Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

IPSec VPN Gateway Security Technical Implementation Guide

V1R10 · · · Released 23 Oct 2015 · 85 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

IPSec VPN Gateway Security Technical Implementation Guide
Digest of Updates vs. V1R7 · 25 Oct 2013 ✎ 60

Comparison against the immediately-prior release (V1R7). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 60

  • V-14667 Low descriptioncheckfix Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days.
  • V-14669 Medium descriptioncheck Network devices must have BSDr commands disabled.
  • V-14671 Medium descriptioncheckfix Network devices must authenticate all NTP messages received from NTP servers and peers.
  • V-14672 Low descriptioncheckfix The network device must use its loopback or OOB management interface address as the source address when originating authentication services traffic.
  • V-14673 Low descriptioncheckfix The network device must use its loopback or OOB management interface address as the source address when originating syslog traffic.
  • V-14674 Low descriptioncheckfix The network device must use its loopback or OOB management interface address as the source address when originating NTP traffic.
  • V-14675 Low descriptioncheckfix The network device must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
  • V-14676 Low descriptioncheckfix The network device must use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.
  • V-14677 Low descriptioncheck The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
  • V-14681 Low descriptioncheckfix The network device must use its loopback interface address as the source address for all iBGP peering sessions.
  • V-14717 Medium checkfix The network device must not allow SSH Version 1 to be used for administrative access.
  • V-15432 Medium checkfix Network devices must use two or more authentication servers for the purpose of granting administrative access.
  • V-15434 High descriptioncheck The emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
  • V-17821 Medium descriptioncheckfix The network devices OOBM interface must be configured with an OOBM network address.
  • V-17822 Medium descriptioncheckfix The network devices management interface must be configured with both an ingress and egress ACL.
  • V-17823 Low descriptioncheck The management interface must be configured as passive for the IGP instance deployed in the managed network.
  • V-19188 Medium descriptioncheck The network device must have control plane protection enabled.
  • V-23747 Low descriptioncheckfix Network devices must use at least two NTP servers to synchronize time.
  • V-3000 Low check The network device must log all interface access control lists (ACL) deny statements.
  • V-3012 High descriptioncheckfix Network devices must be password protected.
  • V-3013 Medium descriptioncheckfix Network devices must display the DoD-approved logon banner warning.
  • V-3014 Medium descriptioncheckfix The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
  • V-3020 Low descriptioncheck Network devices must have DNS servers defined if it is configured as a client resolver.
  • V-3021 Medium checkfix Network devices must only allow SNMP access from addresses belonging to the management network.
  • V-3034 Medium descriptioncheck Network devices must authenticate all IGP peers.
  • V-3043 Medium checkfix The network device must use different SNMP community names or groups for various levels of read and write access.
  • V-3056 High check Group accounts must not be configured for use on the network device.
  • V-3057 Medium description Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
  • V-3058 Medium check Unauthorized accounts must not be configured for access to the network device.
  • V-3062 High descriptioncheckfix Network devices must be configured to ensure passwords are not viewable when displaying configuration information.
  • V-3069 Medium check Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
  • V-3070 Low check Network devices must log all attempts to establish a management connection for administrative access.
  • V-3072 Low check The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
  • V-3078 Low check Network devices must have TCP and UDP small servers disabled.
  • V-3079 Low descriptioncheckfix Network devices must have the Finger service disabled.
  • V-3080 Medium descriptioncheckfix The Configuration auto-loading feature must be disabled.
  • V-3081 Medium check IP source routing must be disabled.
  • V-3083 Low descriptioncheckfix IP directed broadcast must be disabled on all layer 3 interfaces.
  • V-3085 Medium check Network devices must have HTTP service for administrative access disabled.
  • V-3086 Low descriptioncheckfix BOOTP services must be disabled.
  • V-31285 Medium descriptioncheckfix Network devices must authenticate all BGP peers within the same or between autonomous systems (AS).
  • V-3143 High descriptioncheckfix Network devices must not have any default manufacturer passwords.
  • V-3160 Medium checkfix Network devices must be running a current and supported operating system with all IAVMs addressed.
  • V-3175 High check The network device must require authentication prior to establishing a management connection for administrative access.
  • V-3196 High checkfix The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
  • V-3210 High descriptioncheck The network device must not use the default or well-known SNMP community strings public and private.
  • V-3966 Medium descriptioncheckfix In the event the authentication server is down or unavailable, there must only be one local account of last resort created for emergency use.
  • V-3967 Medium descriptioncheck The network devices must time out access to the console port at 10 minutes or less of inactivity.
  • V-3969 Medium check Network devices must only allow SNMP read-only access.
  • V-4582 High check The network device must require authentication for console access.
  • V-4584 Low checkfix The network device must log all messages except debugging and send all log data to a syslog server.
  • V-5611 Medium descriptioncheck The network devices must only allow management connections for administrative access from hosts residing in the management network.
  • V-5612 Medium descriptioncheckfix The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
  • V-5613 Medium checkfix The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
  • V-5614 Low checkfix Network devices must have the PAD service disabled.
  • V-5615 Low descriptioncheckfix Network devices must have TCP Keep-Alives enabled for TCP sessions.
  • V-5616 Low checkfix Network devices must have identification support disabled.
  • V-5618 Medium descriptioncheckfix Gratuitous ARP must be disabled.
  • V-5646 Medium descriptioncheck The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
  • V-7011 Low check The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
Sort by
a
The network device must log all interface access control lists (ACL) deny statements.
Low - V-3000 - SV-3000r4_rule
RMF Control
Severity
L
CCI
Version
NET1020
Vuln IDs
  • V-3000
Rule IDs
  • SV-3000r4_rule
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, attempted to be done, and by whom in order to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack, or identify a configuration mistake on the device.Information Assurance OfficerECAT-1, ECAT-2, ECSC-1
Checks: C-3947r6_chk

Review the network device interface ACLs to verify all deny statements are logged. If deny statements are not logged, this is a finding.

Fix: F-3025r4_fix

Configure interface ACLs to log all deny statements.

c
Network devices must be password protected.
High - V-3012 - SV-3012r4_rule
RMF Control
Severity
H
CCI
Version
NET0230
Vuln IDs
  • V-3012
Rule IDs
  • SV-3012r4_rule
Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device providing opportunity for intruders to compromise resources within the network infrastructure.Information Assurance OfficerECSC-1, IAIA-1, IAIA-2
Checks: C-3456r6_chk

Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.

Fix: F-3037r6_fix

Configure the network devices so it will require a password to gain administrative access to the device.

b
Network devices must display the DoD-approved logon banner warning.
Medium - V-3013 - SV-3013r4_rule
RMF Control
Severity
M
CCI
Version
NET0340
Vuln IDs
  • V-3013
Rule IDs
  • SV-3013r4_rule
All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.Information Assurance OfficerECWM-1
Checks: C-3474r10_chk

Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.

Fix: F-3038r8_fix

Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."

b
The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
Medium - V-3014 - SV-3014r4_rule
RMF Control
Severity
M
CCI
Version
NET1639
Vuln IDs
  • V-3014
Rule IDs
  • SV-3014r4_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network device and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device as well as reduce the risk of a management session from being hijacked. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.Information Assurance OfficerECSC-1
Checks: C-3540r6_chk

Review the management connection for administrative access and verify the network device is configured to time-out the connection at 10 minutes or less of inactivity. If the device does not terminate inactive management connections at 10 minutes or less, this is a finding.

Fix: F-3039r5_fix

Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.

a
Network devices must have DNS servers defined if it is configured as a client resolver.
Low - V-3020 - SV-3020r3_rule
RMF Control
Severity
L
CCI
Version
NET0820
Vuln IDs
  • V-3020
Rule IDs
  • SV-3020r3_rule
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.Information Assurance OfficerECSC-1
Checks: C-3584r5_chk

Review the device configuration to ensure DNS servers have been defined if it has been configured as a client resolver (name lookup). If the device is configured as a client resolver and DNS servers are not defined, this is a finding.

Fix: F-3045r2_fix

Configure the device to include DNS servers or disable domain lookup.

b
Network devices must only allow SNMP access from addresses belonging to the management network.
Medium - V-3021 - SV-3021r3_rule
RMF Control
Severity
M
CCI
Version
NET0890
Vuln IDs
  • V-3021
Rule IDs
  • SV-3021r3_rule
Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the networks topology, and possibly gain access to network devices.Information Assurance OfficerECSC-1
Checks: C-3586r8_chk

Review the device configuration and verify it is configured to only allow SNMP access from addresses belonging to the management network. If the device is not configured to filter SNMP from the management network only, this is a finding.

Fix: F-3046r4_fix

Configure the network devices to only allow SNMP access from only addresses belonging to the management network.

b
Network devices must authenticate all IGP peers.
Medium - V-3034 - SV-3034r3_rule
RMF Control
Severity
M
CCI
Version
NET0400
Vuln IDs
  • V-3034
Rule IDs
  • SV-3034r3_rule
A rogue router could send a fictitious routing update to convince a site's premise router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information of the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks.Information Assurance OfficerECSC-1
Checks: C-3489r4_chk

Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.

Fix: F-3059r3_fix

Configure authentication for all IGP peers.

b
The network device must use different SNMP community names or groups for various levels of read and write access.
Medium - V-3043 - SV-3043r4_rule
RMF Control
Severity
M
CCI
Version
NET1675
Vuln IDs
  • V-3043
Rule IDs
  • SV-3043r4_rule
Numerous vulnerabilities exist with SNMP; therefore, without unique SNMP community names, the risk of compromise is dramatically increased. This is especially true with vendors default community names which are widely known by hackers and other networking experts. If a hacker gains access to these devices and can easily guess the name, this could result in denial of service, interception of sensitive information, or other destructive actions.Information Assurance OfficerECSC-1
Checks: C-3825r7_chk

Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.

Fix: F-3068r4_fix

Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.

c
Group accounts must not be configured for use on the network device.
High - V-3056 - SV-3056r7_rule
RMF Control
Severity
H
CCI
Version
NET0460
Vuln IDs
  • V-3056
Rule IDs
  • SV-3056r7_rule
Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.Information Assurance OfficerIAIA-1, IAIA-2
Checks: C-3503r11_chk

Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.

Fix: F-3081r9_fix

Configure individual user accounts for each authorized person then remove any group accounts.

b
Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
Medium - V-3057 - SV-3057r5_rule
RMF Control
Severity
M
CCI
Version
NET0465
Vuln IDs
  • V-3057
Rule IDs
  • SV-3057r5_rule
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.Information Assurance OfficerECSC-1
Checks: C-3504r6_chk

Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Fix: F-3082r5_fix

Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.

b
Unauthorized accounts must not be configured for access to the network device.
Medium - V-3058 - SV-3058r5_rule
RMF Control
Severity
M
CCI
Version
NET0470
Vuln IDs
  • V-3058
Rule IDs
  • SV-3058r5_rule
A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.Information Assurance OfficerECSC-1, IAAC-1
Checks: C-3505r5_chk

Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.

Fix: F-3083r5_fix

Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.

c
Network devices must be configured to ensure passwords are not viewable when displaying configuration information.
High - V-3062 - SV-3062r4_rule
RMF Control
Severity
H
CCI
Version
NET0600
Vuln IDs
  • V-3062
Rule IDs
  • SV-3062r4_rule
Many attacks on information systems and network devices are launched from within the network. Hence, it is imperative that all passwords are encrypted so they cannot be intercepted by viewing the console or printout of the configuration.Information Assurance OfficerECSC-1
Checks: C-3508r5_chk

Review the network devices configuration to determine if passwords are viewable. If passwords are viewable in plaintext, this is a finding.

Fix: F-3087r7_fix

Configure the network devices to ensure passwords are not viewable when displaying configuration information.

b
Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
Medium - V-3069 - SV-3069r5_rule
RMF Control
Severity
M
CCI
Version
NET1638
Vuln IDs
  • V-3069
Rule IDs
  • SV-3069r5_rule
Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.Information Assurance OfficerDCNR-1, ECSC-1
Checks: C-3532r8_chk

Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS using TLS If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.

Fix: F-3094r5_fix

Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.

a
Network devices must log all attempts to establish a management connection for administrative access.
Low - V-3070 - SV-3070r4_rule
RMF Control
Severity
L
CCI
Version
NET1640
Vuln IDs
  • V-3070
Rule IDs
  • SV-3070r4_rule
Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.Information Assurance OfficerECAT-1, ECAT-2
Checks: C-3542r6_chk

Review the configuration to verify all attempts to access the device via management connection are logged. If management connection attempts are not logged, this is a finding.

Fix: F-3095r3_fix

Configure the device to log all access attempts to the device to establish a management connection for administrative access.

a
The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
Low - V-3072 - SV-3072r3_rule
RMF Control
Severity
L
CCI
Version
NET1030
Vuln IDs
  • V-3072
Rule IDs
  • SV-3072r3_rule
If the running and startup router configurations are not synchronized properly and a router malfunctions, it will not restart with all of the recent changes incorporated. If the recent changes were security related, then the routers would be vulnerable to attack.Information Assurance OfficerCOBR-1, ECSC-1
Checks: C-3636r6_chk

Review the running and boot configurations to determine if they are synchronized. IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized. JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed; thereby, making it the new active configuration--at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1. If running configuration and boot configurations are not the same, this is a finding.

Fix: F-3097r4_fix

Add procedures to the standard operating procedure to keep the running configuration synchronized with the startup configuration.

a
Network devices must have TCP and UDP small servers disabled.
Low - V-3078 - SV-3078r3_rule
RMF Control
Severity
L
CCI
Version
NET0720
Vuln IDs
  • V-3078
Rule IDs
  • SV-3078r3_rule
Cisco IOS provides the "small services" that include echo, chargen, and discard. These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the Cisco's UDP echo port, the result would be Cisco sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the commands no service tcp-small-servers and no service udp-small-servers.Information Assurance OfficerECSC-1
Checks: C-3551r5_chk

Review all Cisco device configurations to verify service udp-small-servers and service tcp-small-servers are not found. If TCP and UDP servers are not disabled, this is a finding. Note: The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later.

Fix: F-3103r4_fix

Change the device configuration to include the following IOS commands: no service tcp-small-servers and no service udp-small-servers for each device running an IOS version prior to 12.0. This is the default for IOS versions 12.0 and later (i.e., these commands will not appear in the running configuration.)

a
Network devices must have the Finger service disabled.
Low - V-3079 - SV-3079r3_rule
RMF Control
Severity
L
CCI
Version
NET0730
Vuln IDs
  • V-3079
Rule IDs
  • SV-3079r3_rule
The Finger service supports the UNIX Finger protocol, which is used for querying a host about the users that are logged on. This service is not necessary for generic users. If an attacker were to find out who is using the network, they may use social engineering practices to try to elicit classified DoD information.Information Assurance OfficerECSC-1
Checks: C-3571r5_chk

Review the device configuration to determine if Finger has been implemented. If the Finger service is enabled, this is a finding.

Fix: F-3104r4_fix

Configure the device to disable the Finger service.

b
The Configuration auto-loading feature must be disabled.
Medium - V-3080 - SV-3080r3_rule
RMF Control
Severity
M
CCI
Version
NET0760
Vuln IDs
  • V-3080
Rule IDs
  • SV-3080r3_rule
Devices can find their startup configuration either in their own NVRAM or access it over the network via TFTP or Remote Copy (rcp). Loading the image from the network is taking a security risk since the image could be intercepted by an attacker who could corrupt the image resulting in a denial of service.Information Assurance OfficerECSC-1
Checks: C-3574r7_chk

Review the device configuration to determine if the configuration auto-loading feature is disabled. If the configuration auto-loading feature is enabled, this is a finding.

Fix: F-3105r5_fix

Disable the configuration auto-loading feature.

b
IP source routing must be disabled.
Medium - V-3081 - SV-3081r3_rule
RMF Control
Severity
M
CCI
Version
NET0770
Vuln IDs
  • V-3081
Rule IDs
  • SV-3081r3_rule
Source routing is a feature of IP, whereby individual packets can specify routes. This feature is used in several different network attacks by bypassing perimeter and internal defense mechanisms.Information Assurance OfficerECSC-1
Checks: C-58979r1_chk

Review the configuration to determine if source routing is disabled. If IP source routing is enabled, this is a finding.

Fix: F-63435r1_fix

Configure the router to disable IP source routing.

a
IP directed broadcast must be disabled on all layer 3 interfaces.
Low - V-3083 - SV-3083r3_rule
RMF Control
Severity
L
CCI
Version
NET0790
Vuln IDs
  • V-3083
Rule IDs
  • SV-3083r3_rule
An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, which is connected directly to the target subnet, can conclusively identify a directed broadcast. IP directed broadcasts are used in the extremely common and popular smurf, or Denial of Service (DoS), attacks. In a smurf attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified. This service should be disabled on all interfaces when not needed to prevent smurf and DoS attacks. Directed broadcast can be enabled on internal facing interfaces to support services such as Wake-On-LAN. Case scenario may also include support for legacy applications where the content server and the clients do not support multicast. The content servers send streaming data using UDP broadcast. Used in conjunction with the ip multicast helper-map feature, broadcast data can be sent across a multicast topology. The broadcast streams are converted to multicast and vice versa at the first-hop routers and last-hop routers before entering leaving the multicast transit area respectively. The last-hop router must convert the multicast to broadcast. Hence, this interface must be configured to forward a broadcast packet (i.e. a directed broadcast address is converted to the all nodes broadcast address).Information Assurance OfficerECSC-1
Checks: C-3578r4_chk

IP directed broadcast is disabled by default in IOS version 12.0 and higher so the command "no ip directed-broadcast" will not be displayed in the running configuration--verify that the running configuration does not contain the command "ip directed-broadcast". For versions prior to 12.0 ensure the command "no ip directed-broadcast" is displayed in the running configuration. If IP directed broadcasts are enabled on layer 3 interfaces, this is a finding.

Fix: F-3108r4_fix

Disable IP directed broadcasts on all layer 3 interfaces.

b
Network devices must have HTTP service for administrative access disabled.
Medium - V-3085 - SV-3085r3_rule
RMF Control
Severity
M
CCI
Version
NET0740
Vuln IDs
  • V-3085
Rule IDs
  • SV-3085r3_rule
The additional services that the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services.Information Assurance OfficerECSC-1
Checks: C-3572r5_chk

Review the device configuration to determine that HTTP is not enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.

Fix: F-3110r4_fix

Configure the device to disable using HTTP (port 80) for administrative access.

a
BOOTP services must be disabled.
Low - V-3086 - SV-3086r3_rule
RMF Control
Severity
L
CCI
Version
NET0750
Vuln IDs
  • V-3086
Rule IDs
  • SV-3086r3_rule
BOOTP is a user datagram protocol (UDP) that can be used by Cisco routers to access copies of Cisco IOS Software on another Cisco router running the BOOTP service. In this scenario, one Cisco router acts as a Cisco IOS Software server that can download the software to other Cisco routers acting as BOOTP clients. In reality, this service is rarely used and can allow an attacker to download a copy of a router's Cisco IOS Software.Information Assurance OfficerECSD-1
Checks: C-3573r7_chk

Review the device configuration to determine if BOOTP services are enabled. If BOOTP is enabled, this is a finding.

Fix: F-3111r6_fix

Configure the device to disable all BOOTP services.

c
Network devices must not have any default manufacturer passwords.
High - V-3143 - SV-3143r4_rule
RMF Control
Severity
H
CCI
Version
NET0240
Vuln IDs
  • V-3143
Rule IDs
  • SV-3143r4_rule
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well-known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.Information Assurance OfficerECSC-1
Checks: C-40236r3_chk

Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.

Fix: F-35391r3_fix

Remove any vendor default passwords from the network devices configuration.

b
Network devices must be running a current and supported operating system with all IAVMs addressed.
Medium - V-3160 - SV-3160r4_rule
RMF Control
Severity
M
CCI
Version
NET0700
Vuln IDs
  • V-3160
Rule IDs
  • SV-3160r4_rule
Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, back doors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.Information Assurance OfficerECSC-1
Checks: C-3549r4_chk

Have the administrator display the OS version in operation. The OS must be current with related IAVMs addressed. If the device is using an OS that does not meet all IAVMs or currently not supported by the vendor, this is a finding.

Fix: F-3185r4_fix

Update operating system to a supported version that addresses all related IAVMs.

c
The network device must require authentication prior to establishing a management connection for administrative access.
High - V-3175 - SV-3175r5_rule
RMF Control
Severity
H
CCI
Version
NET1636
Vuln IDs
  • V-3175
Rule IDs
  • SV-3175r5_rule
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.Information Assurance OfficerECSC-1
Checks: C-3516r9_chk

Review the network device configuration to verify all management connections for administrative access require authentication. If authentication isn't configured for management access, this is a finding.

Fix: F-3200r3_fix

Configure authentication for all management connections.

c
The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
High - V-3196 - SV-3196r4_rule
RMF Control
Severity
H
CCI
Version
NET1660
Vuln IDs
  • V-3196
Rule IDs
  • SV-3196r4_rule
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.Information Assurance OfficerECSC-1
Checks: C-3820r6_chk

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Fix: F-3221r5_fix

If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

c
The network device must not use the default or well-known SNMP community strings public and private.
High - V-3210 - SV-3210r4_rule
RMF Control
Severity
H
CCI
Version
NET1665
Vuln IDs
  • V-3210
Rule IDs
  • SV-3210r4_rule
Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".Information Assurance OfficerECSC-1, IAIA-1, IAIA-2
Checks: C-3822r7_chk

Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.

Fix: F-3235r4_fix

Configure unique SNMP community strings replacing the default community strings.

b
In the event the authentication server is down or unavailable, there must only be one local account of last resort created for emergency use.
Medium - V-3966 - SV-3966r5_rule
RMF Control
Severity
M
CCI
Version
NET0440
Vuln IDs
  • V-3966
Rule IDs
  • SV-3966r5_rule
Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.ECSC-1
Checks: C-3502r6_chk

Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one account of last resort configured locally for an emergency. Verify the username and password for the account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.

Fix: F-3899r8_fix

Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.

b
The network devices must time out access to the console port at 10 minutes or less of inactivity.
Medium - V-3967 - SV-3967r4_rule
RMF Control
Severity
M
CCI
Version
NET1624
Vuln IDs
  • V-3967
Rule IDs
  • SV-3967r4_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.Information Assurance OfficerECSC-1
Checks: C-3511r5_chk

Review the configuration and verify a session using the console port will time out after 10 minutes or less of inactivity. If console access is not configured to timeout at 10 minutes or less, this is a finding.

Fix: F-3900r4_fix

Configure the timeout for idle console connection to 10 minutes or less.

b
Network devices must only allow SNMP read-only access.
Medium - V-3969 - SV-3969r5_rule
RMF Control
Severity
M
CCI
Version
NET0894
Vuln IDs
  • V-3969
Rule IDs
  • SV-3969r5_rule
Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.Information Assurance OfficerECSC-1
Checks: C-3942r10_chk

Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the ISSO, this is a finding.

Fix: F-3902r7_fix

Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.

c
The network device must require authentication for console access.
High - V-4582 - SV-4582r5_rule
RMF Control
Severity
H
CCI
Version
NET1623
Vuln IDs
  • V-4582
Rule IDs
  • SV-4582r5_rule
Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.Information Assurance OfficerIAIA-1, IAIA-2
Checks: C-3510r6_chk

Review the network device's configuration and verify authentication is required for console access. If authentication is not configured for console access, this is a finding.

Fix: F-4515r4_fix

Configure authentication for console access on the network device.

a
The network device must log all messages except debugging and send all log data to a syslog server.
Low - V-4584 - SV-4584r3_rule
RMF Control
Severity
L
CCI
Version
NET1021
Vuln IDs
  • V-4584
Rule IDs
  • SV-4584r3_rule
Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.Information Assurance OfficerECAT-1, ECAT-2, ECSC-1
Checks: C-3950r6_chk

Review the network device configuration to ensure all messages up to and including severity level 6 (informational) are logged and sent to a syslog server. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging If logging does not capture of up severity level 6, this is a finding.

Fix: F-4517r6_fix

Configure the network device to log all messages except debugging and send all log data to a syslog server.

b
The network devices must only allow management connections for administrative access from hosts residing in the management network.
Medium - V-5611 - SV-5611r4_rule
RMF Control
Severity
M
CCI
Version
NET1637
Vuln IDs
  • V-5611
Rule IDs
  • SV-5611r4_rule
Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.Information Assurance OfficerECSC-1
Checks: C-3527r6_chk

Review the configuration and verify management access to the device is allowed only from hosts within the management network. If management access can be gained from outside of the authorized management network, this is a finding.

Fix: F-5522r4_fix

Configure an ACL or filter to restrict management access to the device from only the management network.

b
The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
Medium - V-5612 - SV-5612r3_rule
RMF Control
Severity
M
CCI
Version
NET1645
Vuln IDs
  • V-5612
Rule IDs
  • SV-5612r3_rule
An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network device.Information Assurance OfficerECSC-1
Checks: C-3534r6_chk

Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. If the device is not configured to drop broken SSH sessions after 60 seconds, this is a finding.

Fix: F-5523r5_fix

Configure the network devices so it will require a secure shell timeout of 60 seconds or less.

b
The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
Medium - V-5613 - SV-5613r4_rule
RMF Control
Severity
M
CCI
Version
NET1646
Vuln IDs
  • V-5613
Rule IDs
  • SV-5613r4_rule
An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a Brute Force attack.Information Assurance OfficerECSC-1
Checks: C-3538r8_chk

Review the configuration and verify the number of unsuccessful SSH logon attempts is set at 3. If the device is not configured to reset unsuccessful SSH logon attempts at 3, this is a finding.

Fix: F-5524r9_fix

Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.

a
Network devices must have the PAD service disabled.
Low - V-5614 - SV-5614r3_rule
RMF Control
Severity
L
CCI
Version
NET0722
Vuln IDs
  • V-5614
Rule IDs
  • SV-5614r3_rule
Packet Assembler Disassembler (PAD) is an X.25 component seldom used. It collects the data transmissions from the terminals and gathers them into a X.25 data stream and vice versa. PAD acts like a multiplexer for the terminals. If enabled, it can render the device open to attacks. Some voice vendors use PAD on internal routers.Information Assurance OfficerECSC-1
Checks: C-3552r5_chk

Review the device configuration to determine if the PAD service is enabled. If the PAD service is enabled, this is a finding.

Fix: F-5525r5_fix

Configure the device to disable the PAD service.

a
Network devices must have TCP Keep-Alives enabled for TCP sessions.
Low - V-5615 - SV-5615r3_rule
RMF Control
Severity
L
CCI
Version
NET0724
Vuln IDs
  • V-5615
Rule IDs
  • SV-5615r3_rule
Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These "orphaned" sessions use up valuable router resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keepalive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the keepalive message, the sending router will clear the connection and free resources allocated to the session.Information Assurance OfficerECSC-1
Checks: C-3559r7_chk

Review the device configuration to verify the "service tcp-keepalives-in" command is configured. If TCP Keep-Alives are not enabled, this is a finding.

Fix: F-5526r7_fix

Configure the device to enable TCP Keep-Alives.

a
Network devices must have identification support disabled.
Low - V-5616 - SV-5616r3_rule
RMF Control
Severity
L
CCI
Version
NET0726
Vuln IDs
  • V-5616
Rule IDs
  • SV-5616r3_rule
Identification support allows one to query a TCP port for identification. This feature enables an unsecured protocol to report the identity of a client initiating a TCP connection and a host responding to the connection. Identification support can connect a TCP port on a host, issue a simple text string to request information, and receive a simple text-string reply. This is another mechanism to learn the router vendor, model number, and software version being run.Information Assurance OfficerECSC-1
Checks: C-3562r5_chk

Review the device configuration to verify that identification support is not enabled via "ip identd" global command. It is disabled by default. If identifications support is enabled, this is a finding.

Fix: F-5527r5_fix

Configure the device to disable identification support.

b
Gratuitous ARP must be disabled.
Medium - V-5618 - SV-5618r3_rule
RMF Control
Severity
M
CCI
Version
NET0781
Vuln IDs
  • V-5618
Rule IDs
  • SV-5618r3_rule
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.Information Assurance OfficerECSC-1
Checks: C-3577r7_chk

Review the configuration to determine if gratuitous ARP is disabled. If gratuitous ARP is enabled, this is a finding.

Fix: F-5529r5_fix

Disable gratuitous ARP on the device.

b
The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
Medium - V-5646 - SV-5646r5_rule
RMF Control
Severity
M
CCI
Version
NET0965
Vuln IDs
  • V-5646
Rule IDs
  • SV-5646r5_rule
A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.Information Assurance OfficerECSC-1
Checks: C-3604r11_chk

Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.

Fix: F-5557r6_fix

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

a
The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
Low - V-7011 - SV-7365r4_rule
RMF Control
Severity
L
CCI
Version
NET1629
Vuln IDs
  • V-7011
Rule IDs
  • SV-7365r4_rule
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.Information Assurance OfficerECSC-1
Checks: C-3513r5_chk

Review the configuration and verify the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected. If the auxiliary port is enabled without the use of a secured modem, this is a finding.

Fix: F-6614r3_fix

Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.

a
Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days.
Low - V-14667 - SV-15301r3_rule
RMF Control
Severity
L
CCI
Version
NET0422
Vuln IDs
  • V-14667
Rule IDs
  • SV-15301r3_rule
If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, both with 180-day expirations.Information Assurance OfficerIAKM-1, IAKM-2, IAKM-3
Checks: C-12696r5_chk

Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.

Fix: F-14125r4_fix

Configure the device so rotating keys expire at 180 days or less.

b
Network devices must have BSDr commands disabled.
Medium - V-14669 - SV-15313r3_rule
RMF Control
Severity
M
CCI
Version
NET0744
Vuln IDs
  • V-14669
Rule IDs
  • SV-15313r3_rule
Berkeley Software Distribution (BSD) "r" commands allow users to execute commands on remote systems using a variety of protocols. The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The difficulty with these commands is they use address-based authentication. An attacker who convinces a server that he is coming from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by impersonating a trusted machine and using IP address, by confusing DNS so that DNS thinks that the attacker's IP address maps to a trusted machine's name, or by any of a number of other methods.Information Assurance OfficerECSC-1
Checks: C-12779r5_chk

Review the device configuration and verify there are no BSDr commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) enabled. If BSDr commands are enabled, this is a finding.

Fix: F-14130r4_fix

Configure the device to disable BSDr command services.

b
Network devices must authenticate all NTP messages received from NTP servers and peers.
Medium - V-14671 - SV-15327r4_rule
RMF Control
Severity
M
CCI
Version
NET0813
Vuln IDs
  • V-14671
Rule IDs
  • SV-15327r4_rule
Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level and of decreasing accuracy than that of its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to it upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It's not used to authenticate NTP clients because NTP servers don't care about the authenticity of their clients, as they never accept any time from them.Information Assurance OfficerECSC-1
Checks: C-12793r7_chk

Review the device configuration and verify it is authenticating the NTP messages received from the NTP server or peer. Authentication must be performed using either PKI (supported in NTP v4) or SHA-1 hashing algorithm. If NTP messages are not authenticated using PKI or SHA-1 hashing, this is a finding.

Fix: F-14132r2_fix

Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or SHA-1 hashing algorithm.

a
The network device must use its loopback or OOB management interface address as the source address when originating authentication services traffic.
Low - V-14672 - SV-15336r3_rule
RMF Control
Severity
L
CCI
Version
NET0897
Vuln IDs
  • V-14672
Rule IDs
  • SV-15336r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. TACACS+, RADIUS messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12802r5_chk

Review the device configuration and determine if authentication services are using the loopback or OOB management interface as the source address. If the loopback or OOB management interface isn't being used as the source address for authentications services, this is a finding.

Fix: F-14134r5_fix

Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.

a
The network device must use its loopback or OOB management interface address as the source address when originating syslog traffic.
Low - V-14673 - SV-15339r3_rule
RMF Control
Severity
L
CCI
Version
NET0898
Vuln IDs
  • V-14673
Rule IDs
  • SV-15339r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. Syslog messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12805r7_chk

Review the configuration and verify the loopback interface address is used as the source address when originating syslog traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for syslog traffic, this is a finding.

Fix: F-14135r4_fix

Configure the device to use its loopback or OOB management interface address as the source address when originating syslog traffic.

a
The network device must use its loopback or OOB management interface address as the source address when originating NTP traffic.
Low - V-14674 - SV-15342r3_rule
RMF Control
Severity
L
CCI
Version
NET0899
Vuln IDs
  • V-14674
Rule IDs
  • SV-15342r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. NTP messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12808r5_chk

Review the configuration and verify the loopback interface address is used as the source address when originating NTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for NTP traffic, this is a finding.

Fix: F-14136r4_fix

Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.

a
The network device must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
Low - V-14675 - SV-15345r3_rule
RMF Control
Severity
L
CCI
Version
NET0900
Vuln IDs
  • V-14675
Rule IDs
  • SV-15345r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. SNMP messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12811r5_chk

Review the configuration and verify the loopback interface address is used as the source address when originating SNMP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for SNMP traffic, this is a finding.

Fix: F-14137r4_fix

Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.

a
The network device must use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.
Low - V-14676 - SV-15348r3_rule
RMF Control
Severity
L
CCI
Version
NET0901
Vuln IDs
  • V-14676
Rule IDs
  • SV-15348r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. NetFlow messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12814r5_chk

Review the configuration and verify the loopback interface address is used as the source address when originating NetFlow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for IP Flow/NetFlow traffic, this is a finding.

Fix: F-63437r1_fix

Configure the device to use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.

a
The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
Low - V-14677 - SV-15351r4_rule
RMF Control
Severity
L
CCI
Version
NET0902
Vuln IDs
  • V-14677
Rule IDs
  • SV-15351r4_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of network devices. It is easier to construct appropriate ingress filters for management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. TFTP and FTP messages sent to management servers should use the loopback address as the source address.Information Assurance OfficerECSC-1
Checks: C-12818r7_chk

Review the device configuration to verify the loopback interface address is used as the source address when originating TFTP or FTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. If the loopback or OOB management interface isn't being used as the source address for TFTP or FTP traffic, this is a finding.

Fix: F-14139r6_fix

Configure the network device to use a loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.

a
The network device must use its loopback interface address as the source address for all iBGP peering sessions.
Low - V-14681 - SV-15357r3_rule
RMF Control
Severity
L
CCI
Version
NET0903
Vuln IDs
  • V-14681
Rule IDs
  • SV-15357r3_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability. It is easier to construct appropriate filters for control plane traffic. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.Information Assurance OfficerECSC-1
Checks: C-12824r3_chk

Review the configuration and verify iBGP peering uses the devices loopback interface address as the source address. If the loopback interface isn't being used as the source address for iBGP peering, this is a finding.

Fix: F-14148r3_fix

Configure the network device's loopback address as the source address for iBGP peering.

b
The network device must not allow SSH Version 1 to be used for administrative access.
Medium - V-14717 - SV-15459r4_rule
RMF Control
Severity
M
CCI
Version
NET1647
Vuln IDs
  • V-14717
Rule IDs
  • SV-15459r4_rule
SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.Information Assurance OfficerECSC-1
Checks: C-12924r8_chk

Review the configuration and verify SSH Version 1 is not being used for administrative access. If the device is using an SSHv1 session, this is a finding.

Fix: F-14184r5_fix

Configure the network device to use SSH version 2.

b
Network devices must use two or more authentication servers for the purpose of granting administrative access.
Medium - V-15432 - SV-16259r4_rule
RMF Control
Severity
M
CCI
Version
NET0433
Vuln IDs
  • V-15432
Rule IDs
  • SV-16259r4_rule
The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in conjunction with an authentication server such as TACACS+ or RADIUS, the administrators can easily add or remove user accounts, add or remove command authorizations, and maintain a log of user activity. The use of an authentication server provides the capability to assign router administrators to tiered groups that contain their privilege level that is used for authorization of specific commands. For example, user mode would be authorized for all authenticated administrators while configuration or edit mode should only be granted to those administrators that are permitted to implement router configuration changes.Information Assurance OfficerIAIA-1
Checks: C-14439r6_chk

Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.

Fix: F-15096r3_fix

Configure the device to use two separate authentication servers.

c
The emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
High - V-15434 - SV-16261r4_rule
RMF Control
Severity
H
CCI
Version
NET0441
Vuln IDs
  • V-15434
Rule IDs
  • SV-16261r4_rule
The emergency account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.Information Assurance OfficerECSC-1
Checks: C-14441r5_chk

Review the emergency account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency account is configured for more access than needed to troubleshoot issues, this is a finding.

Fix: F-15098r6_fix

Assign a privilege level to the emergency account to allow the administrator to perform necessary administrative functions when the authentication server is not online.

b
The network devices OOBM interface must be configured with an OOBM network address.
Medium - V-17821 - SV-19075r4_rule
RMF Control
Severity
M
CCI
Version
NET0991
Vuln IDs
  • V-17821
Rule IDs
  • SV-19075r4_rule
The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-19238r5_chk

Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.

Fix: F-17736r2_fix

Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.

b
The network devices management interface must be configured with both an ingress and egress ACL.
Medium - V-17822 - SV-19076r4_rule
RMF Control
Severity
M
CCI
Version
NET0992
Vuln IDs
  • V-17822
Rule IDs
  • SV-19076r4_rule
The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network device will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-19239r5_chk

Step 1: Verify the managed interface has an inbound and outbound ACL or filter. Step 2: Verify the ingress ACL blocks all transit traffic--that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. Step 3: Verify the egress ACL blocks any traffic not originated by the managed element. If management interface does not have an ingress and egress filter configured and applied, this is a finding.

Fix: F-17737r2_fix

If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.

a
The management interface must be configured as passive for the IGP instance deployed in the managed network.
Low - V-17823 - SV-19077r3_rule
RMF Control
Severity
L
CCI
Version
NET0993
Vuln IDs
  • V-17823
Rule IDs
  • SV-19077r3_rule
The OOBM access switch will connect to the management interface of the managed network devices. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network devices will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic; thereby, providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic, both data plane and control plane, does not leak into the managed network and that production traffic does not leak into the management network.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-19240r7_chk

Review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. If the management interface is not configured to be passive for IGP instances, this is a finding.

Fix: F-17738r2_fix

Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.

b
The network device must have control plane protection enabled.
Medium - V-19188 - SV-21027r3_rule
RMF Control
Severity
M
CCI
Version
NET0966
Vuln IDs
  • V-19188
Rule IDs
  • SV-21027r3_rule
The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages. In addition to control plane and management plane traffic that is in the router's receive path, the RP must also handle other traffic that must be punted to the RP--that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.) have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-23115r5_chk

Determine if control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class. If the device doesn't have any control plane protection configured on the device, this is a finding.

Fix: F-19812r1_fix

Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.

a
Network devices must use at least two NTP servers to synchronize time.
Low - V-23747 - SV-28651r4_rule
RMF Control
Severity
L
CCI
Version
NET0812
Vuln IDs
  • V-23747
Rule IDs
  • SV-28651r4_rule
Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.System AdministratorInformation Assurance OfficerECSC-1
Checks: C-3581r5_chk

Review the configuration and verify two NTP servers have been defined. If the device is not configured to use two separate NTP servers, this is a finding.

Fix: F-3044r2_fix

Configure the device to use two separate NTP servers.

c
The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.
High - V-30939 - SV-40981r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-010
Vuln IDs
  • V-30939
Rule IDs
  • SV-40981r1_rule
An IPSec Security Associations (SA) is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. With manual configuration of the IPSec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPSec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA which could result in a rouge device establishing an IPSec SA with either of the VPN end points. IKE provides primary authentication to verify the identity of the remote system before negotiation begins. IKE also enables anti-replay services and will establish a lifetime for each IPSec session. These features are lost when the IPSec security associations are manually configured which results in a non-terminating session using static pre-shared keys. Information Assurance OfficerECSC-1
Checks: C-39599r2_chk

Review the VPN gateway configuration to determine if there are any IPSec crypto maps enabled in manual mode. The crypto map will specify that it is manual and will define the remote peer, what traffic is to be protected, as well as the cipher key and encryption algorithm to be used for encrypting the IP packets.

Fix: F-34748r1_fix

Configure the VPN gateway to use IKE for establishing all IPSec security associations. An ISAKMP policy must be configured to define the IKE security association which will include the peer, the authentication method, encryption suite, and Diffie-Hellman group.

c
The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.
High - V-30941 - SV-40983r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-020
Vuln IDs
  • V-30941
Rule IDs
  • SV-40983r1_rule
Both IPSec endpoints must authenticate each other to ensure the identity of each by additional means besides an IP address which can easily be spoofed. The objective of IPSec is to establish a secured tunnel with privacy between the two endpoints traversing an IP backbone network. In the case of teleworkers accessing the enclave using a laptop configured with an IPSec software client, the secured path will also traverse the Internet. The secured path will grant the remote site or client access to resources within the private network; thereby establishing a level of trust. Hence, it is imperative that some form of authentication is used prior to establishing an IPSec session for transporting data to and from the enclave from a remote site.Information Assurance OfficerECSC-1
Checks: C-39601r1_chk

Review the VPN gateway configuration to determine if either username/password or certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.

