The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.

Severity: low
Group ID: V-266168
Group Title: SRG-NET-000230-ALG-000113
Version: F5BI-AP-300157
Rule ID: SV-266168r1024400_rule
Date: 2024-09-20
STIG Version: 1
Description
The "Restrict to Single Client IP" setting is a safeguard against session hijacking and cookie theft. Even if an attacker manages to steal a session cookie, the cookie cannot be used from a source IP address different from the address used to initiate the session. This security measure is set within the APM Access Profiles. F5 recommends this setting as a defense-in-depth measure. However, in some networks it may result in false positives or rejection of legitimate connections; for example, users behind a shared proxy address may be denied access. Sites must therefore test this setting within their network prior to implementing it to determine if there are operational impacts that prevent its use. If so, the site must document the impacts and get approval from the authorizing official (AO) if this required setting will not be implemented.
ℹ️ Check
If the site has documented an adverse operational impact and has AO approval, this is not a finding.

From the BIG-IP GUI:
1. System.
2. Access.
3. Profiles/Policies.
4. Access Profiles.
5. Click the access profile name.
6. Under Settings, verify "Restrict to Single Client IP" is checked.

If the BIG-IP appliance is not configured to limit authenticated client sessions to the initial session source IP, this is a finding.
✔️ Fix
Note: This setting must be tested. If there are operational impacts that prevent the use of this setting, document the impacts and obtain approval from the AO if this requirement will not be implemented.

From the BIG-IP GUI:
1. System.
2. Access.
3. Profiles/Policies.
4. Access Profiles.
5. Click the access profile name.
6. Under Settings, check "Restrict to Single Client IP".
   Note: If the box is grayed out, first check the box all the way to the right of the setting, then check the box.
7. Click "Update".
8. Click "Apply Access Policy".
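The Check above is a per-profile GUI inspection; on an appliance with many access profiles an auditor would rather evaluate them in bulk. The following script is an added example, not part of the STIG or of F5's tooling: it parses the brace-structured text that `tmsh list apm profile access` prints, reports each profile as pass, finding, or documented AO exception, and assumes that the tmsh attribute corresponding to the GUI checkbox is named `restrict-to-single-client-ip` (verify that name against your BIG-IP version). The sample output embedded below is constructed, not captured from a device.

```python
import re

# Constructed sample of `tmsh list apm profile access` output (not from a real device).
# ASSUMPTION: the tmsh attribute for the GUI setting "Restrict to Single Client IP"
# is `restrict-to-single-client-ip`; a profile that omits it is treated as not enabled.
SAMPLE_TMSH_OUTPUT = """\
apm profile access /Common/access {
    app-service none
    restrict-to-single-client-ip disabled
}
apm profile access /Common/portal-prod {
    access-policy /Common/portal-prod
    restrict-to-single-client-ip enabled
}
apm profile access /Common/legacy-vpn {
    access-policy /Common/legacy-vpn
}
"""

# One match per profile: the name and everything up to the closing brace.
PROFILE_RE = re.compile(r"apm profile access (\S+) \{(.*?)\n\}", re.S)


def parse_access_profiles(text):
    """Return {profile_name: 'enabled' | 'disabled' | None (attribute absent)}."""
    profiles = {}
    for name, body in PROFILE_RE.findall(text):
        m = re.search(r"^\s*restrict-to-single-client-ip\s+(\S+)", body, re.M)
        profiles[name] = m.group(1) if m else None
    return profiles


def evaluate(profiles, approved_exceptions=frozenset()):
    """Map each profile to 'pass', 'exception' (documented AO approval) or 'finding'."""
    report = {}
    for name, value in profiles.items():
        if value == "enabled":
            report[name] = "pass"
        elif name in approved_exceptions:
            report[name] = "exception"
        else:
            report[name] = "finding"
    return report


if __name__ == "__main__":
    # /Common/legacy-vpn stands in for a profile with a documented, AO-approved impact.
    results = evaluate(parse_access_profiles(SAMPLE_TMSH_OUTPUT), {"/Common/legacy-vpn"})
    for profile, status in sorted(results.items()):
        print(f"{status:9} {profile}")
```

Feed the real `tmsh list apm profile access` output to `parse_access_profiles` and the list of profiles covered by AO-approved exception documentation to `evaluate`; anything reported as a finding is a profile that still needs the Fix steps above.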