The firewall implementation must employ automated mechanisms to facilitate the monitoring and control of remote access methods.


Overview

Finding ID: SRG-NET-000061-FW-000043
Version: SRG-NET-000061-FW-000043
Rule ID: SRG-NET-000061-FW-000043_rule
IA Controls: none listed
Severity: Medium
Description
Remote access services enable users outside the enclave (beyond the external firewall interface) to reach data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. Unless restrictions are put in place, a user connecting to the LAN via remote access can access and perform everything that an internally connected user can. Monitoring ensures that unauthorized access to the enclave's resources and data does not go undetected.

Controlling access to the private network can be accomplished by assigning remote users to specific subnets, which enables firewalls and routers to control what resources the remote users can access. To allow traffic to u-turn, the firewall would have to be configured to NAT the pool of remote client addresses on the outside interface (to the same global address), as well as have a configuration statement allowing traffic to egress the same interface on which the IPSec tunnel terminates; most implementations do not allow this by default. If the firewall is configured to allow such a loop back, then there must be another firewall upstream to inspect this outbound traffic, or the traffic must be forwarded (policy-based routed) toward a firewall or applicable proxy that performs the stateful inspection.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000061-FW-000043_chk )
Review the firewall configuration statements used to create a group policy for remote clients and verify that IP address pools from specific subnets are used to assign IP addresses.
Verify the policy enforces no split-tunneling to ensure all traffic from remote clients traverses the tunnel to the firewall.
Verify traffic from a remote client with an outbound destination does not bypass the enclave's perimeter defense mechanisms deployed for egress traffic.
Review the configuration and verify it is not allowing traffic received from the IPSec tunnel to loop back to the NIPRNet/Internet.

If the firewall is not configured accordingly to monitor and control remote access methods, this is a finding.
Fix Text (F-SRG-NET-000061-FW-000043_fix)
Configure a group policy for remote clients. The policy must use a unique IP address pool when assigning IP addresses to remote clients.
Disable split-tunneling.
Deploy the firewall functioning as a VPN gateway within a DMZ, or configure the device not to permit u-turn traffic. If it must allow u-turn traffic, then deploy a firewall upstream to inspect the outbound traffic.
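The three check items above (a dedicated address pool drawn from an approved subnet, split tunneling disabled, and no u-turn of tunnel traffic out the same interface) as an added configuration audit in Python. This is example code, not part of the SRG; because the SRG is vendor-neutral, it assumes a Cisco ASA-style configuration syntax and uses constructed sample configurations, with the non-compliant sample beside its corrected form.

```python
import ipaddress
import re

# Constructed sample (assumption: ASA-style syntax, used only for illustration).
# It fails two checks: split tunneling is on, and intra-interface (u-turn) traffic is permitted.
SAMPLE_CONFIG = """
ip local pool RA_POOL 10.10.50.10-10.10.50.200 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
same-security-traffic permit intra-interface
"""

# Corrected form: all client traffic is tunneled and the u-turn permission is removed.
COMPLIANT_CONFIG = SAMPLE_CONFIG.replace("tunnelspecified", "tunnelall").replace(
    "same-security-traffic permit intra-interface\n", "")

# Subnets the enclave reserves for remote clients (constructed for this example).
APPROVED_RA_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]

def audit_remote_access(config, approved_subnets):
    """Return one finding string per failed SRG check item; an empty list means compliant."""
    findings = []
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))

    # Each "group-policy NAME attributes" block is followed by indented attribute lines.
    for m in re.finditer(r"^group-policy (\S+) attributes\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        pool_m = re.search(r"address-pools value (\S+)", body)
        if not pool_m:
            findings.append(f"{name}: no IP address pool assigned to remote clients")
        else:
            lo, hi = pools.get(pool_m.group(1), (None, None))
            if lo is None or not any(lo in n and hi in n for n in approved_subnets):
                findings.append(f"{name}: pool {pool_m.group(1)} is not drawn from an approved remote-client subnet")
        split = re.search(r"split-tunnel-policy (\S+)", body)
        if not split or split.group(1) != "tunnelall":
            findings.append(f"{name}: split tunneling is not disabled (expected tunnelall)")

    # U-turn: traffic allowed to enter and leave on the same interface bypasses upstream inspection.
    if re.search(r"^same-security-traffic permit intra-interface", config, re.M):
        findings.append("u-turn traffic is permitted on the same interface (intra-interface)")
    return findings
```

Calling `audit_remote_access(SAMPLE_CONFIG, APPROVED_RA_SUBNETS)` reports the split-tunnel and u-turn findings, while the corrected configuration returns no findings.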