Virtual Private Network (VPN) Security Requirements Guide

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2019-07-26

Updated At: 2019-11-11 10:49:10

Findings

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-106179r1_rule SRG-NET-000019-VPN-000040 CCI-001414 MEDIUM The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another en
    SV-106181r1_rule SRG-NET-000041-VPN-000110 CCI-000048 MEDIUM The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard
    SV-106183r1_rule SRG-NET-000042-VPN-000120 CCI-000050 MEDIUM The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD wil
    SV-106185r1_rule SRG-NET-000043-VPN-000130 CCI-001384 MEDIUM The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policie
    SV-106187r1_rule SRG-NET-000049-VPN-000150 CCI-000053 LOW The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has o
    SV-106189r1_rule SRG-NET-000053-VPN-000170 CCI-000054 MEDIUM The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement addr
    SV-106191r1_rule SRG-NET-000062-VPN-000200 CCI-000068 HIGH The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. NIST SP 800-52 provides guidance for client negotiation on either D
    SV-106193r1_rule SRG-NET-000063-VPN-000210 CCI-001453 MEDIUM The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Remote access (e.g., RDP) is access to DoD nonpublic information syst
    SV-106195r1_rule SRG-NET-000063-VPN-000220 CCI-001453 MEDIUM The VPN Gateway must be configured to use IPsec with SHA-1 or greater for hashing to protect the integrity of remote access sessions. Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of
    SV-106197r1_rule SRG-NET-000074-VPN-000250 CCI-000068 HIGH The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group. Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key
    SV-106199r1_rule SRG-NET-000077-VPN-000280 CCI-000130 LOW The VPN Gateway must generate log records containing information to establish what type of events occurred. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. VPN gateways often have a separate audit log for capturing VPN status and other information abo
    SV-106201r1_rule SRG-NET-000078-VPN-000290 CCI-000131 LOW The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. VPN gateways often have a separate audit log for capturing VPN status and other information about the traff
    SV-106203r1_rule SRG-NET-000079-VPN-000300 CCI-001487 MEDIUM The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
    SV-106205r1_rule SRG-NET-000088-VPN-000310 CCI-000132 MEDIUM The VPN Gateway must generate log records containing information to establish where the events occurred. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for securi
    SV-106207r1_rule SRG-NET-000089-VPN-000330 CCI-000133 LOW The VPN Gateway must generate log records containing information to establish the source of the events. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to
    SV-106209r1_rule SRG-NET-000091-VPN-000350 CCI-000134 MEDIUM The VPN Gateway must produce log records containing information to establish the outcome of the events. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network. Event outcomes can include indicators of event suc
    SV-106211r1_rule SRG-NET-000098-VPN-000370 CCI-000162 LOW The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured V
    SV-106213r1_rule SRG-NET-000099-VPN-000380 CCI-000163 MEDIUM The VPN Gateway log must protect audit information from unauthorized modification when stored locally. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. This requirement pertains to securing the VPN log as it is stored locally, on the box tem
    SV-106215r1_rule SRG-NET-000100-VPN-000390 CCI-000164 MEDIUM The VPN Gateway must protect audit information from unauthorized deletion when stored locally. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must
    SV-106217r1_rule SRG-NET-000132-VPN-000450 CCI-000382 MEDIUM The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106219r1_rule SRG-NET-000132-VPN-000460 CCI-000382 MEDIUM The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106221r1_rule SRG-NET-000132-VPN-000470 CCI-000382 MEDIUM The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F. The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. Encryption and authentication are both weak.
    SV-106223r1_rule SRG-NET-000132-VPN-000480 CCI-000382 MEDIUM For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for deliv
    SV-106225r1_rule SRG-NET-000138-VPN-000490 CCI-000764 MEDIUM The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106227r1_rule SRG-NET-000140-VPN-000500 CCI-000766 HIGH The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authenticat
    SV-106229r1_rule SRG-NET-000145-VPN-000510 CCI-001939 MEDIUM The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor
    SV-106231r1_rule SRG-NET-000147-VPN-000520 CCI-001942 MEDIUM The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process
    SV-106233r1_rule SRG-NET-000147-VPN-000530 CCI-001942 MEDIUM The IPsec VPN Gateway must use anti-replay mechanisms for security associations. Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet.
