Inspect the configuration of the VPN or RAS gateway and verify that it does not provide NAT services to the remote access endpoints.
Ensure that the remote access gateway is not configured to provide NAT services for remote access connections.
Review the PKI certificate menu in the device configuration to see if DoD PKI has been implemented. The certificate used will contain "DoD" in its issuer or subject. If a certificate is used but it is not DoD-approved, this is a finding.
If PKI is used for device authentication, ensure that a DoD-approved certificate is installed. If the device does not have the option to replace the default manufacturer certificate, then the product should be replaced.
Ask if digital certificates are generated by the remote access gateway for device authentication. Examine the authentication configuration using the management interface of the remote access gateway. Verify that the key length and hashing algorithm used conform to DoD requirements.
If digital certificates are generated by the remote access solution for device authentication, then the key length and hashing algorithm used must conform to DoD requirements.
Work with the system administrator to verify that device authentication is implemented. Also, verify that mutual authentication between the remote access gateway and the endpoint is implemented.
Ensure device authentication and mutual authentication between the remote access gateway and the endpoint are implemented.
View the vendor documentation or device configuration to verify that the device is capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.
Ensure all devices which provide remote access services are capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.
Verify that an authentication server is required to access the remote access server by reviewing the currently running configuration. The remote access server will be configured to redirect user authentication requests to the authentication server.
The system administrator will configure the TACACS+, RADIUS or Diameter server with remote access accounts and user passwords. The remote access server will be configured to redirect user authentication requests to the authentication server.
Review the remote access gateway (RAS or VPN) configuration. Verify that resources and privileges are assigned to groups, not to individual users. Verify that the user groups are defined on the authentication server unless this is not technologically feasible.
Ensure the default network access control policy is modified to restrict remote access based on group policy rather than configured for each individual user.
Work with the SA to examine the RAS. Verify that the setting for the number of concurrent end user remote sessions is not set to a value that means unlimited. The value set should be reasonable based on local policy.
Ensure the setting for the number of concurrent end user remote sessions is set to a reasonable value and is not unlimited.
Work with the SA to examine the policies for the host integrity setting. Ensure there are settings and policies applicable to the listed compliance areas. Verify the following settings:
- Sensitivity of information accessed, such as public, non-public, administrator, classified;
- Authentication method used (PKI, password, open);
- User identification and authorization;
- Type of user, such as mobile, teleworker from home, remote DoD site enclave user, or contractor site;
- Endpoint type and location (laptop, PDA, virtual, managed/unmanaged);
- Other (browser type, day/time, accessed resource type).
Ensure remote access host integrity check is compliant.
Interview the site representative and review network or operating system SRR or self-assessment documentation.
Ensure remote users do not have permissions to access databases, files, and configuration management applications resident on the remote access gateway.
Interview the IAO and examine the configuration of a VPN client.
Implement tunnel-all mode.
Visually inspect the VPN gateway to verify that the VPN device is configured with two interfaces. NOTE: Remote users use the external interface while internal communications are sent using the internal interface; traffic must not pass directly between the two without going through the VPN policy.
Ensure the VPN gateway is configured with two interfaces and does not allow direct communication.
Inspect the configuration of the firewall or the remote access gateway. Verify that the TLS protocol is used.
Ensure that the remote access gateway and the clients are using a secure protocol (e.g., TLS).
Inspect the configuration by viewing the VPN configuration screen on the management workstation. Verify the VPN attributes are compliant. NOTE: The channel will be configured for the phase one IKE exchange type. Additionally, the following will be configured: a FIPS 140-2 encryption algorithm (e.g., AES); a FIPS-compliant integrity protection algorithm (e.g., HMAC-SHA-1); and digital signatures or PKI as the authentication method.
Ensure the IPsec VPN is configured as required by the policy.
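The phase one attributes above (FIPS encryption, FIPS integrity, signature-based authentication) are easy to read off a single policy, but a gateway usually carries several, and on Cisco IOS any attribute a policy omits silently falls back to a default (DES encryption, SHA hash, RSA signatures, DH group 1). The following script is an added example, not part of this STIG or any vendor tool: it parses `crypto isakmp policy` blocks from a constructed IOS-style running configuration, fills in the IOS defaults, and reports which policies fail the phase one requirements. Accepting `sha` mirrors the HMAC-SHA-1 example in the check text; the DH group floor of 14 is an assumption chosen for the example.

```python
import re
from typing import Dict, List

# Cisco IOS applies these defaults to any attribute a `crypto isakmp policy`
# block leaves out, so an empty policy is a DES / SHA / RSA-sig / group 1 policy.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Values that satisfy the STIG phase one requirements.
APPROVED_ENCR = {"aes", "aes 192", "aes 256"}          # FIPS 140-2 encryption
APPROVED_HASH = {"sha", "sha256", "sha384", "sha512"}   # FIPS integrity (page example: HMAC-SHA-1)
APPROVED_AUTH = {"rsa-sig", "ecdsa-sig"}                # digital signatures / PKI, never pre-share
MIN_DH_GROUP = 14                                       # assumption for this example: 2048-bit MODP


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for each ISAKMP policy block,
    with IOS defaults filled in for attributes the block does not set."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_ISAKMP_DEFAULTS)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the policy body
            continue
        attr = re.match(r"(encryption|encr|hash|authentication|group|lifetime)\s+(.+)$", line)
        if attr:
            key = "encr" if attr.group(1) == "encryption" else attr.group(1)
            policies[current][key] = attr.group(2).strip()
    return policies


def audit_policy(attrs: Dict[str, str]) -> List[str]:
    """Return the findings for one policy; an empty list means compliant."""
    findings = []
    if attrs["encr"] not in APPROVED_ENCR:
        findings.append(f"encryption '{attrs['encr']}' is not FIPS 140-2 approved (use AES)")
    if attrs["hash"] not in APPROVED_HASH:
        findings.append(f"hash '{attrs['hash']}' is not FIPS approved (use the SHA family)")
    if attrs["authentication"] not in APPROVED_AUTH:
        findings.append(f"authentication '{attrs['authentication']}' is not digital-signature/PKI based")
    if int(attrs["group"]) < MIN_DH_GROUP:
        findings.append(f"DH group {attrs['group']} is below group {MIN_DH_GROUP}")
    return findings


def audit_config(config: str) -> Dict[int, List[str]]:
    """Audit every ISAKMP policy in a running configuration."""
    return {prio: audit_policy(attrs) for prio, attrs in parse_isakmp_policies(config).items()}


# Constructed sample configuration: policy 10 is weak on every attribute,
# policy 20 is compliant, policy 30 looks fine but omits `encr` and so
# inherits the DES default.
SAMPLE_CONFIG = """\
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
!
crypto isakmp policy 30
 hash sha256
 authentication rsa-sig
 group 14
!
crypto isakmp key S3cret address 0.0.0.0
"""

if __name__ == "__main__":
    for prio, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        status = "compliant" if not findings else "FINDING"
        print(f"crypto isakmp policy {prio}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The script covers IKEv1 phase one only, which is what the check's "phase one IKE exchange" note describes; IKEv2 on IOS uses `crypto ikev2 proposal` / `crypto ikev2 policy` with different syntax and defaults, and other vendors' CLIs differ again. The defaults table is the part to get right for any platform: a policy that is silently DES is the case a visual inspection most often misses.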