Checklist Summary:

The F5 BIG-IP Security Technical Implementation Guide (STIG) provides security policy and technical configuration requirements for deploying the appliance in the Department of Defense (DOD) networking environment. The BIG-IP appliance provides integrated application delivery services that work together on the same hardware. These services include load balancing, application delivery, SSL off-loading, access control, firewall, virtual private network (VPN), and name resolution services. The F5 BIG-IP STIG includes the following: • BIG-IP Network Device Management (NDM) STIG. • BIG-IP Advanced Firewall Manager (AFM) STIG. • BIG-IP Application Layer Gateway (ALG) STIG. • BIG-IP Virtual Private Network (VPN) STIG • BIG-IP Domain Name System (DNS) STIG. The core technology for the BIG-IP appliance is the Traffic Management Operating System (TMOS) and logical software modules run within TMOS. Modules within the scope of this STIG include the Local Traffic Manager (LTM), Access Policy Manager (APM), AFM, Advanced Web Application Firewall (AWAF), and DNS. The BIG-IP LTM provides traffic management for rapid deployment, optimization, load balancing, and off-loading of sessions between users and application servers. This module is the core for all BIG-IP deployments, and all other modules are used to define profiles and policies that are applied to virtual servers defined in the LTM. The BIG-IP APM protects public-facing application by providing secure, policy-based, and context-aware access control. It centralizes and simplifies authentication, authorization, and accounting (AAA) management and covers the Authentication Gateway Service (AGS) requirements to support Federated Single Sign-On (SSO). The BIG-IP AFM is a stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network. The STIG security requirements ensure firewall policies are implemented to monitor and secure the applications they are configured to protect. Depending on the organization’s needs, users may prefer to put all active rules in a single policy applied at the global context or apply firewall policies for specific virtual servers. The latter allows for application-specific policies to be developed and applied only where required. When processing policies and rules on a virtual server, only those specific to the application are processed. The BIG-IP AWAF is a web application firewall that protects critical applications and their data by defending against application-specific attacks that bypass conventional firewalls. It protects applications with comprehensive, policy-based web application security that blocks attacks and scales to ensure performance.

Checklist Role:

• Multi-Functional Peripherals

Known Issues:

Not provided.

Target Audience:

Parties within the DOD and federal government’s computing environments can obtain the applicable STIG from the DOD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DOD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Initial Submission as Candidate - 12/30/2024
Changed Status to Final - 03/24/2025

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 03/24/2025