Kemp Technologies Virtual LoadMaster Software Release 7.2.43 (or Newer) Tracking Number 1512701 Military Unique Features - Deployment Guide
VERSION: 3.0
UPDATED: 17 February 2020
Copyright Notices
Copyright © 2002-2020 Kemp Technologies, Inc. All rights reserved. Kemp Technologies and the
Kemp Technologies logo are registered trademarks of Kemp Technologies, Inc.
Kemp Technologies, Inc. reserves all ownership rights for the LoadMaster and Kemp 360 product
line including software and documentation.
Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912,
7,346,695, 7,287,084 and 6,970,933
kemp.ax 2 Copyright 2002-2020, Kemp Technologies, All Rights Reserved
Table of Contents
1 Introduction
1.1 Document Purpose
1.2 Intended Audience
1.3 Document Feedback
2 Minimum Requirements
3 Installation
3.1 Minimum Requirements for the VLM
3.2 Install and License the VLM
4 Configuration
4.1 Network Time Protocol (NTP) v3
4.2 Host Name and DNS Configuration
4.3 SNMP v3
4.4 Configure Syslog Hosts
4.5 Enable a Minimum of Two Ethernet Interfaces
4.6 Set an Alternate Interface for Management
4.7 Enable Alternate Gateway Support
4.8 Request and Install an Administrative SSL Certificate
4.9 Install Intermediate Certificates
4.10 Enable Use of the New Administrative Certificate
4.11 Ensure Passwords are Hashed Using SHA-2
4.12 Configure WUI Access Options
4.13 Configure OCSP
4.14 Configure LDAP
4.15 Configure Remote User Groups for LDAP
4.16 Configure WUI Authorization
4.17 Configure Remote Access
4.18 Add a Firewall Block for alsi.kemptechnologies.com
4.19 Configure Security Information and Event Management (SIEM)
4.20 Conditions of Fielding from DoD IAAR
References
Last Updated Date
Document History
kemp.ax 4 Copyright 2002-2020, Kemp Technologies, All Rights ReservedKemp Technologies Virtual LoadMaster, Software Release 7.2.43
(or Newer), Tracking Number 1512701, Military Unique Features
1 Introduction
The Kemp Virtual LoadMaster (VLM) is an Application Delivery Controller (ADC) that provides load
balancing and Secure Sockets Layer (SSL) offloading. The VLM is certified under the Department of
Defense (DoD) Unified Capabilities Approved Products List (UC APL) program in the Cyber Security
Tools (CST) area. The VLM is available for all common hypervisor and cloud computing
environments. All Kemp LoadMasters operate using the same LoadMaster Operating System (LMOS)
and this guide is relevant for securing all LoadMaster platforms.
In accordance with DoD security guidelines and the specific UC APL implementation guidelines, the
Kemp VLM appliance has two approved means of access. The first access method (hypervisor
virtual Console Access) is typically used to set up the initial IP address for the management
interface on the VLM. The second access method, the Web User Interface (WUI), is used to manage
and configure the VLM. You can also use the Console Access method to restore the VLM to a default
state. All VLM management should originate from a Security Technical Implementation Guide
(STIG) compliant management workstation. The hypervisor virtual Console method is used to
configure the VLM to communicate with other components and to be accessible by Internet
Protocol (IP) address using Hypertext Transfer Protocol Secure (HTTPS). After you complete the
initial configuration, the hypervisor console session (for example, the VMware client) is
disconnected, and you perform all administrative tasks from a web browser over HTTPS. As of
LMOS 7.2.49, the LoadMaster meets DoD requirements for verification of software updates.
1.1 Document Purpose
Kemp provides this document to meet the Conditions of Fielding (CoF) as depicted within the
Information Assurance Assessment Report (IAAR) for Kemp Virtual LoadMaster, Software Release
7.2, Tracking Number 1512701; specifically, this document is the required "Kemp Virtual
LoadMaster, Software Release 7.2.43 (or newer), Military Unique Features Deployment Guide" and
updated based on addition of CAC/PIV/LDAPS/OCSP login functionality. This document provides
instructions on how to configure and set various options in the VLM to meet the UC APL
requirements.
For detailed, step-by-step instructions on some of the VLM features mentioned in this document,
refer to the individual Feature Description documents, for example:
- User Management, Feature Description
- DoD Common Access Card Authentication, Feature Description
- Kerberos Constrained Delegation, Feature Description
1.2 Intended Audience
Network administrators who need to configure a VLM to meet UC APL requirements.
1.3 Document Feedback
If you have any comments about this document, forward them to KM@kemptechnologies.com.
2 Minimum Requirements
The following security measures (at a minimum) must be in place to ensure an acceptable level of
risk:
- LMOS version 7.2.43 (or newer) with patch 16247 or newer.
- Connection to a Network Time Protocol v3 (NTPv3) service for secure time synchronization.
- Connection to a Syslog device for long-term log retention.
- Connection to an Online Certificate Status Protocol (OCSP) service for certificate validation.
- Connection to an external AAA service (in this case an LDAPS-enabled Active Directory (AD)
service) for administrative account management.
- Use a combination of AD account group membership and LoadMaster authorization groups
to enable role-based access controls for administrative accounts.
- Removal of all local user accounts after initial setup and configuration, with the exception
of one emergency administrative account.
- Ensure the emergency administrative account meets all Department of Defense (DoD) user
identification (ID) and password requirements.
- Place the password for the emergency administrative account under two-man control by
splitting the password and storing the parts in separate approved security containers, neither
of which is accessible by any one individual, with procedures implemented to log all access
and usage.
- Ensure that all unused open ports are closed.
- Ensure the LoadMaster "Call Home" functionality is disabled.
- Limit management access to an authorized Common Access Card (CAC)-enabled workstation
located in a physically secured area and connected to a restricted management Virtual
Local Area Network (VLAN) behind a firewall.
- Ensure that the Secure Shell (SSH) and web services Application Programming Interface (API)
management interfaces are disabled.
- If using Simple Network Management Protocol (SNMP), ensure SNMPv3 is used with
appropriate FIPS algorithms.
- Ensure the Display Verify Update Option is selected in the System Configuration >
Miscellaneous Options > WUI Settings screen.
Instructions on how to meet these minimum requirements are provided throughout the remainder
of this document.
3 Installation
3.1 Minimum Requirements for the VLM
The LMOS version must be version 7.2.43 or newer.
Each Kemp VLM must be allocated a minimum of:
l 2 vCPUs
l 2 GB RAM
l 32 GB disk space
The Kemp license defines the throughput and SSL Transactions Per Second (TPS) performance
levels for the VLM.
Kemp recommends that 2 vCPUs and 2 GB RAM be added to the VLM Virtual Machine for each
additional Gbps throughput required.
3.2 Install and License the VLM
Instructions on installing, initially configuring, and licensing the VLM are available in the Kemp
Installation Guides which can be found on the Kemp Documentation page:
http://kemptechnologies.com/documentation.
For detailed licensing instructions, refer to the Licensing, Feature Description document which is
also located on the Kemp Documentation page: http://kemptechnologies.com/documentation.
4 Configuration
The sections below provide instructions on how to configure the VLM and guidance on any other
configuration needed to meet the UC APL requirements.
The LoadMaster supports security headers on WUI pages.
4.1 Network Time Protocol (NTP) v3
Using the System Configuration > System Administration > Date/Time menu in the WUI, configure
NTP services. To enable NTPv3, select the Show NTP Authentication Parameters check box and
ensure the NTP Key Type is set to SHA-1. The key identifier and secret you enter must be the same
ones configured on the NTP server; authentication fails otherwise. The screenshot above shows an
example of a configured NTP entry.
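As an added illustration, and not part of the Kemp guide or the LoadMaster's own code, the following Python shows what the NTP Key Type setting governs. NTPv3 symmetric-key authentication (RFC 5905, section 7.3) appends a 32-bit key ID and a digest computed over the secret key followed by the 48-byte packet; the receiver only accepts the packet if the key ID resolves to the same secret and the digest matches. Choosing SHA-1 selects the digest function in this construction (a keyed hash prefix, not HMAC). The key ID 1, the secret, and the transmit time are constructed values; in practice both sides load key ID and secret from their keys configuration.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                   # fixed NTP header size in bytes


def ntp_timestamp(unix_seconds: float) -> int:
    """Convert a Unix time to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def build_client_packet(transmit_time: float, version: int = 3) -> bytes:
    """Build a minimal NTP client (mode 3) request header."""
    li_vn_mode = (0 << 6) | (version << 3) | 3     # leap=0, version, mode=3 (client)
    return struct.pack(
        "!BBbbIIIQQQQ",
        li_vn_mode, 0, 6, -20,                      # stratum, poll, precision
        0, 0, 0,                                    # root delay, root dispersion, reference ID
        0, 0, 0, ntp_timestamp(transmit_time),      # reference, origin, receive, transmit
    )


def ntp_mac(key: bytes, packet: bytes, digest: str = "sha1") -> bytes:
    """RFC 5905 symmetric-key MAC: digest over the secret key followed by the packet."""
    return hashlib.new(digest, key + packet).digest()


def sign_packet(key_id: int, key: bytes, packet: bytes, digest: str = "sha1") -> bytes:
    """Append the key ID and MAC to an unauthenticated packet (sender side)."""
    return packet + struct.pack("!I", key_id) + ntp_mac(key, packet, digest)


def verify_packet(keys: dict, signed: bytes, digest: str = "sha1") -> bool:
    """Receiver side: look up the key ID and compare the MAC in constant time."""
    mac_len = hashlib.new(digest).digest_size      # 20 bytes for SHA-1, 16 for MD5
    trailer_len = 4 + mac_len
    if len(signed) < HEADER_LEN + trailer_len:
        return False
    packet, trailer = signed[:-trailer_len], signed[-trailer_len:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keys.get(key_id)
    if key is None:                                 # unknown key ID: reject
        return False
    return hmac.compare_digest(ntp_mac(key, packet, digest), trailer[4:])


if __name__ == "__main__":
    # Constructed key table: both the client and the server must hold key ID 1 with this secret.
    keys = {1: b"constructed-example-key"}
    request = sign_packet(1, keys[1], build_client_packet(1_700_000_000.5))
    print("authenticated:", verify_packet(keys, request))
    print("wrong key id:", verify_packet({2: keys[1]}, request))
```

Because the digest covers the whole header, a forged or modified time response fails verification; the protection is only as strong as the secrecy of the shared key, which is why the key belongs in the same protected storage as other device credentials.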
4.2 Host Name and DNS Configuration
Using the System Configuration > Network Setup > Host & DNS Configuration menu, set up the host
name for the LoadMaster and the DNS settings. This screen is also where you enable the
DNSSEC client on the LoadMaster.
- Enter the Hostname (for example, LB26).
- Enter the IP Address, or addresses, for your DNS Server (up to three space-separated IP
addresses).
- Enter the DNS Search Domain (at minimum your domain name, for example, kemptech.biz).
- Select the Enable DNSSEC Resolver check box.
- You can also add IP addresses and a Host FQDN for local DNS resolution. Entries here take
precedence over entries in your DNS server.
4.3 SNMP v3
If SNMP is used, select the Enable SNMP V3 check box and configure the options. This is available
in the System Configuration > Logging Options > SNMP Options menu in the WUI.
Also, ensure SHA and AES are selected as the Authentication protocol and the Privacy protocol.
4.4 Configure Syslog Hosts
To meet requirements for persistent log storage and integration with Security Information and
Event Management (SIEM) systems, configure a syslog connection to a log collector.
Using the System Configuration > Logging Options > Syslog Options menu, enter an IP address, or
addresses, and select the severity level. Six severity levels are defined, and each level may be
sent to a different server. Notice messages are sent for information only; Emergency messages
normally require immediate user action.
Up to ten individual IP addresses can be specified for each of the Syslog fields, as a
space-separated list.
Examples of the type of message that you may see after setting up a Syslog server are below:
- Emergency: Kernel-critical error messages
- Critical: Unit one has failed and unit two is taking over as master (in a High Availability (HA)
setup)
- Error: Authentication failure for root from 192.168.1.1
- Warn: Interface is up/down
- Notice: Time has been synced
- Info: Local advertised ethernet address
Syslog levels cascade upwards: a host configured for a given level receives messages of that
level and of every more severe level, but none of the less severe levels. For example, a host set
to receive WARN messages also receives Error, Critical and Emergency messages, but not Notice or
Info.
Kemp recommends not setting all six levels for the same host, because the same event would then
be delivered to that host several times.
To receive syslog messages from the VLM on a remote Linux server, the syslog daemon must be
configured to accept network input. The classic sysklogd daemon is started with the "-r" flag for
this; rsyslog and syslog-ng have no such flag and instead need their UDP or TCP input (for example
rsyslog's imudp or imtcp module) enabled in their configuration. Also allow the syslog port
through any host firewall on the collector.
4.5 Enable a Minimum of Two Ethernet Interfaces
To meet requirements related to management traffic restrictions to only dedicated management
networks, it is necessary to configure at least two network interfaces and dedicate a network or
VLAN to management. Ensure the hypervisor has allocated two virtual interfaces to the Virtual
Machine created for the Kemp VLM and then follow the steps below using the VLM WUI to add the
second interface. Using the System Configuration > Network Setup menu, follow the steps below:
1. In the Interfaces section, click eth1.
2. Enter the Interface Address (address[/prefix]).
3. Click Set Address.
4. Configure any other settings as needed.
4.6 Set an Alternate Interface for Management
The DoD requires all management to be performed on a dedicated interface connected to a closed
DoD management VLAN. To change the default eth port for management, follow the steps below in
the VLM WUI.
1. Using the Certificates & Security > Remote Access menu, select the relevant interface, for
example eth1, in the Allow Web Administrative Access drop-down list.
2. Enter the IP address of the desired default gateway in the Admin Default Gateway text
box. Click Set Administrative Access.
3. When this is done, you must reconnect your web browser to the new IP address enabled
as the management interface for the VLM.
These settings are not applied until Set Administrative Access is
clicked.
4.7 Enable Alternate Gateway Support
The management interface (possibly eth1) must be connected to the closed DoD Management
VLAN.
To enable alternate gateway support, using the System Configuration > Miscellaneous Options >
Network Options menu, ensure that the Enable Alternate GW support check box is selected.
4.8 Request and Install an Administrative SSL Certificate
Follow the steps below to request a Web Server (SSL) certificate for the WUI from an authorized
Certificate Authority (CA) and install it on the LoadMaster:
1. Generate the Certificate Signing Request (CSR) using the Certificates & Security >
Generate CSR menu.
2. Copy the Certificate Request into a text file (use a basic editor like Notepad).
3. Copy the Private Key into another text file. Keep this file on the STIG-compliant management
workstation only and delete it once the certificate has been installed; anyone holding the key
can impersonate the WUI.
4. Send the CSR to your certificate authority and they will return the certificate (public)
part of your server certificate to you.
5. Using the Certificates & Security > SSL Certificates menu, select the certificate file from
your CA and the key file which you had previously saved, type a Certificate Identifier
(friendly name) and click Save.
4.9 Install Intermediate Certificates
Using the Certificates & Security > Intermediate Certs menu, install the root and intermediate
certificate authority certificates for the CA that issued you the administrative certificate. Also,
install the root and intermediate certificates for the CA that issued your Active Directory-based
LDAP server its certificate.
On the management workstation, install the same root and intermediate certificates.
4.10 Enable Use of the New Administrative Certificate
To enable use of the new administrative certificate, follow the steps below:
1. Using the Certificates & Security > SSL Certificates menu, under the Administrative
Certificates section, select the new administrative certificate and click Use Certificate.
Ensure the FQDN for the LoadMaster is registered in your DNS
service (for example, lb26.kemptech.biz). This must match the
Administrative SSL Certificate you requested above.
2. Log out of the VLM WUI and fully close your browser on the management workstation.
3. Open the browser and log back into the VLM WUI using the FQDN for the VLM.
4. Verify that there are no TLS errors in the connection and verify that the WUI connection
is using the administrative certificate.
Do not proceed until the above is verified.
4.11 Ensure Passwords are Hashed Using SHA-2
If your LoadMaster is not running LMOS 7.2.43 or newer, you must upgrade the firmware by
following the steps in the Updating the LoadMaster Software, Technical Note document on the
Kemp Documentation Page.
After upgrading, change all local account passwords (including the default administrative bal
account). A stored password hash cannot be converted to the new format without the plaintext, so
the hash created before the upgrade remains until the password is changed; this step is what
ensures every local password is stored as a SHA-256 hash.
1. To change the bal account password, log in to the LoadMaster using the bal account
and go to System Configuration > System Administration > User Management in the main
menu of the LoadMaster WUI.
2. Enter the Current Password for the bal user.
3. Enter a new, complex password.
4. Re-enter the new, complex password.
5. Click Set Password.
6. Seal the complex password into an envelope and store it in an approved security
container.
Follow DoD and local standards when setting and storing the
complex password.
4.12 Configure WUI Access Options
This section provides advice on tightening WUI access security.
Using the Certificates & Security > Admin WUI Access menu, under WUI Access Options, ensure
SSLv3 and TLS1.0 are not selected and that the WUI Cipher set is set to FIPS.
Under WUI Session Management, ensure Enable Session Management is selected and Require Basic
Authentication is not selected. Kemp recommends leaving Failed Login Attempts at 3 and setting
the Idle Session Timeout (seconds) to the value your organization requires. You can also limit
concurrent logins.
Set the Pre-auth Click Through Banner that is displayed before the LoadMaster WUI login page.
Users cannot log in until they click Accept. The field accepts plain text or HTML, up to 5,000
characters; it cannot contain JavaScript, and the ' (single quote) and " (double quote) characters
are rejected for security reasons.
4.13 Configure OCSP
Enabling the Online Certificate Status Protocol (OCSP) increases the security of your system by
having the LoadMaster check the revocation status of the client certificates (CAC/PIV) presented
at WUI login against the issuing CA's OCSP responder, so that a revoked card cannot be used to
administer the device.
Using the Certificates & Security > OCSP Configuration menu, enter the IP address (or multiple
addresses using spaces to separate each entry) of the OCSP service associated with the certificates
you are going to use to log in to the LoadMaster. Ensure you click Set Address, Set Port, and Set
Path (if needed) to apply the settings. Select the Allow Access on Server Failure check box. The
results should look like the screenshot above.
Allow Access on Server Failure makes the revocation check fail open: if the OCSP responder cannot
be reached, logins proceed without a revocation result. It is selected here so that a responder
outage does not lock administrators out; monitor responder reachability (for example through the
syslog feed) so that an outage is noticed and corrected rather than silently weakening login
validation.
4.14 Configure LDAP
The Lightweight Directory Access Protocol (LDAP) is typically used by medium to large enterprises
to provide a central database for authenticating users to multiple devices and applications,
instead of defining local users that need to be maintained on the individual devices. This provides
a consistent authentication infrastructure that is centrally maintained, and therefore less prone to
subversion through local operator error or inconsistently applied access policies.
To configure LDAP, follow the steps below:
1. Using the Certificates & Security > LDAP Configuration menu, enter a name in the Add
new LDAP Endpoint text box. This can be any name that has meaning for you.
2. Click Add. This brings up the LDAP Endpoint configuration menu.
3. Enter the IP address (or addresses) for the LDAPS server (or servers) in the LDAP Server(s)
text box and click LDAP Server(s).
4. In the LDAPS Protocol drop-down list, select LDAPS.
5. If necessary, modify the Validation Interval, Referral Count, and Server Timeout values
from the default values. Ensure you press the button to the right of the text boxes in which
you make a change.
6. In the Admin User text box, enter an LDAP account in the format account@domain and
click Set Admin User. This account does not need elevated rights; a Domain User is
acceptable.
7. In the Admin User Password text box, enter the password for that user and click Set
Admin User Password. Normally, you would create a service account for this Admin User
account and you would use a very long random password for the account to minimize risk.
4.15 Configure Remote User Groups for LDAP
If you are using LDAP, configuring Remote User Groups in both the LoadMaster and LDAP enhances
security by providing consistent access policies for groups of user logins.
Open the System Configuration > User Management page to create Remote User Groups and assign
rights to these groups.
The group names you use here must exactly match the LDAP group names you will use to map
rights. Permitted characters in a group name are alphanumeric characters, spaces, and the
special symbols =~^._+#,@/-.
Once you have created the Remote User Groups and assigned them rights on the LoadMaster, go to
your LDAP system and ensure these groups are available (or create them). By now you should know
the certificates (CAC/PIV/other) that you will use to manage the LoadMaster. Ensure accounts are
created in LDAP where the Principal Name on the certificate matches the LDAP user. Add these
users to the appropriate groups. Once users are assigned to groups in LDAP and these users match
the Principal Name on the certificates you will use to manage the LoadMaster, you are ready to
enable Certificate login to the LoadMaster.
4.16 Configure WUI Authorization
In the Certificates & Security > Remote Access menu, click WUI Authorization Options.
1. Ensure Local Users Use ONLY if other AAA Services fail is not selected.
2. Ensure the Local Users Authentication check box is not selected.
3. Add an LDAP Endpoint from the drop-down list.
4. Add Remote User Groups using the Select groups button.
5. Enter the full Domain name and click Set Domain.
6. Ensure the LDAP Authentication check box is selected.
7. Ensure the RADIUS Authentication and Authorization check boxes are not selected.
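As an added example (not Kemp code and not the LoadMaster's implementation), the following Python simulates the authorization decision that sections 4.15 and 4.16 set up: the Principal Name on the presented certificate must equal the AD account's userPrincipalName, and the account must belong to at least one AD group whose name exactly matches a configured Remote User Group; the rights granted are the union of the matched groups. The Remote User Group names, the rights labels, the AD entries and the principal values are all constructed. The simulation assumes "exactly match" means case-sensitive comparison.

```python
import re

# Characters the guide permits in a LoadMaster Remote User Group name.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9 =~^._+#,@/\-]+")


def valid_group_name(name: str) -> bool:
    """True if the name uses only the characters the guide allows."""
    return bool(name) and GROUP_NAME_RE.fullmatch(name) is not None


_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas that are not escaped with a backslash


def cn_from_dn(dn: str):
    """Return the CN value of the first RDN of an LDAP DN (memberOf entry), or None."""
    attr, sep, value = _RDN_SPLIT.split(dn, 1)[0].partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return value.replace("\\,", ",").strip()


# Hypothetical Remote User Groups and the rights assigned to them under
# System Configuration > User Management. Group and right names are illustrative only.
LOADMASTER_GROUPS = {
    "LM-Admins": {"Virtual Services", "Real Servers", "Rules",
                  "System Administration", "User Administration"},
    "LM-Operators": {"Real Servers"},
}


def authorize(cert_principal: str, ldap_entry: dict, lm_groups: dict = LOADMASTER_GROUPS) -> dict:
    """Fail-closed decision: principal must match, and at least one group must map exactly."""
    if ldap_entry.get("userPrincipalName") != cert_principal:
        return {"allowed": False, "reason": "certificate principal does not match LDAP user"}
    matched = [cn for cn in (cn_from_dn(dn) for dn in ldap_entry.get("memberOf", []))
               if cn in lm_groups]                     # exact, case-sensitive match (assumption)
    if not matched:
        return {"allowed": False, "reason": "no LDAP group maps to a Remote User Group"}
    rights = set().union(*(lm_groups[g] for g in matched))
    return {"allowed": True, "groups": matched, "rights": rights}


# Constructed AD entries as an LDAPS search would return them (attribute subset only).
ADMIN_ENTRY = {
    "userPrincipalName": "1234567890@mil",
    "memberOf": ["CN=LM-Admins,OU=Groups,DC=kemptech,DC=biz",
                 "CN=Domain Users,CN=Users,DC=kemptech,DC=biz"],
}
OPERATOR_ENTRY = {
    "userPrincipalName": "2345678901@mil",
    # Group was created as "lm-operators": the case differs, so it does not map.
    "memberOf": ["CN=lm-operators,OU=Groups,DC=kemptech,DC=biz"],
}

if __name__ == "__main__":
    print(authorize("1234567890@mil", ADMIN_ENTRY))
    print(authorize("2345678901@mil", OPERATOR_ENTRY))
    print(authorize("9999999999@mil", ADMIN_ENTRY))
```

The two denial paths are the ones to test on a live deployment before local authentication is switched off: a card whose principal is not in AD, and an account whose groups were created with a name that differs from the LoadMaster group by as little as case or a trailing space.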
4.17 Configure Remote Access
Using the Certificates & Security > Remote Access menu:
1. Disable Allow Remote SSH Access.
2. Enable Allow Web Administrative Access and, from the Using drop-down list, select the
network interface from which the LoadMaster is managed. Per STIG/SRG, this should be a dedicated
management network/VLAN.
3. Enter the Admin Default Gateway (if management interface is not on eth0) and click Set
Administrative Access.
4. The Allow Multi Interface Access check box should normally be disabled to force
management traffic to only the management network.
5. Disable the Enable API Interface check box.
6. Disable the Enable Kemp Analytics check box. This stops the LoadMaster from sending
any analytics data back to Kemp.
7. To enable strict FIPS mode, click Enable Software FIPS mode.
Here is some additional information on FIPS:
LMOS includes an embedded FIPS 140-2 Level 1 certified encryption module. To enable strict FIPS
mode on a LoadMaster it is first necessary to enable Session Management (this is enabled by
default on new installs of LMOS 7.2.43 (or newer)). Once FIPS mode is enabled, it cannot be
disabled. It is recommended that you verify all workloads you are planning to load balance
support FIPS algorithms before enabling strict FIPS mode. You can select FIPS options separately
for each management function as well as each Virtual Service (if you chose not to enable strict
FIPS mode).
To enable certificate login to the LoadMaster, you need to select the Admin Login Method. The only
option that includes OCSP validation as well as LDAPS validation is Client certificate required
(Verify via OCSP). All other options that include certificate authentication connect to LDAPS for
validation; however, they do not connect to OCSP to check for certificate revocation. To meet DoD
guidance, select Client certificate required (Verify via OCSP).
An example of a configured Remote Access screen is above.
In FIPS mode, LDAPS uses FIPS OpenSSL.
4.18 Add a Firewall Block for alsi.kemptechnologies.com
In the Configure Remote Access section, we disabled the "call home" feature. To add an extra layer
of security, you can block our licensing server alsi.kemptechnologies.com and
alsi2.kemptechnologies.com in the external firewall. Refer to the third-party firewall
documentation for instructions on how to do this.
4.19 Configure Security Information and Event Management (SIEM)
While not specifically required by DoD, several areas related to alerting are appropriate for
enterprise-level monitoring and benefit from connecting the Kemp LoadMaster to an enterprise
SIEM. The LoadMaster can export log data using syslog to a log collector connected to the SIEM.
This enables the SIEM to look for:
- Successive logins without associated logout events, to identify potential misuse
- Suspicious activity in audit logs, to identify potential misuse
- Authorization changes such as creation or modification of VLM groups
- Account changes such as adding or removing users from Kemp groups within Active Directory
- Authorization policy changes such as changes to WUI Authorization Options in the VLM
For further information on how to configure the SIEM, refer to the relevant third-party product
documentation.
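Serving both section 4.4 (the severity cascade) and this section (what a SIEM rule set would look for), here is an added Python example that is neither Kemp code nor the LoadMaster's real log format. It parses BSD-style syslog lines, implements the rule that a host set to a given level receives that level and everything more severe, and runs three detections over a constructed log: a burst of authentication failures from one source, a second login by a user with no intervening logout, and an HA failover. The failure and failover message texts follow the examples in 4.4; the login/logout wording, host name, process tags and PRI values are constructed for the example.

```python
import re
from collections import Counter

# Syslog severity numbers (RFC 3164/5424). A host configured at level N receives
# every message whose severity number is N or lower (i.e. equal or more severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_line(line: str):
    """Split a BSD syslog line into facility, severity, timestamp, host, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 23 facilities * 8 severities - 1
        return None
    return {"facility": pri // 8, "severity": pri % 8, "ts": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def forwarded(event: dict, host_level: str) -> bool:
    """True if a syslog host configured at host_level would receive this event (the cascade rule)."""
    return event["severity"] <= SEVERITY[host_level]


AUTH_FAIL_RE = re.compile(r"Authentication failure for (?P<user>\S+) from (?P<src>\S+)")
LOGIN_RE = re.compile(r"User (?P<user>\S+) logged in from (?P<src>\S+)")   # constructed wording
LOGOUT_RE = re.compile(r"User (?P<user>\S+) logged out")                   # constructed wording
FAILOVER_RE = re.compile(r"taking over as master")


def analyze(lines, fail_threshold: int = 3) -> dict:
    """Run the detections a SIEM rule set would apply to the LoadMaster feed."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = Counter()        # (user, source) -> failed attempts
    open_sessions = {}          # user -> timestamp of last login without a logout
    successive, failover = [], []
    for e in events:
        msg = e["msg"]
        if (m := AUTH_FAIL_RE.search(msg)):
            failures[(m["user"], m["src"])] += 1
        elif (m := LOGIN_RE.search(msg)):
            if m["user"] in open_sessions:          # login while still logged in elsewhere
                successive.append((m["user"], open_sessions[m["user"]], e["ts"]))
            open_sessions[m["user"]] = e["ts"]
        elif (m := LOGOUT_RE.search(msg)):
            open_sessions.pop(m["user"], None)
        elif FAILOVER_RE.search(msg):
            failover.append((e["host"], e["ts"]))
    return {
        "brute_force": {k: v for k, v in failures.items() if v >= fail_threshold},
        "successive_logins": successive,
        "ha_failover": failover,
        "still_logged_in": sorted(open_sessions),
        "parsed": len(events),
    }


# Constructed sample feed. PRI 35 = auth(4)*8 + err(3); 34 = crit; 37 = notice; 38 = info.
SAMPLE_LOG = [
    "<35>Feb 17 10:01:02 lb26 wui: Authentication failure for root from 192.168.1.1",
    "<35>Feb 17 10:01:05 lb26 wui: Authentication failure for root from 192.168.1.1",
    "<35>Feb 17 10:01:09 lb26 wui: Authentication failure for root from 192.168.1.1",
    "<38>Feb 17 10:02:00 lb26 wui: User admin1@mil logged in from 10.10.10.5",
    "<38>Feb 17 10:45:13 lb26 wui: User admin1@mil logged in from 10.10.10.7",
    "<38>Feb 17 10:50:00 lb26 wui: User ops2@mil logged in from 10.10.10.9",
    "<38>Feb 17 11:00:00 lb26 wui: User ops2@mil logged out",
    "<34>Feb 17 11:05:30 lb26 ha: Unit one has failed and unit two is taking over as master",
    "<37>Feb 17 11:06:00 lb26 ntpd: Time has been synced",
    "not a syslog line",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that the brute-force detection only works if the syslog host for the SIEM is configured at Error level or below (Error, Warn, Notice or Info), since the failure messages are emitted at Error; a host set to Critical never sees them.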
4.20 Conditions of Fielding from DoD IAAR
The following is provided as a direct quote from the “INFORMATION ASSURANCE ASSESSMENT
REPORT FOR Kemp Virtual LoadMaster, Software Release 7.2 (Tracking Number 1512701)”.
CONDITION OF FIELDING. When the system is deployed to an operational environment, the
following security measures (at a minimum) must be implemented to ensure an acceptable level of
risk for the sites’ Designated Approving Authority:
a. The system will use CAC with AD with LDAPS to authenticate administrative users. Otherwise,
the following findings are incorporated into the site’s architecture:
- Application Security and Development STIG:
  i. APP3320, CAT II, Virtual LoadMaster
- Network Device Management SRG:
  i. SRG-APP-000023-NDM-000205, CAT II, Virtual LoadMaster
  ii. SRG-APP-000025-NDM-000207, CAT II, Virtual LoadMaster
  iii. SRG-APP-000026-NDM-000208, CAT II, Virtual LoadMaster
  iv. SRG-APP-000027-NDM-000209, CAT II, Virtual LoadMaster
  v. SRG-APP-000028-NDM-000210, CAT II, Virtual LoadMaster
  vi. SRG-APP-000079-NDM-000219, CAT II, Virtual LoadMaster
  vii. SRG-APP-000029-NDM-000211, CAT II, Virtual LoadMaster
  viii. SRG-APP-000091-NDM-000223, CAT II, Virtual LoadMaster
  ix. SRG-APP-000148-NDM-000246, CAT II, Virtual LoadMaster
  x. SRG-APP-000163-NDM-000251, CAT II, Virtual LoadMaster
  xi. SRG-APP-000164-NDM-000252, CAT II, Virtual LoadMaster
  xii. SRG-APP-000165-NDM-000253, CAT II, Virtual LoadMaster
  xiii. SRG-APP-000166-NDM-000254, CAT II, Virtual LoadMaster
  xiv. SRG-APP-000167-NDM-000255, CAT II, Virtual LoadMaster
  xv. SRG-APP-000168-NDM-000256, CAT II, Virtual LoadMaster
  xvi. SRG-APP-000169-NDM-000257, CAT II, Virtual LoadMaster
  xvii. SRG-APP-000170-NDM-000329, CAT II, Virtual LoadMaster
  xviii. SRG-APP-000173-NDM-000260, CAT II, Virtual LoadMaster
  xix. SRG-APP-000174-NDM-000261, CAT II, Virtual LoadMaster
  xx. SRG-APP-000389-NDM-000306, CAT II, Virtual LoadMaster
  xxi. SRG-APP-000495-NDM-000318, CAT II, Virtual LoadMaster
  xxii. SRG-APP-000499-NDM-000319, CAT II, Virtual LoadMaster
b. The site will use a Syslog device for auditing purposes. Otherwise, the following findings are
incorporated into the site’s architecture:
- Application Security and Development STIG:
  i. APP3650, CAT II, Virtual LoadMaster
- Network Device Management SRG:
  i. SRG-APP-000118-NDM-000235, CAT II, Virtual LoadMaster
  ii. SRG-APP-000125-NDM-000241, CAT II, Virtual LoadMaster
  iii. SRG-APP-000126-NDM-000242, CAT II, Virtual LoadMaster
  iv. SRG-APP-000359-NDM-000294, CAT II, Virtual LoadMaster
- Network Other Devices STIG:
  i. NET0386, CAT III, Virtual LoadMaster
- Web Server SRG:
  i. SRG-APP-000357-WSR-000150, CAT II, Virtual LoadMaster
  ii. SRG-APP-000359-WSR-000065, CAT II, Virtual LoadMaster
c. The site will ensure that the hypervisor used to run the VLM is configured according to the
appropriate STIG (including DoD banner and multifactor authentication).
If the hypervisor doesn't support the DoD banner, the following findings will be incorporated into
the site's architecture against the VLM's console interface:
- Application Security and Development STIG:
  i. APP3440, CAT II, Virtual LoadMaster
- Network Other Devices STIG:
  i. NET0340, CAT III, Virtual LoadMaster
If the hypervisor doesn't support the multifactor authentication, the following findings will be
incorporated into the site's architecture against the VLM's console interface:
- Network Device Management SRG:
  i. SRG-APP-000151-NDM-000248, CAT II, Virtual LoadMaster
d. The site must use role-based security for user access and management of the vendor’s device.
e. The site must delete all local user accounts on the device after initial setup and configuration
with the exception of one emergency administrative account. The site will also disable local
authentication of administrative users.
f. The site will ensure that the emergency administrative account’s userid and password are locked
up in separate safes, both of which are not accessible by any one individual, and procedures are
implemented to log all access and usage.
g. The site must ensure the emergency administrative account meets all DoD user identification (ID)
and password requirements.
h. The site will ensure all unused open ports are closed.
i. The device will have management access limited to an authorized Common Access Card (CAC)-
enabled workstation located in a physically secured area and connected to the management
Virtual Local Area Network (VLAN) behind a firewall.
j. The site will ensure Telnet, http web service, and SNMPv1 and 2c are disabled.
k. The site will ensure Secure Shell (SSH) is disabled. Otherwise, the following findings are
incorporated into the site’s architecture:
- Application Security and Development STIG:
  i. APP3440, CAT II, Virtual LoadMaster
- Network Device Management SRG:
  i. SRG-APP-000075-NDM-000217, CAT II, Virtual LoadMaster
  ii. SRG-APP-000076-NDM-000218, CAT II, Virtual LoadMaster
  iii. SRG-APP-000076-NDM-000219, CAT II, Virtual LoadMaster
  iv. SRG-APP-000149-NDM-000247, CAT II, Virtual LoadMaster
  v. SRG-APP-000516-NDM-000332, CAT II, Virtual LoadMaster
  vi. SRG-APP-000516-NDM-000344, CAT II, Virtual LoadMaster
- Network Other Devices STIG:
  i. NET0340, CAT II, Virtual LoadMaster
  ii. NET1645, CAT II, Virtual LoadMaster
  iii. NET1646, CAT II, Virtual LoadMaster
l. The configuration must be in compliance with the “Kemp Virtual LoadMaster, Software Release
7.2.43 (or newer), Tracking Number 1512701, Military Unique Features Deployment Guide”.
m. The site must register the system in the Systems Networks Approval Process Database
as directed by the Defense IA Security Accreditation Working
Group and Program Management Office.
References
Unless otherwise specified, the following documents can be found at
http://kemptechnologies.com/documentation.
User Management, Feature Description
DoD Common Access Card Authentication, Feature Description
Kerberos Constrained Delegation, Feature Description
Licensing, Feature Description
Web User Interface (WUI), Configuration Guide
Updating the LoadMaster Software, Technical Note
Last Updated Date
This document was last updated on 17 February 2020.
Document History
Date     | Change          | Reason for Change            | Version | Resp.
Sep 2018 | Update          | Corrected version number     | 1.0     | LB
Jan 2019 | Release updates | Updates for 7.2.45 release   | 2.0     | LB
Feb 2019 | Release updates | Updates for 7.2.46 release   | 3.0     | LB
Dec 2019 | Release updates | Updates for 7.2.49 release   | 4.0     | LB
Feb 2020 | Release updates | Updates for 7.2.49.1 release | 5.0     | CMC