    SV-106235r1_rule SRG-NET-000148-VPN-000540 CCI-000778 MEDIUM The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection. Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims
    SV-106237r1_rule SRG-NET-000164-VPN-000560 CCI-000185 MEDIUM The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and re
    SV-106239r1_rule SRG-NET-000165-VPN-000570 CCI-000186 MEDIUM The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private
    SV-106241r1_rule SRG-NET-000166-VPN-000580 CCI-000187 MEDIUM The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control a
    SV-106251r1_rule SRG-NET-000166-VPN-000590 CCI-000187 MEDIUM The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. This requirement only applies to components where this is specifi
    SV-106253r1_rule SRG-NET-000168-VPN-000600 CCI-000803 MEDIUM The VPN Gateway must use FIPS-validated SHA-1 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by
    SV-106255r1_rule SRG-NET-000169-VPN-000610 CCI-000804 MEDIUM The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides opportunity for intruders to compromise resources within the network infrastructure. This requirement only ap
    SV-106257r1_rule SRG-NET-000205-VPN-000710 CCI-001097 MEDIUM The VPN Gateway must be configured to route sessions to an IDPS for inspection. Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best. Remote access is access to DoD non-public
    SV-106259r1_rule SRG-NET-000213-VPN-000720 CCI-001133 LOW The VPN Gateway must terminate all network connections associated with a communications session at the end of the session. Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormall
    SV-106261r1_rule SRG-NET-000230-VPN-000770 CCI-001184 MEDIUM The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. VPN gateways utilizing encryption are requir
    SV-106263r1_rule SRG-NET-000230-VPN-000780 CCI-001184 HIGH The IPsec VPN Gateway must use Internet Key Exchange (IKE) with SHA-1 or greater to protect the authenticity of communications sessions. Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standa
    SV-106265r1_rule SRG-NET-000231-VPN-000790 CCI-001185 MEDIUM The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an app
    SV-106267r1_rule SRG-NET-000233-VPN-000800 CCI-001664 MEDIUM The VPN Gateway must recognize only system-generated session identifiers. VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's applicat
    SV-106269r1_rule SRG-NET-000234-VPN-000810 CCI-001188 MEDIUM The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS validated RNG that is not DRGB mitigates to a CAT III.
    SV-106271r1_rule SRG-NET-000235-VPN-000820 CCI-001190 MEDIUM The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VPN gateways that fail suddenly and with no incorporated failure state planning may leave the hosting syste
    SV-106273r1_rule SRG-NET-000313-VPN-001050 CCI-002314 MEDIUM The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity. Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access management difficult at best. Remote access is access to DoD no
    SV-106275r1_rule SRG-NET-000314-VPN-001060 CCI-002322 MEDIUM The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed. Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped. Remote access functionality must have the capability to immediately disconnect current users remotely
    SV-106277r1_rule SRG-NET-000317-VPN-001090 CCI-000068 HIGH The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) c
    SV-106279r1_rule SRG-NET-000320-VPN-001120 CCI-002353 MEDIUM The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions. Protecting authentication communications between the client, the VPN Gateway, and the authentication server keeps this critical information from being exploited. In distributed information systems, authorization processes and access control decisions may
    SV-106281r1_rule SRG-NET-000330-VPN-001220 CCI-002250 LOW The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). Users need to be aware of activity that occurs regarding their account. Providing users with information deemed important by the organization may aid in the discovery of unauthorized access or thwart a potential attacker. Organizations should consider th
    SV-106283r1_rule SRG-NET-000333-VPN-001250 CCI-001844 MEDIUM The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components. Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The conte
    SV-106285r1_rule SRG-NET-000334-VPN-001260 CCI-001851 MEDIUM The VPN Gateway must off-load audit records onto a different system or media than the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This requirement only applies to components where this is sp
    SV-106287r1_rule SRG-NET-000335-VPN-001270 CCI-001858 MEDIUM The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation
    SV-106289r1_rule SRG-NET-000336-VPN-001280 CCI-001861 MEDIUM When communications with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally. If the system were to continue processing after audit failure, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis. Because of the importance of ensuring mission/business continuity, organizations may determ
    SV-106291r1_rule SRG-NET-000337-VPN-001290 CCI-002038 MEDIUM The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period. The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA
    SV-106293r1_rule SRG-NET-000337-VPN-001300 CCI-002038 MEDIUM The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization. When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for ot
    SV-106295r1_rule SRG-NET-000341-VPN-001350 CCI-001953 MEDIUM The VPN Gateway must accept Personal Identity Verification (PIV) credentials. The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary com
    SV-106297r1_rule SRG-NET-000342-VPN-001360 CCI-001954 MEDIUM The VPN Gateway must electronically verify Personal Identity Verification (PIV) credentials. The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary com
    SV-106315r1_rule SRG-NET-000343-VPN-001370 CCI-001958 MEDIUM The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication cla
    SV-106317r1_rule SRG-NET-000352-VPN-001460 CCI-002450 MEDIUM The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to prote
    SV-106319r1_rule SRG-NET-000369-VPN-001620 CCI-002397 MEDIUM The VPN Gateway must disable split-tunneling for remote clients VPNs. Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. A VPN hardware or software client with split tunneling enabled provides an unsecured b
    SV-106321r1_rule SRG-NET-000371-VPN-001640 CCI-002418 MEDIUM The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey
    SV-106323r1_rule SRG-NET-000371-VPN-001650 CCI-002418 HIGH The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information. Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered. This requirement also applies to both internal and external networks and all
    SV-106325r1_rule SRG-NET-000375-VPN-001690 CCI-002423 MEDIUM The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations. ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header
    SV-106327r1_rule SRG-NET-000400-VPN-001940 CCI-000197 MEDIUM For site-to-site VPN, for accounts using password authentication, the VPN Gateway must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intende
    SV-106329r1_rule SRG-NET-000492-VPN-001980 CCI-000172 MEDIUM The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Log records
    SV-106331r1_rule SRG-NET-000510-VPN-002160 CCI-002450 MEDIUM The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes. FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, th
    SV-106333r1_rule SRG-NET-000510-VPN-002170 CCI-002450 MEDIUM The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, th
    SV-106335r1_rule SRG-NET-000510-VPN-002180 CCI-002450 MEDIUM The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-106337r1_rule SRG-NET-000512-VPN-002220 CCI-000366 HIGH The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. An IPsec SA is established using either Internet Ke
    SV-106339r1_rule SRG-NET-000512-VPN-002230 CCI-000366 HIGH The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication. Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. When an incoming Internet Key Exch
    SV-106341r1_rule SRG-NET-000518-VPN-002280 CCI-002363 MEDIUM The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway. If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typ
    SV-106343r1_rule SRG-NET-000519-VPN-002290 CCI-002364 MEDIUM The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated. Logout messages for access, for exa
    SV-106345r1_rule SRG-NET-000522-VPN-002320 CCI-000196 MEDIUM The site-to-site VPN Gateway must store only cryptographic representations of Pre-shared Keys (PSKs). Pre-shared keys need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited
    SV-106347r1_rule SRG-NET-000525-VPN-002330 CCI-000068 HIGH The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) c
    SV-106349r1_rule SRG-NET-000530-VPN-002340 CCI-001453 MEDIUM The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateway
    SV-106351r1_rule SRG-NET-000540-VPN-002350 CCI-001453 MEDIUM The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to public-facing or external-facing device
    SV-106353r1_rule SRG-NET-000550-VPN-002360 CCI-001967 MEDIUM The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use a FIPS-validated AES cipher block algorithm. Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. SNMPv3 suppor
    SV-106355r1_rule SRG-NET-000565-VPN-002390 CCI-002450 HIGH The VPN Gateway must use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network. Use of improperly configured or lower assurance equipment and solutions could compromise high-value information. The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to
    SV-106357r1_rule SRG-NET-000565-VPN-002400 CCI-002450 HIGH The IPsec VPN Gateway Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-106359r1_rule SRG-NET-000580-VPN-002410 CCI-000185 MEDIUM The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entit
    SV-106361r1_rule SRG-NET-000585-VPN-002420 CCI-000803 MEDIUM The VPN Gateway must use a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Use only SHA-2 for digital signature generation applications and functions. SHA-2 is strongly preferred for use by DoD for non-signature gener
    SV-106363r1_rule SRG-NET-000075-VPN-000260 CCI-000068 MEDIUM If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic. L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP