Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminates at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations, this is a finding.
Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.
If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.
Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.
Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.
Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
Inspect the VPN Gateway configuration. Verify the VPN Gateway limits the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.
Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.
Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.
Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.
Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.
Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.
Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.
Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
Verify all IKE proposals are set to use DH Group 16 or greater for IKE Phase 1. View the dh-group option under the IKE options. If the IKE option is not set to use DH Group 16 or greater for IKE Phase 1, this is a finding.
Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.
If L2TP communications protocol is not used, this is not applicable. Verify L2TPv3 sessions are configured to authenticate the traffic before transit. L2TPv3 sessions must be authenticated prior to transporting traffic. If L2TPv3 sessions do not require authentication, this is a finding.
If the site-to-site VPN implementation uses L2TPv3, configure L2TPv3 sessions to authenticate the traffic before transit.
Verify the VPN Gateway generates log records containing information to establish what type of events occurred. If the VPN Gateway does not generate log records containing information to establish what type of events occurred, this is a finding.
Configure the VPN Gateway to generate log records containing information to establish what type of events occurred.
Verify the VPN Gateway generates log records containing information to establish when (date and time) the events occurred. If the VPN Gateway does not generate log records containing information to establish when (date and time) the events occurred, this is a finding.
Configure the VPN Gateway to generate log records containing information to establish when (date and time) the events occurred.
Verify the VPN Gateway generates log records containing information that establishes the identity of any individual or process associated with the event. If the VPN Gateway does not generate log records containing information that establishes the identity of any individual or process associated with the event, this is a finding.
Configure the VPN Gateway to generate log records containing information that establishes the identity of any individual or process associated with the event.
Verify the VPN Gateway generates log records containing information to establish where the events occurred. If the VPN Gateway does not generate log records containing information to establish where the events occurred, this is a finding.
Configure the VPN Gateway to generate log records containing information to establish where the events occurred.
Verify the VPN Gateway generates log records containing information to establish the source of the events. If the VPN Gateway does not generate log records containing information to establish the source of the events, this is a finding.
Configure the VPN Gateway to generate log records containing information to establish the source of the events.
Examine the log configuration on the VPN Gateway or view several alert events on the organization's central audit server. Alternatively, examine the Central Log Server to see if it contains information about success or failure of client connection attempts or other events. If the traffic log entries do not include the success or failure of connection attempts and other events, this is a finding.
Configure the VPN Gateway to generate log entries containing information to establish the outcome of the events, such as, at a minimum, the success or failure of the client connection attempts.
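The six log-content requirements above (what, when, who, where, source, outcome) can be checked mechanically against exported log records. The following is an added example, not part of the SRG and not any vendor's tooling: it audits constructed key=value log lines for the required fields. The field names, the line format and the timestamp layout are assumptions; map them to the gateway's real export format before use.

```python
"""Added example: audit constructed VPN gateway log lines for the record content
the checks above require (event type, date/time, identity, where, source, outcome).
The key=value line format and field names are assumptions, not a product's schema."""
import re
from datetime import datetime

# Field -> requirement it satisfies (assumed field names)
REQUIRED_FIELDS = {
    "type": "what type of event occurred",
    "ts": "when (date and time) the event occurred",
    "user": "identity of the individual or process",
    "device": "where the event occurred",
    "src": "source of the event",
    "outcome": "success or failure of the event",
}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp layout (UTC)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def missing_fields(record):
    """Return the required fields a record lacks. A timestamp that is present but
    unparseable also counts as missing: it cannot establish when the event occurred."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    ts = record.get("ts")
    if ts:
        try:
            datetime.strptime(ts, TS_FORMAT)
        except ValueError:
            missing.append("ts")
    return missing


def audit(lines):
    """Return (line number, missing fields) for every incomplete record."""
    findings = []
    for n, line in enumerate(lines, 1):
        gaps = missing_fields(parse_record(line))
        if gaps:
            findings.append((n, gaps))
    return findings


# Constructed sample records (documentation IP ranges, made-up usernames)
SAMPLE_LOG = [
    'ts=2024-05-01T12:00:01Z device=vpn-gw1 type=vpn-connect user=jdoe src=203.0.113.7 outcome=success',
    'ts=2024-05-01T12:00:09Z device=vpn-gw1 type=vpn-connect user=jsmith src=198.51.100.22 outcome=failure reason="auth failed"',
    'device=vpn-gw1 type=vpn-connect user=jdoe src=203.0.113.7 outcome=success',
    'ts=2024-05-01T12:01:00Z device=vpn-gw1 type=session-timeout user=jdoe',
]

if __name__ == "__main__":
    for n, gaps in audit(SAMPLE_LOG):
        print(f"line {n}: missing {', '.join(REQUIRED_FIELDS[g] for g in gaps)}")
```

Running it on the constructed sample reports line 3 (no timestamp) and line 4 (no source, no outcome); records 1 and 2 satisfy all six requirements, including a failed connection attempt with its outcome recorded.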
Verify the VPN Gateway protects log information from unauthorized read access if all or some of this data is stored locally. If the VPN Gateway does not protect log information from unauthorized read access if all or some of this data is stored locally, this is a finding.
Configure the VPN Gateway to protect log information from unauthorized read access if all or some of this data is stored locally.
Verify the VPN Gateway log is configured to protect audit information from unauthorized modification when stored locally. If the VPN Gateway log does not protect audit information from unauthorized modification when stored locally, this is a finding.
Configure the VPN Gateway log to protect audit information from unauthorized modification when stored locally. The method used depends on system architecture and design. Examples: ensuring log files receive the proper file system permissions and limiting log data locations.
Verify the VPN Gateway is configured to protect audit information from unauthorized deletion when stored locally. If the VPN Gateway does not protect audit information from unauthorized deletion when stored locally, this is a finding.
Configure the VPN Gateway to protect audit information from unauthorized deletion when stored locally. Ensure log files receive the proper file system permissions and limit log data locations.
View the configured security services. Compare the services that are enabled, including the port, services, protocols, and functions. If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.
Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration. View the configured security services. Compare the services that are enabled, including the port, services, protocols, and functions. Consult the product knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance with the PPSM CAL and vulnerability assessments.
Verify the IPsec VPN Gateway uses IKEv2 for IPsec VPN security associations. If the IPsec VPN Gateway does not use IKEv2 for IPsec VPN security associations, this is a finding.
Configure the IPsec VPN Gateway to use IKEv2 for IPsec VPN security associations.
Verify the VPN Gateway is configured to prohibit PPTP and L2F. If the VPN Gateway is not configured to prohibit PPTP and L2F, this is a finding.
Configure the VPN Gateway to prohibit PPTP and L2F.
If L2TP communications protocol is not used, this is not applicable. Verify the VPN Gateway or another network element (e.g., firewall) is configured to block or deny L2TP packets with a destination address within the private network of the enclave. If L2TP communications are allowed to cross the security boundary into the private network of the enclave, this is a finding.
If L2TP is used for encapsulation, configure the VPN Gateway or another network element to block or deny unencrypted L2TP packets crossing the security boundary into the private network of the enclave.
Verify the VPN Gateway is configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). If the VPN Gateway does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
Configure the VPN Gateway to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Verify the VPN Gateway uses multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. If the VPN Gateway does not use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts, this is a finding.
Configure the VPN Gateway to use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
Verify the VPN Client implements multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the VPN Client does not implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.
Configure the VPN Client to implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Verify the TLS VPN Gateway is configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts. If the TLS VPN is not configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts, this is a finding.
Configure the TLS VPN Gateway to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.
Verify the IPsec VPN Gateway uses anti-replay mechanisms for security associations. If the IPsec VPN Gateway does not use anti-replay mechanisms for security associations, this is a finding.
Configure the IPsec VPN Gateway to use anti-replay mechanisms for security associations.
Verify the VPN Gateway uniquely identifies all network-connected endpoint devices before establishing a connection. If the VPN Gateway does not uniquely identify all network-connected endpoint devices before establishing a connection, this is a finding.
Configure the VPN Gateway to uniquely identify all network-connected endpoint devices before establishing a connection.
Verify the VPN Gateway uses PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor. If PKI-based authentication does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.
Configure the VPN Gateway to use PKI-based authentication that validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
If PKI-based authentication is not being used for device authentication, this is not applicable. Verify the site-to-site VPN that uses certificate-based device authentication uses a FIPS-compliant key management process. If the site-to-site VPN that uses certificate-based device authentication does not use a FIPS-compliant key management process, this is a finding.
Configure the site-to-site VPN that uses certificate-based device authentication to use a FIPS-compliant key management process.
Verify the Remote Access VPN Gateway is configured to use a physically separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. If the Remote Access VPN Gateway does not use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication, this is a finding.
Configure the Remote Access VPN Gateway to use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
Verify the VPN Gateway maps the authenticated identity to the user account for PKI-based authentication. If the VPN Gateway does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.
Configure the VPN Gateway to map the authenticated identity to the user account for PKI-based authentication.
Verify the VPN Gateway uses a FIPS-validated SHA-2 or higher hash function. If the VPN Gateway does not use a FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification, this is a finding.
Configure the VPN Gateway to use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
Verify the VPN Gateway uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). If the VPN Gateway does not uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users), this is a finding.
Configure the VPN Gateway to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Verify the VPN Gateway routes sessions to an IDPS for inspection. If the VPN Gateway is not configured to route sessions to an IDPS for inspection, this is a finding.
Configure the VPN Gateway to route sessions to an IDPS for inspection.
Verify the VPN Gateway terminates all network connections associated with a communications session at the end of the session. If the VPN Gateway does not terminate all network connections associated with a communications session at the end of the session, this is a finding.
Configure the VPN Gateway to terminate all network connections associated with a communications session at the end of the session.
Verify the VPN Gateway uses FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. If the VPN Gateway does not use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.
Configure the VPN Gateway to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
Verify the IPsec VPN Gateway uses IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions. If the IPsec VPN Gateway is not configured to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions, this is a finding.
Configure the IPsec VPN Gateway to use IKE with SHA-2 at 384 bits or greater to protect the authenticity of communications sessions.
Verify the VPN Gateway invalidates session identifiers upon user logoff or other session termination. If the VPN Gateway does not invalidate session identifiers upon user logoff or other session termination, this is a finding.
Configure the VPN Gateway to invalidate session identifiers upon user logoff or other session termination.
Verify the VPN Gateway recognizes only system-generated session identifiers. If the VPN Gateway does not recognize only system-generated session identifiers, this is a finding.
Configure the VPN Gateway to recognize only system-generated session identifiers.
Verify the VPN Gateway generates unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. If the VPN Gateway does not generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm, this is a finding.
Configure the VPN Gateway to generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
Verify the VPN Gateway is configured to fail to a secure state if system initialization fails, shutdown fails, or aborts fail. If the VPN Gateway does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.
Configure the VPN Gateway to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Verify the VPN Gateway is configured to perform an organization-defined action if the audit reveals unauthorized activity. If the VPN Gateway is not configured to perform an organization-defined action if the audit reveals unauthorized activity, this is a finding.
Configure the VPN Gateway to perform an organization-defined action if the audit reveals unauthorized activity.
Verify the VPN Gateway is configured for functionality, such as automatic disconnect (or user-initiated disconnect), in case of adverse information based on an indicator of compromise or attack. Verify authorized system administrator accounts are configured to allow them to disconnect or disable remote access to remote users under circumstances defined in the VPN SSP. If the VPN Gateway administrator accounts or security policy is not configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed, this is a finding.
Configure the VPN Gateway for functionality, such as automatic disconnect (or user-initiated disconnect), in case of adverse information based on an indicator of compromise or attack. Configure authorized system administrator accounts to allow them to disconnect or disable remote access to remote users under circumstances defined in the VPN SSP.
Verify all IKE proposals are set to use the AES encryption algorithm. View the value of the encryption algorithm for each defined proposal. If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.
Configure the IPsec Gateway to use AES with IKE. The option on the IKE Phase 1 proposal may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.
Verify the VPN Gateway off-loads log records onto a different system or media than the system being audited. If the VPN Gateway does not off-load audit records onto a different system or media than the system being audited, this is a finding.
Configure the VPN Gateway to off-load audit records onto a different system or media than the system being audited.
Verify the VPN Gateway generates a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. If the VPN Gateway does not generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server, this is a finding.
Configure the VPN Gateway to generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
Verify the VPN Gateway renegotiates the IPsec security association after eight hours or less.
Configure the VPN Gateway to renegotiate the IPsec security association after eight hours or less.
Verify the VPN Gateway renegotiates the IKE security association after eight hours or less. If the VPN Gateway does not renegotiate the IKE security association after eight hours or less, this is a finding.
Configure the VPN Gateway to renegotiate the IKE security association after eight hours or less.
Verify the VPN Gateway accepts PIV credentials. If the VPN Gateway does not accept the CAC credential, this is a finding.
Configure the VPN Gateway to accept the CAC credential.
Verify the VPN Gateway electronically verifies the CAC credential. If the VPN Gateway does not electronically verify Personal Identity Verification (PIV) credentials, this is a finding.
Configure the VPN Gateway to electronically verify the CAC credential.
Verify the VPN Gateway authenticates all network-connected endpoint devices before establishing a connection. If the VPN Gateway does not authenticate all network-connected endpoint devices before establishing a connection, this is a finding.
Configure the VPN Gateway to authenticate all network-connected endpoint devices before establishing a connection.
Verify the VPN Gateway uses an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. If the VPN Gateway does not use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network, this is a finding.
Configure the VPN Gateway to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
Verify the VPN Gateway disables split-tunneling for remote client VPNs. If the VPN Gateway does not disable split-tunneling for remote client VPNs, this is a finding.

Note: Certain cloud products require direct connectivity to operate correctly. These items may be excluded from the split tunneling restriction if documented and approved. If split-tunneling for remote client VPNs is enabled by the above exception, verify only authorized external destinations are excluded from tunneling as shown in the example below:

  webvpn
   anyconnect-custom-attr dynamic-split-exclude-domains description DoD IL5 Authorized Destinations
   anyconnect-custom-data dynamic-split-exclude-domains DoD-IL5 dod.teams.microsoft.us,azureedge.net,core.usgovcloudapi.net,streaming.media.usgovcloudapi.net,wvd.azure.us,cdn.office365.us
   anyconnect-custom dynamic-split-exclude-domains value DoD-IL5

If any unauthorized exempted connections exist, this is a finding.
Configure the VPN Gateway to disable split-tunneling for remote client VPNs.
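When the documented exception above is in use, the reviewer's job is to confirm that every domain excluded from the tunnel is on the approved list. The following added example (not part of the SRG, not Cisco's code) parses Cisco ASA-style configuration text for the dynamic-split-exclude-domains lists, checks which lists a group-policy actually applies, and reports any domain outside the approved set. The approved set is the one in the SRG's own example; the configuration text is constructed, and the `split-tunnel-policy tunnelall` check is an ASA group-policy setting assumed here, not one the page names.

```python
"""Added example: audit a Cisco ASA-style configuration for split-tunnel exclusions
that are not on the approved list (the page's exception case). Approved domains are
those in the SRG's example; the configuration text is constructed and the
split-tunnel-policy check is an ASA setting assumed here, not one the page names."""
import re

# Destinations the page's example marks as authorized (DoD IL5)
APPROVED_EXCLUSIONS = {
    "dod.teams.microsoft.us", "azureedge.net", "core.usgovcloudapi.net",
    "streaming.media.usgovcloudapi.net", "wvd.azure.us", "cdn.office365.us",
}

DATA_RE = re.compile(r"^\s*anyconnect-custom-data\s+dynamic-split-exclude-domains\s+(\S+)\s+(\S+)\s*$")
APPLY_RE = re.compile(r"^\s*anyconnect-custom\s+dynamic-split-exclude-domains\s+value\s+(\S+)\s*$")
POLICY_RE = re.compile(r"^\s*split-tunnel-policy\s+(\S+)")


def parse_split_tunnel(config):
    """Collect the named exclusion lists, the list names a group-policy applies,
    and every split-tunnel-policy value seen."""
    lists, applied, policies = {}, set(), []
    for line in config.splitlines():
        if m := DATA_RE.match(line):
            lists.setdefault(m.group(1), []).extend(d for d in m.group(2).split(",") if d)
        elif m := APPLY_RE.match(line):
            applied.add(m.group(1))
        elif m := POLICY_RE.match(line):
            policies.append(m.group(1))
    return lists, applied, policies


def audit_split_tunnel(config, approved=APPROVED_EXCLUSIONS):
    """Return findings: a split-tunnel-policy other than tunnelall, or any applied
    exclusion domain that is not approved. An empty list means no finding."""
    lists, applied, policies = parse_split_tunnel(config)
    findings = [f"split-tunnel-policy {p} permits split tunneling"
                for p in policies if p != "tunnelall"]
    for name in sorted(applied):
        for domain in lists.get(name, []):
            if domain not in approved:
                findings.append(f"unauthorized exclusion {domain} in list {name}")
    return findings


# Constructed configuration: the page's example plus a second list carrying an
# unapproved domain (example.net) that a group-policy applies
SAMPLE_CONFIG = """\
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description DoD IL5 Authorized Destinations
anyconnect-custom-data dynamic-split-exclude-domains DoD-IL5 dod.teams.microsoft.us,azureedge.net,core.usgovcloudapi.net,streaming.media.usgovcloudapi.net,wvd.azure.us,cdn.office365.us
anyconnect-custom-data dynamic-split-exclude-domains Extra example.net,cdn.office365.us
group-policy GP-REMOTE attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value DoD-IL5
 anyconnect-custom dynamic-split-exclude-domains value Extra
"""

if __name__ == "__main__":
    for finding in audit_split_tunnel(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Only lists that a group-policy applies are audited; a defined-but-unapplied list does not change what clients exclude. On the constructed configuration the single finding is the example.net exclusion in the list named Extra.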
Verify the IPsec VPN Gateway specifies PFS during IKE negotiation. If the IPsec VPN Gateway does not specify PFS during IKE negotiation, this is a finding.
Configure the IPsec VPN Gateway to specify PFS during IKE negotiation.
Verify the VPN Gateway and the remote access client are configured to protect the confidentiality and integrity of transmitted information. If the VPN Gateway and client do not protect the confidentiality and integrity of transmitted information, this is a finding.
Configure the VPN Gateway and the remote access client to protect the confidentiality and integrity of transmitted information.
For accounts using password authentication, verify the VPN Gateway uses SHA-2 or later protocol to protect the integrity of the password authentication process. For accounts using password authentication, if the VPN Gateway does not use SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.
For accounts using password authentication, configure the VPN Gateway to use SHA-2 or later protocol to protect the integrity of the password authentication process.
Verify the VPN Gateway generates log records when successful and/or unsuccessful VPN connection attempts occur. If the VPN Gateway does not generate log records when successful and/or unsuccessful VPN connection attempts occur, this is a finding.
Configure the VPN Gateway to generate log records when successful and/or unsuccessful VPN connection attempts occur.
Verify the VPN Gateway uses a FIPS-validated cryptographic module to generate cryptographic hashes. If the VPN Gateway does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.
Configure the VPN Gateway to use a FIPS-validated cryptographic module to generate cryptographic hashes.
Verify the VPN Gateway uses a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. If the VPN Gateway does not use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, this is a finding.
Configure the VPN Gateway to use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
Verify the IPsec VPN Gateway IKE uses a NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. If the IPsec VPN Gateway IKE does not use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic, this is a finding.
Configure the IPsec VPN Gateway IKE to use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
Verify the IKE protocol is specified for all IPsec VPNs. If the IKE protocol is not specified as an option on all VPN gateways, this is a finding.
Configure the IPsec VPN Gateway to use IKE and IPsec VPN SAs.
Verify the VPN Client logout function is configured to terminate the session on/with the VPN Gateway. If the VPN Client logout function does not terminate the session on/with the VPN Gateway, this is a finding.
Configure the VPN Client logout function to terminate the session on/with the VPN Gateway.
Verify the VPN Client displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. If the VPN Client does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.
Configure the VPN Client to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Verify the VPN Gateway stores only cryptographic representations of the PSK. If the VPN Gateway does not store only cryptographic representations of the PSK, this is a finding.
Configure the VPN Gateway to store only cryptographic representations of the PSK.
Verify all Internet Key Exchange (IKE) proposals are set to use the AES256 or greater encryption algorithm. View the value of the encryption algorithm for each defined proposal. If the value of the encryption algorithm for any IPsec proposal is not set to use an AES256 or greater algorithm, this is a finding.
Configure the IPsec Gateway to use AES256 or greater for the IPsec proposal.
Verify the TLS VPN Gateway that supports Government-only services prohibits client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. If the TLS VPN Gateway that supports Government-only services does not prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.
Configure the TLS VPN Gateway that supports Government-only services to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
Verify the TLS VPN Gateway that supports citizen- or business-facing network devices prohibits client negotiation to SSL 2.0 or SSL 3.0. If the TLS VPN Gateway that supports citizen- or business-facing network devices does not prohibit client negotiation to SSL 2.0 or SSL 3.0, this is a finding.
Configure the TLS VPN Gateway that supports citizen- or business-facing network devices to prohibit client negotiation to SSL 2.0 or SSL 3.0.
Verify the VPN Gateway that provides an SNMP NMS interface is configured to use SNMPv3 with a FIPS-validated AES cipher block algorithm. If the VPN Gateway that provides an SNMP NMS interface does not configure SNMPv3 to use a FIPS-validated AES cipher block algorithm, this is a finding.
For the VPN Gateway that provides an SNMP NMS interface, configure SNMPv3 to use a FIPS-validated AES cipher block algorithm.
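The PSK storage, IKE proposal strength, TLS version and SNMPv3 checks above can be encoded as a small audit routine that a reviewer runs over an exported gateway configuration. This is example code added here, not part of the SRG or any vendor's tooling; the configuration layout is a constructed, vendor-neutral dict, and a real export would first have to be parsed into that shape.

```python
"""Audit a VPN gateway configuration against the PSK-storage, IKE encryption,
TLS version and SNMPv3 checks of the VPN Gateway SRG. Example code, not part
of the SRG; the config dict layout is a constructed, vendor-neutral assumption."""
from typing import Dict, List

# Algorithms that satisfy "AES256 or greater"; AES-GCM with a 256-bit key counts.
STRONG_ENC = {"aes256", "aes256-gcm", "aes-256-cbc", "aes-256-gcm"}
# Versions a Government-only TLS VPN gateway must refuse to negotiate.
BANNED_GOV = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}
# Versions a citizen- or business-facing TLS VPN gateway must refuse.
BANNED_PUBLIC = {"sslv2", "sslv3"}

def audit(cfg: Dict) -> List[str]:
    """Return one finding string per failed check; an empty list is compliant."""
    findings: List[str] = []
    for name, prop in cfg.get("ike_proposals", {}).items():
        enc = str(prop.get("encryption", "")).lower()
        if enc not in STRONG_ENC:
            findings.append(f"IKE proposal {name}: encryption '{enc}' is below AES256")
    banned = BANNED_GOV if cfg.get("government_only", True) else BANNED_PUBLIC
    for ver in cfg.get("tls_versions_enabled", []):
        if ver.lower() in banned:
            findings.append(f"TLS: client negotiation to {ver} is permitted")
    snmp = cfg.get("snmp")
    if snmp is not None:  # the gateway exposes an SNMP NMS interface
        priv = str(snmp.get("priv_cipher", "")).lower()
        if snmp.get("version") != 3 or not priv.startswith("aes"):
            findings.append("SNMP: NMS access is not SNMPv3 with an AES privacy cipher")
    if cfg.get("psk_storage") != "hashed":
        findings.append("PSK is not stored only as a cryptographic representation")
    return findings

# Constructed sample: a Government-only gateway with several weak settings.
WEAK_CFG = {
    "government_only": True,
    "ike_proposals": {"p1": {"encryption": "aes128"}, "p2": {"encryption": "aes256-gcm"}},
    "tls_versions_enabled": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "snmp": {"version": 2, "priv_cipher": ""},
    "psk_storage": "cleartext",
}

# Constructed sample: the same gateway after remediation.
FIXED_CFG = {
    "government_only": True,
    "ike_proposals": {"p1": {"encryption": "aes256"}, "p2": {"encryption": "aes256-gcm"}},
    "tls_versions_enabled": ["TLSv1.2", "TLSv1.3"],
    "snmp": {"version": 3, "priv_cipher": "AES-256"},
    "psk_storage": "hashed",
}
```

Running audit(WEAK_CFG) reports four findings (weak IKE proposal p1, TLS 1.0 permitted, SNMPv2 without AES, cleartext PSK), while audit(FIXED_CFG) reports none.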
Verify the VPN gateway is configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network. If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network, this is a finding.
Configure the IPsec VPN Gateway to use cryptography that is compliant with NSA/CSS parameters to protect NSS for remote access to a classified network.
Verify the VPN gateway IKE Phase 1 and Phase 2 are configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network. If the VPN gateway is not configured to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network, this is a finding.
Configure the IPsec VPN Gateway Internet Key Exchange (IKE) to use cryptography that is compliant with NSA/CSS parameters when transporting classified traffic across an unclassified network.
Verify the VPN Gateway validates TLS certificates by performing RFC 5280-compliant certification path validation. If the VPN Gateway does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.
Configure the VPN Gateway to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. Review the system security plan. Verify the VPN gateway session termination is configured in accordance with the value specified in the SSP. If a risk assessment has not been conducted and an organization-defined session termination period is not addressed/documented in the SSP, this is a finding. If the VPN gateway is not configured to terminate all remote access network connections in accordance with the values defined in the SSP, this is a finding.
This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement. Conduct a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at risk of failure. Identify the organization's VPN session termination period based on the risk assessment. Add the results of the risk assessment and the session termination values to the site's SSP documents. Configure the VPN gateway to periodically terminate all remote network connections in accordance with the values defined in the SSP.
Verify the VPN Gateway is configured to employ organization-defined controls by type of DoS to achieve the DoS objective. If the VPN Gateway is not configured to employ organization-defined controls by type of DoS to achieve the DoS objective, this is a finding.
Configure the VPN Gateway to employ organization-defined controls by type of DoS to achieve the DoS objective.
Verify the VPN Gateway is configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. If the VPN Gateway is not configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions, this is a finding.
Configure the VPN Gateway to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
Verify the VPN Gateway is configured to establish organization-defined alternate communications paths for system operations and organizational command and control. If the VPN Gateway is not configured to establish organization-defined alternate communications paths for system operations and organizational command and control, this is a finding.
Configure the VPN Gateway to establish organization-defined alternate communications paths for system operations and organizational command and control.
If the VPN does not provide PKI-based user authentication intermediary services, this is not applicable. Verify the VPN implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. If the VPN does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.
If PKI-based user authentication intermediary services are provided, configure the VPN to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Verify the VPN Gateway rejects user certificates that have been revoked when using DOD PKI for authentication. If the VPN Gateway is not configured to use OCSP and/or CRL checking to reject revoked user credentials from establishing a session, this is a finding.
Configure the VPN Gateway to reject user certificates that have been revoked when using DOD PKI for authentication.
Verify the VPN Gateway rejects machine certificates that have been revoked when using DOD PKI for authentication. If the VPN Gateway is not configured to use OCSP and/or CRL checking to reject revoked machine credentials from establishing a session, this is a finding.
Configure the VPN Gateway to reject machine certificates that have been revoked when using DOD PKI for authentication.
If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable. Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions. Verify both user and machine certificates are being validated when establishing VPN sessions. If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.
Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.
Verify the TLS VPN Gateway limits authenticated client sessions to the initial session source IP. If the TLS VPN Gateway does not limit authenticated client sessions to the initial session source IP, this is a finding.
Configure the TLS VPN Gateway to limit authenticated client sessions to the initial session source IP.
Verify that the VPN Gateway uses an Always On VPN connection for remote computing. If the VPN Gateway does not use an Always On VPN connection for remote computing, this is a finding.
Configure the VPN Gateway to enable Always On VPN connections for all remote users. The remote client must not be able to access the internet without first establishing a VPN session with a DOD site.