM WUI.

[Screenshot: Set an Alternate Interface for Management]

1. Using the Certificates & Security > Remote Access menu, select the relevant interface, for example eth1, in the Allow Web Administrative Access drop-down list.

2. Enter the IP address of the desired default gateway in the Admin Default Gateway text box. Click Set Administrative Access.

3. When this is done, you must reconnect your web browser to the new IP address enabled as the management interface for the VLM.

These settings are not applied until Set Administrative Access is clicked.

4.7 Enable Alternate Gateway Support

The management interface (possibly eth1) must be connected to the closed DoD Management VLAN.

[Screenshot: Enable Alternate Gateway Support]

To enable alternate gateway support, using the System Configuration > Miscellaneous Options > Network Options menu, ensure that the Enable Alternate GW support check box is selected.

4.8 Request and Install an Administrative SSL Certificate

Follow the steps below to request and install an administrative SSL certificate:

1. From an authorized Certificate Authority (CA), request a Web Server (SSL) certificate and install it on the LoadMaster.

2. Generate the Certificate Signing Request (CSR) using the Certificates & Security > Generate CSR menu.

3. Copy the Certificate Request into a text file (use a basic editor like Notepad).

4. Copy the Private Key into another text file.

5. Send the CSR to your certificate authority and they will return the certificate (public) part of your server certificate to you.

6. Using the Certificates & Security > SSL Certificates menu, select the certificate file from your CA and the key file which you had previously saved, type a Certificate Identifier (friendly name) and click Save.

4.9 Install Intermediate Certificates

Using the Certificates & Security > Intermediate Certs menu, install the root and intermediate certificate authority certificates for the CA that issued you the administrative certificate. Also, install the root and intermediate certificates for the CA that issued your Active Directory-based LDAP server its certificate.

On the management workstation, install the same root and intermediate certificates.

4.10 Enable Use of the New Administrative Certificate

To enable use of the new administrative certificate, follow the steps below:

1. Using the Certificates & Security > SSL Certificates menu, under the Administrative Certificates section, select the new administrative certificate and click Use Certificate.

Ensure the FQDN for the LoadMaster is registered in your DNS service (for example, lb26.kemptech.biz). This must match the Administrative SSL Certificate you requested above.

2. Log out of the VLM WUI and fully close your browser on the management workstation.

3. Open the browser and log back into the VLM WUI using the FQDN for the VLM.

4. Verify that there are no TLS errors in the connection and verify that the WUI connection is using the administrative certificate.

Do not proceed until the above is verified.

4.11 Ensure Passwords are Encrypted Using SHA-2

If your LoadMaster is not running LMOS 7.2.43 or newer, you must upgrade the firmware by following the steps in the Updating the LoadMaster Software, Technical Note document on the KEMP Documentation Page.

After upgrading, change all local account passwords (including the default administrative bal account). This ensures all passwords are protected using SHA-256.

1. To change the bal account password, log in to the LoadMaster using the bal account and go to System Configuration > System Administration > User Management in the main menu of the LoadMaster WUI.

[Screenshot: Ensure Passwords are Encrypted Using SHA-2]

2. Enter the Current Password for the bal user.

3. Enter a new, complex password.

4. Re-enter the new, complex password.

5. Click Set Password.

6. Seal the complex password into an envelope and store it in an approved security container.

Follow DoD and local standards when setting and storing the complex password.

4.12 Configure WUI Access Options

[Screenshot: Configure WUI Access Options]

Using the Certificates & Security > Admin WUI Access menu, under WUI Access Options, ensure SSLv3 and TLS1.0 are not selected. Ensure the WUI Cipher set is set to FIPS.

Under WUI Session Management, ensure Enable Session Management is selected and Require Basic Authentication is not selected. KEMP recommends leaving Failed Login Attempts at 3 and setting the Idle Session Timeout (seconds) to the value your organization requires. You can also limit concurrent logins.

Set the Pre-auth Click Through Banner that is displayed before the LoadMaster WUI login page. Users are not permitted to log in until they click Accept. This field can contain plain text or HTML code. The field cannot contain JavaScript. For security purposes, you cannot use the ‘ (single quote) and “ (double-quote) characters. This field accepts up to 5,000 characters.

The resulting screen should look like the screenshot above.

4.13 Configure OCSP

[Screenshot: Configure OCSP]

Using the Certificates & Security > OCSP Configuration menu, enter the IP address (or multiple addresses using spaces to separate each entry) of the OCSP service associated with the certificates you are going to use to log in to the LoadMaster. Ensure you click Set Address, Set Port, and Set Path (if needed) to apply the settings. Select the Allow Access on Server Failure check box. The results should look like the screenshot above.

4.14 Configure LDAP

To configure LDAP, follow the steps below:

1. Using the Certificates & Security > LDAP Configuration menu, enter a friendly name in the Add new LDAP Endpoint text box and click Add. This brings up a configuration menu.

[Screenshot: Configure LDAP]

2. Enter the IP address (or addresses) for the LDAPS server (or servers) in the LDAP Server(s) text box and click LDAP Server(s).

3. In the LDAPS Protocol drop-down list, select LDAPS.

4. Unless necessary, leave the Validation Interval and Referral Count text boxes as the default values.

5. In the Admin User text box, enter an AD account in the format account@domain and click Set Admin User. This account does not need elevated rights; a Domain User is acceptable.

6. In the Admin User Password text box, enter the password for that user and click Set Admin User Password. Normally, you would create a service account for this Admin User account and you would use a very long random password for the account to minimize risk.

The result for the configuration box should look like the screenshot above.

4.15 Configure User Management

[Screenshot: Configure User Management]

Using the System Configuration > User Management menu, create Remote Access Groups and assign rights to these groups. The group names you use here need to exactly match Active Directory (AD) group names you will use to map rights.

The following characters are permitted in the group name: alphanumeric characters, spaces, or the following special symbols: =~^._+#,@/-.

Once you have created the Remote User Groups and assigned them rights on the LoadMaster, go to your Active Directory system and ensure these groups are available (or create them). By now you should know the certificates (CAC/PIV/other) that you will use to manage the LoadMaster. Ensure accounts are created in AD where the Principal Name on the certificate matches the user in Active Directory. Add these users to the appropriate groups. Once users are assigned to groups in AD and these users match the Principal Name on the certificates you will use to manage the LoadMaster, you are ready to enable Certificate login to the LoadMaster. The user management menu should look like the screenshot above.

4.16 Configure WUI Authorization

In the Certificates & Security > Remote Access menu, click WUI Authorization Options.


1. Ensure Local Users Use ONLY if other AAA Services fail is not selected.

2. Ensure the Local Users Authentication check box is not selected.

3. Add an LDAP Endpoint from the drop-down list.

4. Add Remote User Groups using the Select groups button.

5. Enter the full Domain name and click Set Domain.

6. Ensure the LDAP Authentication check box is selected.

7. Ensure the RADIUS Authentication and Authorization check boxes are not selected.

The WUI Authentication and Authorization screen should look like the screenshot above.

4.17 Configure Remote Access

Using the Certificates & Security > Remote Access menu:

1. Disable Allow Remote SSH Access.

2. Enable Allow Web Administrative Access. In the Using drop-down list, select the network interface from which the LoadMaster is to be managed. Per STIG/SRG, this should be a dedicated management network/VLAN.

3. Enter the Admin Default Gateway (if management interface is not on eth0) and click Set Administrative Access.

4. The Allow Multi Interface Access check box should normally be disabled to force management traffic to only the management network.

5. Disable the Enable API Interface check box.

6. Disable the Allow Update Checks check box. This stops the LoadMaster from attempting to use the “call home” functionality.

7. To enable strict FIPS mode, click Enable Software FIPS mode.

Here is some additional information on FIPS:

LMOS includes an embedded FIPS 140-2 Level 1 certified encryption module. To enable strict FIPS mode on a LoadMaster it is first necessary to enable Session Management (this is enabled by default on new installs of LMOS 7.2.43). Once FIPS mode is enabled, it cannot be disabled. It is recommended that you verify all workloads you are planning to load balance support FIPS algorithms before enabling strict FIPS mode. You can select FIPS options separately for each management function as well as each Virtual Service (if you chose not to enable strict FIPS mode).


To enable certificate login to the LoadMaster, you need to select the Admin Login Method. The only option that includes OCSP validation as well as LDAPS validation is Client certificate required (Verify via OCSP). All other options that include certificate authentication connect to LDAPS for validation; however, they do not connect to OCSP to check for certificate revocation. To meet DoD guidance, select Client certificate required (Verify via OCSP).

An example of a configured Remote Access screen is above.

In FIPS mode, LDAPS uses FIPS OpenSSL.

4.18 Add a Firewall Block for alsi.kemptechnologies.com

In the Configure Remote Access section, we disabled the "call home" feature. To add an extra layer of security, you can block our licensing server alsi.kemptechnologies.com and alsi2.kemptechnologies.com in the external firewall. Refer to the third-party firewall documentation for instructions on how to do this.

4.19 Configure Security Event and Incident Management (SEIM)

While not specifically required by DoD, there are several areas related to alerting that are appropriate for enterprise-level monitoring and would benefit from connecting the KEMP LoadMaster to an enterprise SEIM. KEMP can export log data using syslog to a log collector connected to the SEIM. This enables the SEIM to look for:

  • Successive logins without associated logout events to identify potential misuse in this area
  • Suspicious activity in audit logs to identify potential misuse
  • Authorization changes such as creation or modification of VLM groups
  • Account changes such as adding or removing users from KEMP groups within Active Directory
  • Authorization policy changes such as changes to WUI Authorization Options in the VLM

For further information on how to configure SEIM, refer to the relevant third-party product documentation.
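The following Python script is an added example, not part of the KEMP documentation: it models the syslog severity cascade described in the Configure Syslog Hosts section and implements two of the SEIM checks listed above (logins without a matching logout, and authorization changes) over a handful of constructed log lines. The severity tag and the "WUI login/logout" wording in the sample are assumptions made for the example; only the "Authentication failure" and "Time has been synced" messages are taken from this document.

```python
"""Added example: LoadMaster syslog cascade plus simple SEIM checks.

Runs entirely offline over the constructed SAMPLE_LOG below.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# The six LoadMaster message levels, most severe first (Configure Syslog Hosts).
LEVELS = ["emergency", "critical", "error", "warn", "notice", "info"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def levels_received(configured: str) -> list[str]:
    """Levels a syslog host sees when set to `configured`: that level plus
    every more severe level above it, and nothing below (the cascade)."""
    return LEVELS[: RANK[configured] + 1]


@dataclass
class Event:
    ts: str
    severity: str
    msg: str


# RFC 3164-style "<timestamp> <host> <severity>: <message>" line. The severity
# tag is an assumption for this example, not the LoadMaster's exact wire format.
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")


def parse(text: str) -> list[Event]:
    """Parse sample lines; lines with an unknown severity are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).lower() in RANK:
            events.append(Event(m.group(1), m.group(3).lower(), m.group(4)))
    return events


def deliver(events: list[Event], configured: str) -> list[Event]:
    """Messages a syslog host configured at `configured` would receive."""
    wanted = set(levels_received(configured))
    return [e for e in events if e.severity in wanted]


# Message patterns. Login/logout wording is constructed for this example.
LOGIN_RE = re.compile(r"WUI login for user (\S+) from (\S+)")
LOGOUT_RE = re.compile(r"WUI logout for user (\S+)")
AUTH_FAIL_RE = re.compile(r"Authentication failure for (\S+) from (\S+)")
AUTHZ_RE = re.compile(r"Remote user group|Authorization Options", re.I)


def logins_without_logout(events: list[Event]) -> dict[str, int]:
    """Per user, number of logins not closed by a logout (first SEIM bullet)."""
    open_sessions: dict[str, int] = defaultdict(int)
    for e in events:
        if m := LOGIN_RE.search(e.msg):
            open_sessions[m.group(1)] += 1
        elif m := LOGOUT_RE.search(e.msg):
            open_sessions[m.group(1)] = max(0, open_sessions[m.group(1)] - 1)
    return {user: n for user, n in open_sessions.items() if n > 0}


def authorization_changes(events: list[Event]) -> list[str]:
    """Messages about group or WUI Authorization Options changes."""
    return [e.msg for e in events if AUTHZ_RE.search(e.msg)]


def failed_auth_sources(events: list[Event]) -> list[str]:
    """Source addresses from authentication failure messages."""
    return [m.group(2) for e in events if (m := AUTH_FAIL_RE.search(e.msg))]


# Constructed sample log; not captured from a real LoadMaster.
SAMPLE_LOG = """\
Jun 20 10:00:01 lb26 notice: Time has been synced
Jun 20 10:01:10 lb26 error: Authentication failure for root from 192.168.1.1
Jun 20 10:02:00 lb26 info: WUI login for user alice@kemptech.biz from 10.0.10.5
Jun 20 10:05:00 lb26 info: WUI login for user alice@kemptech.biz from 10.0.10.6
Jun 20 10:06:00 lb26 info: WUI login for user bob@kemptech.biz from 10.0.10.7
Jun 20 10:20:00 lb26 info: WUI logout for user bob@kemptech.biz
Jun 20 10:21:00 lb26 notice: Remote user group ops-admins modified
Jun 20 10:22:00 lb26 notice: WUI Authorization Options changed
"""

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("host at WARN receives:", [e.msg for e in deliver(ev, "warn")])
    print("open sessions:", logins_without_logout(ev))
    print("authz changes:", authorization_changes(ev))
    print("failed auth from:", failed_auth_sources(ev))
```

Note that a collector set to WARN in this model receives only the authentication failure; the login and authorization-change events are INFO and NOTICE, so the host feeding the SEIM must be configured at INFO for these checks to have anything to work on.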

4.20 Conditions of Fielding from DoD IAAR

The following is provided as a direct quote from the “INFORMATION ASSURANCE ASSESSMENT REPORT FOR KEMP Technologies Virtual LoadMaster, Software Release 7.2 (Tracking Number 1512701)”.

CONDITION OF FIELDING. When the system is deployed to an operational environment, the following security measures (at a minimum) must be implemented to ensure an acceptable level of risk for the sites’ Designated Approving Authority:

a. The system will use CAC with AD with LDAPS to authenticate administrative users. Otherwise, the following findings are incorporated into the site’s architecture:

  • Application Security and Development STIG:

i. APP3320, CAT II, Virtual LoadMaster

  • Network Device Management SRG:

i. SRG-APP-000023-NDM-000205, CAT II, Virtual LoadMaster

ii. SRG-APP-000025-NDM-000207, CAT II, Virtual LoadMaster

iii. SRG-APP-000026-NDM-000208, CAT II, Virtual LoadMaster

iv. SRG-APP-000027-NDM-000209, CAT II, Virtual LoadMaster

v. SRG-APP-000028-NDM-000210, CAT II, Virtual LoadMaster

vi. SRG-APP-000079-NDM-000219, CAT II, Virtual LoadMaster

vii. SRG-APP-000029-NDM-000211, CAT II, Virtual LoadMaster

viii. SRG-APP-000091-NDM-000223, CAT II, Virtual LoadMaster

ix. SRG-APP-000148-NDM-000246, CAT II, Virtual LoadMaster

x. SRG-APP-000163-NDM-000251, CAT II, Virtual LoadMaster

xi. SRG-APP-000164-NDM-000252, CAT II, Virtual LoadMaster

xii. SRG-APP-000165-NDM-000253, CAT II, Virtual LoadMaster

xiii. SRG-APP-000166-NDM-000254, CAT II, Virtual LoadMaster

xiv. SRG-APP-000167-NDM-000255, CAT II, Virtual LoadMaster

xv. SRG-APP-000168-NDM-000256, CAT II, Virtual LoadMaster

xvi. SRG-APP-000169-NDM-000257, CAT II, Virtual LoadMaster

xvii. SRG-APP-000170-NDM-000329, CAT II, Virtual LoadMaster

xviii. SRG-APP-000173-NDM-000260, CAT II, Virtual LoadMaster

xix. SRG-APP-000174-NDM-000261, CAT II, Virtual LoadMaster

xx. SRG-APP-000389-NDM-000306, CAT II, Virtual LoadMaster

xxi. SRG-APP-000495-NDM-000318, CAT II, Virtual LoadMaster

xxii. SRG-APP-000499-NDM-000319, CAT II, Virtual LoadMaster

b. The site will use a Syslog device for auditing purposes. Otherwise, the following findings are incorporated into the site’s architecture:

  • Application Security and Development STIG:

i. APP3650, CAT II, Virtual LoadMaster

  • Network Device Management SRG:

i. SRG-APP-000118-NDM-000235, CAT II, Virtual LoadMaster

ii. SRG-APP-000125-NDM-000241, CAT II, Virtual LoadMaster

iii. SRG-APP-000126-NDM-000242, CAT II, Virtual LoadMaster

iv. SRG-APP-000359-NDM-000294, CAT II, Virtual LoadMaster

  • Network Other Devices STIG:

i. NET0386, CAT III, Virtual LoadMaster

  • Web Server SRG:

i. SRG-APP-000357-WSR-000150, CAT II, Virtual LoadMaster

ii. SRG-APP-000359-WSR-000065, CAT II, Virtual LoadMaster

c. The site will ensure that the hypervisor used to run the VLM is configured according to the appropriate STIG (including DoD banner and multifactor authentication).

If the hypervisor doesn't support the DoD banner, the following findings will be incorporated into the site's architecture against the VLM's console interface:

  • Application Security and Development STIG:

i. APP3440, CAT II, Virtual LoadMaster

  • Network Other Devices STIG:

i. NET0340, CAT III, Virtual LoadMaster

If the hypervisor doesn't support the multifactor authentication, the following findings will be incorporated into the site's architecture against the VLM's console interface:

  • Network Device Management SRG:

i. SRG-APP-000151-NDM-000248, CAT II, Virtual LoadMaster

d. The site must use role-based security for user access and management of the vendor’s device.

e. The site must delete all local user accounts on the device after initial setup and configuration with the exception of one emergency administrative account. The site will also disable local authentication of administrative users.

f. The site will ensure that the emergency administrative account’s userid and password are locked up in separate safes, both of which are not accessible by any one individual, and procedures are implemented to log all access and usage.

g. The site must ensure the emergency administrative account meets all DoD user identification (ID) and password requirements.

h. The site will ensure all unused open ports are closed.

i. The device will have management access limited to an authorized Common Access Card (CAC)-enabled workstation located in a physically secured area and connected to the management Virtual Local Area Network (VLAN) behind a firewall.

j. The site will ensure Telnet, http web service, and SNMPv1 and 2c are disabled.

k. The site will ensure Secure Shell (SSH) is disabled. Otherwise, the following findings are incorporated into the site’s architecture:

  • Application Security and Development STIG:

i. APP3440, CAT II, Virtual LoadMaster

  • Network Device Management SRG:

i. SRG-APP-000075-NDM-000217, CAT II, Virtual LoadMaster

ii. SRG-APP-000076-NDM-000218, CAT II, Virtual LoadMaster

iii. SRG-APP-000076-NDM-000219, CAT II, Virtual LoadMaster

iv. SRG-APP-000149-NDM-000247, CAT II, Virtual LoadMaster

v. SRG-APP-000516-NDM-000332, CAT II, Virtual LoadMaster

vi. SRG-APP-000516-NDM-000344, CAT II, Virtual LoadMaster

  • Network Other Devices STIG:

i. NET0340, CAT II, Virtual LoadMaster

ii. NET1645, CAT II, Virtual LoadMaster

iii. NET1646, CAT II, Virtual LoadMaster

l. The configuration must be in compliance with the “KEMP Technologies Virtual LoadMaster, Software Release 7.2.43, Tracking Number 1512701, Military Unique Features Deployment Guide”.

m. The site must register the system in the Systems Networks Approval Process Database <https://snap.dod.mil/index.cfm> as directed by the Defense IA Security Accreditation Working Group and Program Management Office.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

User Management, Feature Description

DoD Common Access Card Authentication, Feature Description

Kerberos Constrained Delegation, Feature Description

Licensing, Feature Description

Web User Interface (WUI), Configuration Guide

Updating the LoadMaster Software, Technical Note

Last Updated Date

This document was last updated on 20 June 2018.
