The CA API Gateway must not have unnecessary services and functions enabled.

From CA API Gateway ALG Security Technical Implementation Guide

Part of SRG-NET-000131-ALG-000085

Associated with: CCI-000381

SV-85967r1_rule The CA API Gateway must not have unnecessary services and functions enabled.

Vulnerability discussion

Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.The primary function of an ALG is to provide application-specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities that are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server).Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions that have traditionally been separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly, with no current definitive industry standard.The CA API Gateway must not enable unnecessary services unless required by a Registered Service to be used in accordance with organizational requirements.

Check content

Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports". If the Listen ports or firewall rules are not configured in accordance with organizational requirements for disabling unnecessary services, this is a finding.

Fix text

Open the CA API Gateway - Policy Manager, select "Tasks" from the main menu, and chose "Manage Listen Ports". Update the Listen ports and firewall rules in accordance with organizational requirements for disabling unnecessary services.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer