View STIG - Remote Access VPN STIG V2R7

a

Network Address Translation (NAT) will not be configured for use with remote access gateways and servers unless there is a means of tracking the remote client's network activity throughout the network.

Low - V-21529 - SV-23743r1_rule

RMF Control

Severity

Low

CCI

Version

SRC-NET-060

Vuln IDs

V-21529

Rule IDs

SV-23743r1_rule

An incorrectly configured remote access gateway may allow unauthorized access to malicious or unauthorized remote users.Information Assurance OfficerECSC-1

Checks: C-23370r1_chk

Inspect the configuration of the VPN or RAS gateway and verify that it is does not provide NAT services to the remote access end points.

Fix: F-22325r1_fix

Ensure that the remote access gateway is not configured to provide NAT services for remote access connections.

b

Where digital certificates are used for device authentication, the remote gateway will use DoD-approved PKI rather than default or proprietary device certificates which are preinstalled by the vendor.

Medium - V-21538 - SV-23753r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-010

Vuln IDs

V-21538

Rule IDs

SV-23753r1_rule

Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1

Checks: C-25810r1_chk

Review the PKI certificate menu in the device configuration to see if DoD PKI has been implement. The certificate used with contain "DoD". If a certificate is used but it is not DoD-approved, this as a finding.

Fix: F-22328r1_fix

If PKI is used for DEVICE authentication then ensure that a DoD approved certificate is installed. If the device does not have the option to replace the default manufacturer certificate, then the product should be replaced.

b

If digital certificates are generated by the remote access gateway for device authentication (e.g., mutual authentication between hosts), the key length and hashing algorithm used must conform to DoD requirements.

Medium - V-21540 - SV-23755r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-020

Vuln IDs

V-21540

Rule IDs

SV-23755r1_rule

Digital certificates which are self-generated are not encouraged but may be unavoidable. If used, then key length and hashing algorithm must conform to DoD standards.Information Assurance OfficerECSC-1

Checks: C-25813r1_chk

Ask if digital certificates are generated by the remote access gateway for device authentication. Examine the authentication configuration using the management interface of the remote access gateway. Verify that the key length and hashing algorithm used conform to DoD requirements.

Fix: F-19932r1_fix

If digital certificates are generated by the remote access solution for device authentication, then the key length and hashing algorithm used must conform to DoD requirements.

a

The remote access solution will be configured to authenticate (DOD PKI preferred) all endpoints requesting access to the network; to include mutual authentication between the remote access server device and the endpoint will be enforced prior to network admission.

Low - V-21541 - SV-23759r1_rule

RMF Control

Severity

Low

CCI

Version

SRC-NET-030

Vuln IDs

V-21541

Rule IDs

SV-23759r1_rule

Remote access is a significant risk to the Enclave. Attackers can engage in remote exploits without traversing the physical security controls often in place at the site. Thus, stringent logical controls are needed to protect DoD assets. Both the device and the user must be both authenticated and authorized prior to allowing access. Device authentication may be performed in several ways but DoD-approved PKI is preferred.Information Assurance OfficerECSC-1

Checks: C-25814r1_chk

Work with the system administrator to verify that device authentication is implemented. Also, verify that mutual authentication between the remote access gateway and the endpoint is implemented.

Fix: F-22329r1_fix

Ensure device authentication and mutual authentication between the remote access gateway and the endpoint is implemented.

c

Network devices configured to provide remote access services (e.g., RAS, VPN gateways, and NAC appliances) will be PK-enabled (as required by DoDD 8520) and will have the capability to generate certificate-signing requests and use DoD-approved PKI digital certificates when available.

High - V-21582 - SV-23841r2_rule

RMF Control

Severity

High

CCI

Version

SRC-NET-040

Vuln IDs

V-21582

Rule IDs

SV-23841r2_rule

Network devices, RAS, and VPN gateways will not use proprietary digital certificates or self-signed mechanisms. These certificates are often generated by the manufacturer and are similar to default passwords. Additionally, DoD requires use of DoD-PKI rather than proprietary certificate structures.Information Assurance OfficerECSC-1

Checks: C-25850r1_chk

View the vendor documentation or device configuration to verify that the device is capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

Fix: F-19145r1_fix

Ensure all devices which provide remote access services are capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

b

The remote access gateway/server will be configured to use an authentication server for user authentication to provide for separation of services.

Medium - V-21583 - SV-23842r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-050

Vuln IDs

V-21583

Rule IDs

SV-23842r1_rule

AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of an access server. These servers centralize user identification, authentication, authorization and monitors the user's network usage. Separation of services provides added assurance to the network if the access control server is compromised.Information Assurance OfficerDCBP-1

Checks: C-25851r1_chk

Verify that an authentication server is required to access the remote access server by reviewing the currently running configuration. The remote access server will be configured to redirect user authentication requests to the authentication server.

Fix: F-19146r1_fix

The system administrator will configure the TACACS+, Radius or Diameter server with remote access accounts and user passwords. The remote access server will be configured to redirect user authentication requests to the authentication server.

b

The default remote access control policy will restrict remote user and device access based on group policy rather than by individual user or device.

Medium - V-21584 - SV-23843r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-070

Vuln IDs

V-21584

Rule IDs

SV-23843r1_rule

The access control policy configuration is the key security control of the remote access solution. This policy should be centralized particulary when multiple remote access control gateways and communications devices are used. Use of a policy server that can service all types of is highly encouraged. This reduces policy complexity, facilitates management of remote access, and reduces the threat posed by inadvertent administration error with access restrictions. Access control should be managed using access groups and placing the users into these groups. RADIUS or Active Directory groups will facilitate single sign-on and make modification of users and resources across the network easier. Information Assurance OfficerECSC-1

Checks: C-25852r1_chk

Review the remote access gateway (RAS or VPN) configuration. Verify that resources and priviledges are assigned to groups not individual users. Verify that the user groups are defined on the authentication server unless not technologically feasible.

Fix: F-22354r1_fix

Ensure the default network access control policy is modified to restrict remote access based on group policy rather than configured for each individual user.

b

The RAS or communications server will be configured to limit the number of concurrent connections from the remote user.

Medium - V-21585 - SV-23844r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-080

Vuln IDs

V-21585

Rule IDs

SV-23844r1_rule

The number of concurrent logins will be limited in order to guard against the potential for Denial of Service attacks. Recommended setting should be based on usage trends and the number of approved remote users in the organization.System AdministratorECSC-1

Checks: C-25853r1_chk

Work with the SA to examine the RAS. Verify the setting for the number of concurrent end user remote sessions is not set to a value which means unlimited. Value set should be reasonable based on local policy.

Fix: F-22355r1_fix

Ensure the setting for the number of conncurrent end user remote sessions is set to a resonable value and is not unlimited.

b

Remote access host integrity checks will incorporate settings and policies as required.

Medium - V-21586 - SV-23845r2_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-090

Vuln IDs

V-21586

Rule IDs

SV-23845r2_rule

The access control policy will be integrated with endpoint security controls. Users accessing from untrusted devices such as kiosks, personaly owned, or unmanaged devices may require active content in the client Web Browser which clears the cache or remove files, cookies, and session information. For example, users detected as accessing from a kiosk may be subjected to a host integrity check prior to authentication in order to guard against keystroke loggers. Consideration should also be taken for emergency and disaster recovery. Remote access for remote reset or for special circumstances should be considered.System AdministratorECSC-1

Checks: C-25854r1_chk

Work with the SA to examine the policies for the host integrity setting. Ensure there are settings and policies applicable to the listed compliance areas. Verify the following settings: - Sensitivity of information accessed such as public, non-public, administrator, classified; - Authentication method used (PKI, password, open); - User identification and authorization; - Type of user such as mobile, teleworker from home, remote DoD site enclave user, or contractor site; - Endpoint type and location (laptop, PDA, virtual, managed/unmanaged; - Other (browser type, day/time, accessed resource type).

Fix: F-22356r1_fix

Ensure remote access host integrity check is compliant.

b

Configure the remote access gateway to prevent remotely connected users from unauthorized access to the local files or host system configuration.

Medium - V-21587 - SV-23846r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-NET-100

Vuln IDs

V-21587

Rule IDs

SV-23846r1_rule

If users are allowed access to system files or configuration applications, they may change the application setting and create a denial of service incident.Information Assurance OfficerECSC-1

Checks: C-25855r1_chk

Interview the site representative and review network or operating system SRR or self-assessment documentation.

Fix: F-19952r1_fix

Ensure remote users do not have permissions to access databases, files, and configuration management applications resident on the remote access gateway.

b

Remote access via VPN technology will be configured for tunnel-all mode so that split-tunneling entering or leaving the enclave boundary is prohibited.

Medium - V-21588 - SV-23847r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-VPN-010

Vuln IDs

V-21588

Rule IDs

SV-23847r1_rule

The VPN software on a host can be configured in either of two modes. It can be set to encrypt all IP traffic originating from that host, and send all of that traffic to the remote IP address of the network gateway. This configuration is called “tunnel-all” mode, because all IP traffic from the host must traverse the VPN tunnel to the remote system, where it will either be processed or further forwarded to additional IP addresses after decryption. Alternately, the VPN software can be set only to encrypt traffic that is specifically addressed to an IP at the other end of the VPN tunnel. All other IP traffic bypasses the VPN encryption and routing process, and is handled by the host as if the VPN relationship did not exist. This configuration is called “split-tunnel” mode, because the IP traffic from the host is split between encrypted packets sent across the VPN tunnel and unencrypted packets sent to all other external addresses. There are security and operational implications in the decision of whether to use split-tunnel or tunnel-all mode. Placing a host in tunnel-all mode makes it appear to the rest of the world as a node on the connected logical (VPN-connected) network. It no longer has an identity to the outside world based on the local physical network. In tunnel-all mode, all traffic between the remote host and any other host can be subject to inspection and processing by the security policy devices of the remote VPN-linked network. This improves the security aspects of the connected network, since it can enforce all security policies on the VPN-connected computer. Information Assurance OfficerECSC-1

Checks: C-25856r1_chk

Interview the IAO and examine the configuration of a VPN client.

Fix: F-22357r1_fix

Implement tunnel-all mode.

b

The VPN gateway will be configured to disallow remote endpoints to communicate directly with other DMZ hosts.

Medium - V-21589 - SV-23848r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-VPN-020

Vuln IDs

V-21589

Rule IDs

SV-23848r1_rule

Pass through communications from remote endpoints may allow network attack through the remote access gateway. To mitigate this risk, the VPN gateway or host will be configured with two interfaces. Remote users use the external interface while internal communications are sent using the internal interface.Information Assurance OfficerECSC-1

Checks: C-25857r1_chk

Visually inspect the VPN gateway to verify that the VPN device is configured. NOTE: The VPN device will be configured with two interfaces. Remote users use the external interface while internal communications are sent using the internal interface.

Fix: F-22358r1_fix

Ensure the VPN gateway is configured with two interfaces and does not allow direct communication.

b

Remote access TLS VPNs will be configured to use a properly configured TLS version.

Medium - V-21590 - SV-23849r1_rule

RMF Control

Severity

Medium

CCI

Version

SRC-VPN-030

Vuln IDs

V-21590

Rule IDs

SV-23849r1_rule

The TLS protocol allows clients and HTTP servers to communicate over a secure connection. It offers encryption, source authentication, and data integrity as means to protect information exchanged over unsecured, public networks. Only TLS is allowed because the manner in which previous version of the protocol used some unapproved cryptographic algorithms for its operation, thus this makes these older verison untrusted.Information Assurance OfficerECSC-1

Checks: C-25858r1_chk

Verify by inspecting the configuration of the firewall or the remote access gateway. Verify the TLS protocol is used.

Fix: F-22359r1_fix

Ensure that remote access gateway and the clients is using a secure protocol.

a

Configure the IPSec VPN gateway for the main mode with digital certificates for secure negotiation of the communications channel, including compliant settings for key exchange and authentication of both ends of the channel.

Low - V-21591 - SV-23850r1_rule

RMF Control

Severity

Low

CCI

Version

SRC-VPN-040

Vuln IDs

V-21591

Rule IDs

SV-23850r1_rule

This configuration will ensure secure negotiation of a secure channel including key exchange, and authentication of both ends resulting in a secure connection over which other IPSec communications can occur. Information Assurance OfficerECSC-1

Checks: C-25859r1_chk

Inpect the configuration by viewing the VPN configuration screen in the management workstaion. Verify the VPN attributes are compliant. NOTE: The channel will be configured for phase one IKE exchange type. Additionally the following have not been configured: FIPS 140-2 encryption algorithm (e.g., AES); Integrity protection algorithm is FIPS compliant (e.g., HMAC-SHA-1); and the Authentication method will be digital signatures or PKI.

Fix: F-22360r1_fix

Ensure tthe IPSEC VPN is configured as requried by the policy.

Remote Access VPN STIG

Compare

View

Checks: C-23370r1_chk

Fix: F-22325r1_fix

Generate Mitigation Statement:

Checks: C-25810r1_chk

Fix: F-22328r1_fix

Generate Mitigation Statement:

Checks: C-25813r1_chk

Fix: F-19932r1_fix

Generate Mitigation Statement:

Checks: C-25814r1_chk

Fix: F-22329r1_fix

Generate Mitigation Statement:

Checks: C-25850r1_chk

Fix: F-19145r1_fix

Generate Mitigation Statement:

Checks: C-25851r1_chk

Fix: F-19146r1_fix

Generate Mitigation Statement:

Checks: C-25852r1_chk

Fix: F-22354r1_fix

Generate Mitigation Statement:

Checks: C-25853r1_chk

Fix: F-22355r1_fix

Generate Mitigation Statement:

Checks: C-25854r1_chk

Fix: F-22356r1_fix

Generate Mitigation Statement:

Checks: C-25855r1_chk

Fix: F-19952r1_fix

Generate Mitigation Statement:

Checks: C-25856r1_chk

Fix: F-22357r1_fix

Generate Mitigation Statement:

Checks: C-25857r1_chk

Fix: F-22358r1_fix

Generate Mitigation Statement:

Checks: C-25858r1_chk

Fix: F-22359r1_fix

Generate Mitigation Statement:

Checks: C-25859r1_chk

Fix: F-22360r1_fix

Generate Mitigation Statement: