The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

From CA API Gateway ALG Security Technical Implementation Guide

Part of SRG-NET-000019-ALG-000018

Associated with: CCI-001414

SV-85911r1_rule The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Vulnerability discussion

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.This requirement applies to the flow of information between the CA API Gateway when used as a gateway or boundary device that allows traffic flow between interconnected networks of differing security policies.The CA API Gateway should be installed and configured to restrict or block information flows based on guidance in the Ports, Protocols, and Services Management (PPSM) regarding restrictions for boundary crossing for ports, protocols, and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.The CA API Gateway policies securing the Registered Services should include rules to control the flow of information between systems and networks with policy filters (e.g., rules that parse the Request Message attributes and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message filtering based on message content.

Check content

Open the CA API Gateway - Policy Manager. Double-click all Registered Services required to restrict or block harmful or suspicious traffic. Verify the policies include the proper logic and flow based on the information derived from parsing the attributes of the message request. The policy should be configured to do comparisons and provide logical groupings of assertions using the "At least one..." and "All..." assertions so multiple checks can be performed on various attributes to control access to resources. If it has not, this is a finding.

Fix text

Open the CA API Gateway - Policy Manager. Double-click all Registered Services required to restrict or block harmful or suspicious traffic. Add /update the policy with the appropriate Assertions and include the proper logic and flow based on the information derived from parsing the attributes of a message request to the API in accordance with organizational requirements. The policy should be configured to do comparisons and provide logical groupings of assertions using the "At least one..." and "All..." assertions so multiple checks can be performed on various attributes to control access to resources.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer