The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.

From A10 Networks ADC ALG Security Technical Implementation Guide

Part of SRG-NET-000364-ALG-000122

Associated with: CCI-002403

SV-82491r1_rule The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.

Vulnerability discussion

Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.

Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters) ensure that traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.

The URI White List defines the acceptable destination URIs allowed for incoming requests. The White List Check compares the URI of an incoming request against the rules contained in the URI White List policy file. Connection requests are accepted only if the URI matches a rule in the URI White List.

Note: A URI Black List can also be configured, and it takes priority over a URI White List. However, since deny-all, permit-by-exception is a fundamental principle, a URI White List is necessary; a Black List alone does not satisfy this requirement.

Check content

If the device is not used to load balance web servers, this is not applicable.

Review the device configuration. The following command displays the WAF templates:

  show slb template waf

If the configured WAF template does not have the "uri-wlistcheck" option configured, this is a finding.

Fix text

If the device is used to load balance web servers, configure the URI White List. The following commands configure the ADC to compare incoming traffic against the URI White List:

  slb template waf [template-name]
    uri-wlistcheck [file-name]
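The check and fix above are manual. The script below is an added example (not A10, DISA or sagemincer code) that automates the check over saved device output: it parses WAF template stanzas, reports every template that lacks the "uri-wlistcheck" option, and emits the fix commands for each. It assumes the output of "show slb template waf" uses the ACOS running-config layout (a "slb template waf <name>" header followed by indented option lines); the sample text is constructed for the example, not captured from a device, so confirm the layout against your own appliance before trusting the results. The sample deliberately includes a template that has only a URI Black List, which the script still reports as a finding, in line with the deny-all, permit-by-exception note above.

```python
"""Audit A10 ADC WAF templates for the URI White List check.

Added example for SRG-NET-000364-ALG-000122 / SV-82491r1_rule; not vendor code.
Assumption: the template listing follows the ACOS config layout, i.e. a
'slb template waf <name>' header followed by indented '<option> [value]' lines,
with stanzas separated by '!' lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample output (not captured from a real device).
# waf-extranet: compliant (white list present, black list also present).
# waf-intranet: finding (no URI checks at all).
# waf-partner:  finding (black list only; black list does not replace the white list).
SAMPLE_OUTPUT = """\
slb template waf waf-extranet
  uri-wlistcheck allowed-uris.txt
  uri-blistcheck blocked-uris.txt
  deploy-mode active
!
slb template waf waf-intranet
  deploy-mode active
!
slb template waf waf-partner
  uri-blistcheck blocked-uris.txt
!
"""

HEADER = re.compile(r"^slb template waf (\S+)\s*$")


@dataclass
class WafTemplate:
    name: str
    options: dict[str, str] = field(default_factory=dict)


def parse_waf_templates(text: str) -> list[WafTemplate]:
    """Split template listing into WafTemplate objects keyed by option name."""
    templates: list[WafTemplate] = []
    current: WafTemplate | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # blank line or stanza separator
            continue
        header = HEADER.match(line)
        if header:
            current = WafTemplate(header.group(1))
            templates.append(current)
            continue
        if current is None or not line.startswith(" "):
            continue                         # ignore text outside a template stanza
        key, _, value = line.strip().partition(" ")
        current.options[key] = value         # value is "" for flag-style options
    return templates


def findings(templates: list[WafTemplate]) -> list[str]:
    """Names of templates with no 'uri-wlistcheck' option (each is a STIG finding)."""
    return [t.name for t in templates if "uri-wlistcheck" not in t.options]


def fix_commands(template_name: str, list_file: str) -> list[str]:
    """Fix text from the STIG, rendered for one template and one policy file name."""
    return [f"slb template waf {template_name}", f"  uri-wlistcheck {list_file}"]


if __name__ == "__main__":
    parsed = parse_waf_templates(SAMPLE_OUTPUT)
    for name in findings(parsed):
        print(f"FINDING: template '{name}' has no uri-wlistcheck configured")
        print("\n".join(fix_commands(name, "allowed-uris.txt")))
```

Feed it the saved output of "show slb template waf" in place of SAMPLE_OUTPUT. The file name passed to fix_commands is an assumption; use the name of the URI White List policy file actually imported on the device. The script confirms only that the option is present in the template; the template still has to be applied to the virtual port that fronts the web servers for the check to take effect.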
