
The firewall implementation must route all remote access traffic through managed access control points.


Overview

Finding ID: SRG-NET-000064-FW-000046
Version: SRG-NET-000064-FW-000046
Rule ID: SRG-NET-000064-FW-000046_rule
IA Controls:
Severity: Medium
Description
Remote access services enable users outside of the enclave (external interface) to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of the backbone networks used for transit between the user endpoint and the remote access server (VPN appliance or firewall), remote connections must be secured and must not be given direct access to the private network. Traffic between the remote access server and the private network must be secured. Therefore, the remote access server must forward traffic destined to the private network to the firewall interface inspecting all private network ingress traffic. To allow traffic to u-turn, the firewall would have to be configured to NAT for the pool of remote client addresses on the outside interface (the same global address), as well as have a configuration statement to allow traffic to egress out the same interface on which the IPSec tunnel terminates; most implementations do not allow this by default. If the firewall is configured to allow a u-turn, then there must be another firewall upstream to inspect this outbound traffic, or the traffic must be forwarded (policy-based routed) towards the firewall or applicable proxy to perform the stateful inspection.
STIG Date
Firewall Security Requirements Guide 2012-12-10

Details

Check Text (C-SRG-NET-000064-FW-000046_chk)
Review the policy that is pushed to the remote clients. The policy should enforce no split-tunneling to ensure all traffic from remote clients traverses the tunnel to the firewall.
Verify traffic from a remote client with an outbound destination does not bypass the enclave's perimeter defense mechanisms deployed for egress traffic.
Review the configuration and verify it is not allowing traffic received from the IPSec tunnel to u-turn back out towards the NIPRNet/Internet.

If the firewall is not configured to route all remote access traffic through managed access control points, this is a finding.
Fix Text (F-SRG-NET-000064-FW-000046_fix)
Configure a group policy for remote clients. The policy must require the disabling of split-tunneling.
Deploy the firewall functioning as a VPN gateway within a DMZ or configure the device to not permit u-turn traffic.
If it must allow u-turn traffic, then deploy a firewall upstream to inspect the outbound traffic.
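
An added example, not part of the Security Requirements Guide: one way to automate the Check Text over an exported configuration. The dictionary fields (`tunneled_networks`, `in_if`, `out_if`, `upstream_inspection`), the addresses and the rule ids are constructed, vendor-neutral assumptions, and only IPv4 is handled.

```python
import ipaddress

FULL_V4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample data (hypothetical schema, not a real device export).
CLIENT_POLICY = {"name": "remote-users",
                 "tunneled_networks": ["10.0.0.0/8", "192.168.50.0/24"]}
VPN_POOL = "172.16.100.0/24"
FIREWALL_RULES = [
    {"id": 10, "src": "172.16.100.0/24", "in_if": "outside", "out_if": "inside",
     "action": "permit", "upstream_inspection": False},
    {"id": 20, "src": "172.16.100.0/24", "in_if": "outside", "out_if": "outside",
     "action": "permit", "upstream_inspection": False},
    {"id": 30, "src": "172.16.100.0/25", "in_if": "outside", "out_if": "outside",
     "action": "permit", "upstream_inspection": True},
]

def split_tunneling_enabled(policy):
    """True unless the networks forced into the tunnel cover all of IPv4."""
    nets = [ipaddress.ip_network(n) for n in policy["tunneled_networks"]]
    # collapse_addresses merges adjacent prefixes, so a full tunnel written
    # as 0.0.0.0/1 + 128.0.0.0/1 is still recognised as 0.0.0.0/0.
    return list(ipaddress.collapse_addresses(nets)) != [FULL_V4]

def uninspected_uturn_rules(rules, vpn_pool):
    """Ids of permit rules that send VPN-pool traffic back out the interface
    it arrived on with no upstream firewall or proxy inspecting it."""
    pool = ipaddress.ip_network(vpn_pool)
    hits = []
    for r in rules:
        hairpin = r["in_if"] == r["out_if"]
        from_pool = ipaddress.ip_network(r["src"]).overlaps(pool)
        if (r["action"] == "permit" and hairpin and from_pool
                and not r["upstream_inspection"]):
            hits.append(r["id"])
    return hits

def audit(policy, rules, vpn_pool):
    """Return finding strings; an empty list means the check passes."""
    findings = []
    if split_tunneling_enabled(policy):
        findings.append(f"client policy '{policy['name']}' permits split tunneling")
    for rid in uninspected_uturn_rules(rules, vpn_pool):
        findings.append(f"rule {rid} permits u-turn without upstream inspection")
    return findings

if __name__ == "__main__":
    for finding in audit(CLIENT_POLICY, FIREWALL_RULES, VPN_POOL):
        print("FINDING:", finding)
```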