Fix: F-34751r1_fix

Configure the VPN gateway to authenticate the remote end-point prior to establishing an IPSec session. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.

b
The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.
Medium - V-30943 - SV-40985r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-030
Vuln IDs
  • V-30943
Rule IDs
  • SV-40985r1_rule
Using shared secrets between two IPSec endpoints is easy to implement but are also easy to compromise. Regardless of the strength of the password, they can be cracked using software tools that are readily available. Furthermore, implementation using shared secrets is not scalable since all VPN gateways and software clients would need to be configured with the shared secrets. In addition, there cannot be a preshared key for every user because the VPN gateway server does not know the client’s identity (the IP address is commonly used). Hence, remote users must use a group-based preshared key for authentication. When an individual leaves the group, changing the key must be coordinated with the other users of the group. PKI mitigates the risk involved with group passwords because each user has a certificate. PKI offers a scalable way to authenticate all IPSec endpoints in a secure manner. Every VPN gateway or remote client that needs to participate in IPSec VPN is issued a digital certificate by the Certification Authority (CA). The digital certificate binds the identity information of a VPN gateway (e.g., hostname or IP address) to the device’s public key by means of digital signature. This involves the use of public key cryptography algorithms, such as RSA. Based on this binding, any device that trusts the CA certificate, i.e., trusts the signature of the CA, would accept the identity inside the signed certificate. This model enables all VPN gateways and clients that trust the same CA to authenticate each other. Information Assurance OfficerECSC-1
Checks: C-39603r1_chk

Review the VPN gateway configuration to determine if certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.

Fix: F-34752r1_fix

Configure the VPN gateway to use certificate-based authentication for IPSec peers and clients. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.

b
The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.
Medium - V-30944 - SV-40986r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-040
Vuln IDs
  • V-30944
Rule IDs
  • SV-40986r1_rule
When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued a certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA’s identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so that trust in the user’s key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer’s certificate with the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer’s certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized. Information Assurance OfficerECSC-1
Checks: C-39605r2_chk

Review the VPN gateway configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the gateway has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled and received a certificate from a trusted CA. A remote end-point’s certificate will always be validated by the gateway by verifying the signature of the CA on the certificate using the CA’s public key, which is contained in the gateways certificate it received at enrollment.

Fix: F-34753r2_fix

Configure the VPN gateway to enroll with a DoD-approved Certificate Authority.

b
The VPN gateway server must enforce a policy to the software client to disallow the remote client from being able to save the logon password locally on the remote PC.
Medium - V-30945 - SV-40987r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-250
Vuln IDs
  • V-30945
Rule IDs
  • SV-40987r1_rule
Enabling the password save function requires users to only enter their password once when establishing the VPN tunnel. After that the software client will automatically re-enter the password when prompted for credentials by the VPN gateway.Information Assurance OfficerECSC-1
Checks: C-39604r1_chk

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client allows the users to save their logon password locally on the remote PC. Note: This vulnerability is only applicable if certificate-based authentication is not implemented.

Fix: F-34754r1_fix

Configure the ISAKMP client configuration groups used to push policy to remote software clients to disable the ability for users to save their logon password locally on the remote PC.

b
The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.
Medium - V-30946 - SV-40988r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-240
Vuln IDs
  • V-30946
Rule IDs
  • SV-40988r1_rule
All software remote clients must present a DoD approved warning banner prior allowing access to VPN. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the network is subject to monitoring to detect unauthorized usage. Failure to display the required warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. DoD CIO has issued new, mandatory policy standardizing the wording of “notice and consent” banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.Information Assurance OfficerECSC-1
Checks: C-39606r5_chk

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client will display a DoD approved warning banner prior to allowing access to the VPN. Verify either Option A or Option B (for clients with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the client is incapable of displaying the required banner verbiage due to its size or the server is limited as to the banner to push to the client, a smaller banner must be used. The mandatory verbiage follows:“I've read & consent to terms in IS user agreem't.”

Fix: F-34755r1_fix

Configure the ISAKMP client configuration groups used to push policy to remote software clients to display a DoD approved warning banner prior to allowing access to the VPN.

b
The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.
Medium - V-30947 - SV-40989r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-050
Vuln IDs
  • V-30947
Rule IDs
  • SV-40989r1_rule
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPSec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPSec security association will not be established for the remote end-point.Information Assurance OfficerECSC-1
Checks: C-39608r1_chk

Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate.

Fix: F-34758r1_fix

Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.

b
The VPN gateway server must enforce a policy to the remote software client to check for the presence of a personal firewall before enabling access to the VPN.
Medium - V-30948 - SV-40990r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-230
Vuln IDs
  • V-30948
Rule IDs
  • SV-40990r1_rule
The security posture of the remote PC connecting to the enclave via VPN is vital to the overall security of the enclave. While on-site hosts are behind the enclave’s perimeter defense, a remote PC is not and therefore is exposed to many vulnerabilities existing in the Internet when connected to a service provider via dial-up or broadband connection. Though it is policy to have a firewall installed on the remote PC according to the Secure Remote Computing Endpoint STIG (SRC-EPT-405), it is imperative the VPN gateway enforce the policy to the software client to verify the firewall is active prior to enabling access to the VPN.Information Assurance OfficerECSC-1
Checks: C-39607r1_chk

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client will check for the presence of a personal firewall before enabling access to the VPN.

Fix: F-34757r1_fix

Configure the ISAKMP client configuration groups used to push policy to remote software clients to check for the presence of a personal firewall before enabling access to the VPN.

c
The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.
High - V-30950 - SV-40992r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-060
Vuln IDs
  • V-30950
Rule IDs
  • SV-40992r1_rule
Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore, MD5 is considered cryptographically broken and should be not be used—and certainly not for security-based services relying on collision resistance. Using a weak hash algorithm such as MD5 could enable a rogue device to discover the authentication key enabling it to establish an Internet Key Exchange (IKE) Security Association with either of the VPN end points. Hence, Secure Hash Algorithm (SHA) must be used for IKE cryptographic hashing operations required for authentication and integrity verification.Information Assurance OfficerECSC-1
Checks: C-39610r1_chk

Examine all ISAKMP policies configured on the VPN gateway to determine what hash algorithm is being used for establishing an IKE Security Association.

Fix: F-34760r1_fix

Configure all ISAKMP policies to use SHA for IKE cryptographic hashing operations.

b
The VPN gateway server must enforce a no split-tunneling policy to all remote clients.
Medium - V-30951 - SV-40993r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-220
Vuln IDs
  • V-30951
Rule IDs
  • SV-40993r1_rule
A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPSec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPSec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.Information Assurance OfficerECSC-1
Checks: C-39609r1_chk

Review the ISAKMP client configuration groups used to push policy to remote clients and determine if split tunneling is allowed. Split tunneling is commonly enabled by specifying an access control list within the client’s group policy. The access control list specifies what traffic flows are protected; hence, any traffic to destinations not declared in the access control list is forwarded outside of the IPSec tunnel by the remote client. If there is no access control list specified within a client configuration group, then packets for all destinations are transported within the IPSec tunnel.

Fix: F-34759r1_fix

Disable split tunneling on all ISAKMP client configuration groups.

c
The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.
High - V-30952 - SV-40994r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-070
Vuln IDs
  • V-30952
Rule IDs
  • SV-40994r1_rule
While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus that it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. To ensure the privacy of the IKE session responsible for establishing the security association and key exchange for an IPSec tunnel, it is imperative that AES is used for encryption operations.Information Assurance OfficerECSC-1
Checks: C-39612r1_chk

Examine all ISAKMP policies configured on the VPN gateway to determine what encryption algorithm is being used for establishing an IKE Security Association.

Fix: F-34762r1_fix

Configure all ISAKMP policies to use AES for IKE cryptographic encryption operations.

b
The VPN gateway peer at a remote site must receive all ingress traffic and forward all egress traffic via the IPSec tunnel or other provisoned WAN links connected to the central or remote site.
Medium - V-30953 - SV-40995r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-210
Vuln IDs
  • V-30953
Rule IDs
  • SV-40995r1_rule
A VPN gateway peer at the remote site provides connectivity to the central or other remote sites belonging to the enclave via an IPSec tunnel across an IP backbone network such as the NIPRNet. This creates an extension or Intranet for the enclave using IPSec tunnels in lieu of traditional or legacy WAN services (T carrier, ATM, frame relay, etc). Unless the remote site has the required enclave perimeter defense (firewall, IPS, deny by default, etc), it is imperative that all inbound and outbound traffic traverse only the IPSec tunnels or other provisioned WAN links connecting the remote site to other sites belonging to the enclave. In other words, no packets can leak out an external-facing interface as “native” IP traffic into an IP backbone (i.e. NIPRNet, Internet). In addition, the external interface must not receive any traffic that is not secured by an IPSec tunnel or other provisioned WAN links connected to the central or remote site. This not only ensures that inbound and outbound traffic does not bypass the enclave’s perimeter defense, but also eliminates any backdoor connection. Information Assurance OfficerECSC-1
Checks: C-39613r2_chk

Review the remote VPN gateway interface configurations. All external-facing interfaces connected to an IP backbone network (i.e. NIPRNet) must have an IPSec crypto map bound to it or be the source of an IPSec-protected virtual tunnel interface. All inbound traffic must either map to a crypto map bound to a physical interface or be received via the virtual tunnel interface. Likewise, all outbound traffic must either map to a crypto map bound to a physical interface or be forwarded via the virtual tunnel interface. The remote VPN client can have WAN links connecting to other remote sites and the central sites. Traffic traversing these links does not need to be encrypted as they are part of the enclave’s private network.

Fix: F-34763r3_fix

Configure the VPN gateway at the remote site to ensure it receives all ingress traffic and forward all egress traffic via the IPSec tunnel. All inbound and outbound traffic must be considered interesting traffic for the IPSec crypto maps bound to the external interfaces. If IPSec-protected virtual tunnel interfaces are configured, all traffic must flow through them or other provisioned WAN links connecting the remote site to other sites belonging to the enclave.

b
The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclaves perimeter defense mechanisms deployed for egress traffic.
Medium - V-30954 - SV-40996r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-200
Vuln IDs
  • V-30954
Rule IDs
  • SV-40996r1_rule
Packets from a remote client destined outbound must be inspected and proxied the same as any other traffic that will egress the enclave. Otherwise, there is the risk that the return traffic that will ingress the IPSec tunnel could compromise the remote client and possibly the remote LAN. This scenario can exist with a VPN-on-a-stick implementation that allows traffic to u-turn—that is, traffic from the remote site that traverses the IPSec tunnel is immediately forwarded out the same interface towards the NIPRNet and Internet with no upstream firewall. If a remote LAN is breached, the entire enclave could be exposed via the secured tunnel or any other provisioned link between the compromised remote LAN and other remote sites and the central site. Hence, it is imperative that traffic from the remote site that is destined outbound does not bypass the applicable inspection and proxy services deployed for the enclave’s perimeter defense. Information Assurance OfficerECSC-1
Checks: C-39614r3_chk

Deploying the VPN gateway within a DMZ or service network will eliminate any risks associated with u-turn traffic. The traffic exiting the IPSec tunnel leaving the DMZ destined to either the private network or the NIPRNet/Internet will have to pass through the DMZ firewall and therefore, be subject to the applicable policy. If the VPN gateway is a firewall, which could be either on or outside the DMZ, review the configuration and verify it is not allowing traffic received from the IPSec tunnel to u-turn back out towards the NIPRNet/Internet. To allow traffic to u-turn, the firewall would have to be configured to NAT for the pool of remote client addresses on the outside interface (PAT the same global address), as well as a configuration statement to allow traffic to egress out the same interface in which the IPSec tunnel terminates—most implementations do not allow this by default. If the firewall is configured to allow a u-turn, then there must be another firewall upstream to inspect this outbound traffic or the traffic must be forwarded (policy based routed) towards the firewall or applicable proxy to perform the stateful inspection.

Fix: F-34764r2_fix

Deploy the VPN gateway within a DMZ or configure the device to not permit u-turn traffic. If it must allow u-turn traffic, then deploy a firewall upstream to inspect the outbound traffic.

c
IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.
High - V-30955 - SV-40997r2_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-190
Vuln IDs
  • V-30955
Rule IDs
  • SV-40997r2_rule
RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic user interface suites for deploying IPSec. Each suite provides choices for Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level.Information Assurance OfficerECSC-1
Checks: C-39615r1_chk

Review all transform sets defined in IPSec profiles and crypto maps used for securing classified traffic to determine if they are compliant with Suite B requirements. According to NIST, AES with 128-bit keys, SHA-256, and ECDH and ECDSA using the 256-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to SECRET level. AES with 356-bit keys, SHA-384, and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to TOP SECRET level. Note: During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

Fix: F-34765r1_fix

Configure transform sets used for transporting classified packets to be compliant with Suite B requirements.

b
The VPN gateway must enable anti-replay for all IPSec security associations.
Medium - V-30956 - SV-40998r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-180
Vuln IDs
  • V-30956
Rule IDs
  • SV-40998r1_rule
Replay attack is a type of injection attack when an IPSec packet is captured by an attacker and re-inserts it into the legitimate flow to disrupt service or create undesired behavior. IPSec anti-replay service can mitigate a replay attack by running sequence numbers for each end of the tunnel and incrementing it for each packet sent. If a packet that is received does not have the expected sequence number, it is dropped. Information Assurance OfficerECSC-1
Checks: C-39616r1_chk

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine if anti-replay is enabled. If anti-replay is not configured, determine if the feature is enabled by default.

Fix: F-34766r2_fix

Enable anti-replay on all IPSec security associations either within IPSec profiles or as a global command.

a
The VPN gateway must use IKE main mode for the purpose of negotiating an IPSec security association policy when pre-shared keys are used for authentication
Low - V-30957 - SV-40999r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-080
Vuln IDs
  • V-30957
Rule IDs
  • SV-40999r1_rule
Aggressive mode is completed using only three messages instead of the six used in main mode. Essentially, all the information needed to generate the Diffie-Hellman secret is exchanged in the first two messages exchanged between the two peers. The identity of the peer is also exchanged in the first two packets which have been sent in the clear. There are risks to configurations that use pre-shared keys which are exaggerated when aggressive mode is used. The entire session may be intercepted and manipulated. An adversary can either use a pre-shared key to impersonate a trusted end-point or client and connect to the protected network, or it can mount a Man-in-the-Middle attack on any new session.Information Assurance OfficerECSC-1
Checks: C-39617r2_chk

Examine all ISAKMP profiles configured on the VPN gateway to verify aggressive mode has not been defined for IKE Phase 1 Security Association. Aggressive mode could also be configured globally which would make it applicable to all IKE sessions.

Fix: F-34767r2_fix

Configure the VPN gateway to ensure aggressive mode is disabled for all IKE Phase 1 security associations.

a
The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 1.
Low - V-30959 - SV-41001r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-090
Vuln IDs
  • V-30959
Rule IDs
  • SV-41001r1_rule
Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. IKE uses DH to create keys used to encrypt both the Internet Key Exchange (IKE) and IPSec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. The DH group is configured as part of the IKE Phase 1 key exchange settings. DH public key cryptography is used by all major VPN gateways, supporting DH groups 1, 2, and 5. DH group 1 consists of a 768 bit modulus, group 2 consists of 1024 bit modulus, and group 5 uses a 1536 bit modulus. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be. Information Assurance OfficerECSC-1
Checks: C-39619r1_chk

Examine all ISAKMP policies configured on the VPN gateway to determine what Diffie-Hellman group is being used. Verify Group 2 or larger has been configured. If the group has not been configured, determine what the default for the VPN gateway is or enter the appropriate show command to display the policies. Group 1 is the default for many VPN gateways.

Fix: F-34769r1_fix

Configure the VPN gateway to ensure Diffie-Hellman Group 2 or larger is used.

b
The VPN gateway must specify Perfect Forward Secrecy during IKE negotiation.
Medium - V-30960 - SV-41002r1_rule
RMF Control
Severity
M
CCI
Version
NET-VPN-100
Vuln IDs
  • V-30960
Rule IDs
  • SV-41002r1_rule
The Internet Key Exchange (IKE) Phase-2 (Quick Mode) Security Association (SA) is used to create an IPSec session key. Hence, its rekey or key regeneration procedure is very important. The Phase-2 rekey can be performed with or without Perfect Forward Secrecy (PFS). With PFS, every time a new IPSec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce from Phase 1) for generating a new IPSec session key. If PFS is not used, the IPSec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. The DH exchange is performed in the same manner as was done in Phase 1 (Main or Aggressive Mode). However, the Phase-2 exchange is protected by encrypting the Phase-2 packets with the key derived from the Phase-1 negotiation. Because DH negotiations during Phase-2 are encrypted, the new IPSec session key has an added element of secrecy. Information Assurance OfficerECSC-1
Checks: C-39621r2_chk

Review the VPN gateway configuration to determine if Perfect Forward Secrecy (PFS) is enabled. For most platforms, PFS is enabled by default. Examine all ISAKMP profiles and crypto maps to verify PFS is enabled.

Fix: F-34771r1_fix

Configure the VPN gateway to ensure PFS is enabled.

a
The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.
Low - V-30961 - SV-41003r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-170
Vuln IDs
  • V-30961
Rule IDs
  • SV-41003r1_rule
When a VPN gateway creates an IPSec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPSec endpoint inactivity which could result in the gateway’s inability to create new SAs for other endpoints; thereby, preventing new sessions from connecting. The IPSec SA idle timer allows SAs associated with inactive endpoints to be deleted before the SA lifetime has expired.Information Assurance OfficerECSC-1
Checks: C-39620r2_chk

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured idle time. The idle time value must be 1 hour or less. If idle time is not configured, determine the default used by the gateway.

Fix: F-34770r1_fix

Configure an idle time value of 1 hour or less for all IPSec security associations either within IPSec profiles or as a global command.

a
The VPN gateway must implement IPSec security associations that terminate within 8 hours or less.
Low - V-30962 - SV-41004r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-160
Vuln IDs
  • V-30962
Rule IDs
  • SV-41004r1_rule
The IPSec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the life time of the IPSec Security Association, the longer the life time of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPSec peers to have to renegotiate IKE Phase II more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IPSec SA lifetime terminates within 8 hours.Information Assurance OfficerECSC-1
Checks: C-39622r1_chk

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured lifetime. The lifetime value must be 8 hours or less. If they are not configured, determine the default that used by the gateway.

Fix: F-34772r1_fix

Configure a lifetime value of 8 hours or less for all IPSec security associations either within IPSec profiles or as a global command.

a
The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 2.
Low - V-30963 - SV-41005r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-110
Vuln IDs
  • V-30963
Rule IDs
  • SV-41005r1_rule
Diffie-Hellman (DH) is a public -key cryptography scheme allowing two parties to establish a shared secret over an insecure communications channel. IKE uses Diffie-Hellman to create keys used to encrypt both the Internet Key Exchange (IKE) and IPSec communication channels. The process works by two peers both generating a private and a public key and then exchanging their public keys with each other. The peers produce the same shared secret by using each other’s public key and their own private key using the DH algorithm. With Perfect Forward Secrecy (PFS), every time a new IPSec SA is negotiated during the Quick Mode, a new DH exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce from Phase 1) for generating a new IPSec session key. If PFS is not used, the IPSec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. Information Assurance OfficerECSC-1
Checks: C-39623r3_chk

Review the VPN gateway configuration to determine if Perfect Forward Secrecy (PFS) is enabled. If PFS is enabled, it must use DH Group 2. For most platforms, PFS is enabled by default using DH Group 1. Examine all ISAKMP profiles and crypto maps to verify PFS is enabled using DH Group 2.

Fix: F-34773r1_fix

Configure the VPN gateway to ensure Diffie-Hellman Group 2 or larger is used when enabling PFS.

c
The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.
High - V-30964 - SV-41006r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-150
Vuln IDs
  • V-30964
Rule IDs
  • SV-41006r1_rule
Encapsulating Security Payload (ESP) is the feature in the IPSec architecture providing confidentiality, data origin authentication, integrity, and anti-replay services. ESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPSec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted; whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPSec gateways, or between an IPSec gateway and an end-station running IPSec software. Hence, it is the only method to provide secured path to transport traffic between remote sites or end-stations and the central site.Information Assurance OfficerECSC-1
Checks: C-39624r2_chk

Review all transform sets defined in IPSec profiles and crypto maps and verify ESP tunnel mode has been specified. If the mode is not configured, determine the default for the VPN gateway.

Fix: F-34774r1_fix

Configure all IPSec transform sets to use ESP tunnel mode.

a
The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.
Low - V-30965 - SV-41007r1_rule
RMF Control
Severity
L
CCI
Version
NET-VPN-120
Vuln IDs
  • V-30965
Rule IDs
  • SV-41007r1_rule
The Security Association (SA) and its corresponding key will expire after the number of seconds has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure a new SA is ready for use when the old one expires. The longer the life time of the Internet Key Exchange (IKE) Security Association, the longer the life time of the key used for the IKE session, which is the control plane for establishing IPSec Security Associations. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter IKE lifetime causes IPSec peers to have to renegotiate IKE more often resulting in the expenditure of additional resources. Nevertheless, it is imperative the IKE SA lifetime terminates within 24 hours or less.Information Assurance OfficerECSC-1
Checks: C-39625r1_chk

Review all ISAKMP policies configured on the VPN gateway and examine the configured lifetime. The lifetime value must be 24 hours or less. If they are not configured, determine the default that used by the gateway.

Fix: F-34776r1_fix

Configure a lifetime value of 24 hours or less for all ISAKMP polices.

c
The VPN gateway must use AES for IPSec cryptographic encryption operations required to ensure privacy of the IPSec session.
High - V-30966 - SV-41008r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-140
Vuln IDs
  • V-30966
Rule IDs
  • SV-41008r1_rule
While there is much debate about the security and performance of Advance Encryption Standard (AES), there is a consensus it is significantly more secure than any of the algorithms supported by IPSec implementations today. AES is available in three key sizes: 128, 192 and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES. Hence, AES must be used to ensure the privacy of the IPSec tunnel. Information Assurance OfficerECSC-1
Checks: C-39626r3_chk

Review all transform sets defined in IPSec profiles and crypto maps and verify that AES has been enabled for performing cryptographic encryption operations.

Fix: F-34775r2_fix

Configure all IPSec transform sets to use AES for performing cryptographic encryption operations.

c
The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.
High - V-30967 - SV-41009r1_rule
RMF Control
Severity
H
CCI
Version
NET-VPN-130
Vuln IDs
  • V-30967
Rule IDs
  • SV-41009r1_rule
Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision. For a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore MD5 is considered cryptographically broken and should not be used—and certainly not for security-based services relying on collision resistance. Hence Secure Hash Algorithm (SHA) must be used for IPSec cryptographic hashing operations required for authentication and integrity verification.Information Assurance OfficerECSC-1
Checks: C-39627r2_chk

Review all transform sets defined in IPSec profiles and crypto maps and verify SHA has been enabled for performing cryptographic hashing operations.

Fix: F-34777r1_fix

Configure all IPSec transform sets to use SHA for performing cryptographic hashing operations.

b
Network devices must authenticate all BGP peers within the same or between autonomous systems (AS).
Medium - V-31285 - SV-41553r3_rule
RMF Control
Severity
M
CCI
Version
NET0408
Vuln IDs
  • V-31285
Rule IDs
  • SV-41553r3_rule
As specified in RFC 793, TCP utilizes sequence checking to ensure proper ordering of received packets. RFC 793 also specifies that RST (reset) control flags should be processed immediately, without waiting for out of sequence packets to arrive. RFC 793 also requires that sequence numbers are checked against the window size before accepting data or control flags as valid. A router receiving an RST segment will close the TCP session with the BGP peer that is being spoofed; thereby, purging all routes learned from that BGP neighbor. A RST segment is valid as long as the sequence number is within the window. The TCP reset attack is made possible due to the requirements that Reset flags should be processed immediately and that a TCP endpoint must accept out of order packets that are within the range of a window size. This reduces the number of sequence number guesses the attack must make by a factor equivalent to the active window size. Each sequence number guess made by the attacker can be simply incremented by the receiving connections window size. The BGP peering session can protect itself against such an attack by authenticating each TCP segment. The TCP header options include an MD5 signature in every packet and are checked prior to the acceptance and processing of any TCP packet--including RST flags. One way to create havoc in a network is to advertise bogus routes to a network. A rogue router could send a fictitious routing update to convince a BGP router to send traffic to an incorrect or rogue destination. This diverted traffic could be analyzed to learn confidential information of the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks. An autonomous system can advertise incorrect information by sending BGP updates messages to routers in a neighboring AS. A malicious AS can advertise a prefix originated from another AS and claim that it is the originator (prefix hijacking). Neighboring autonomous systems receiving this announcement will believe that the malicious AS is the prefix owner and route packets to it.ECSC-1
Checks: C-12685r2_chk

Review the device configuration to determine if authentication is being used for all peers. A password or key should be defined for each BGP neighbor regardless of the autonomous system the peer belongs. Most vendors' command lines use a neighbor statement or keyword to specify a BGP peer. If BGP peers are not authenticated, this is a finding.

Fix: F-14123r2_fix

Configure the device to authenticate all BGP peers.