UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IPSec VPN Gateway Security Technical Implementation Guide



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-30955 High IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.
V-15434 High The network element’s emergency account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-30966 High The VPN gateway must use AES for IPSec cryptographic encryption operations required to ensure privacy of the IPSec session.
V-30967 High The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.
V-3062 High The network element must be configured to ensure passwords are not viewable when displaying configuration information.
V-3143 High The network element must not have any default manufacturer passwords.
V-3210 High The network element must not use the default or well-known SNMP community strings public and private.
V-3012 High The network element must be password protected.
V-30941 High The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.
V-3056 High Group accounts must not be configured for use on the network device.
V-30950 High The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.
V-30939 High The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.
V-30964 High The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.
V-30952 High The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.
V-3196 High The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-3085 Medium The network element must have HTTP service for administrative access disabled.
V-3080 Medium The router must have configuration auto-loading disabled.
V-3081 Medium The router must have IP source routing disabled.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium The network element must authenticate all NTP messages received from NTP servers and peers.
V-3043 Medium The network element must use different SNMP community names or groups for various levels of read and write access.
V-14717 Medium The network element must not allow SSH Version 1 to be used for administrative access.
V-3014 Medium The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-30947 Medium The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-31285 Medium The network element must authenticate all BGP peers within the same or between autonomous systems (AS).
V-30956 Medium The VPN gateway must enable anti-replay for all IPSec security associations.
V-5613 Medium The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface.
V-30944 Medium The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.
V-30946 Medium The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.
V-3160 Medium The network element must be running a current and supported operating system with all IAVMs addressed.
V-3034 Medium The network element must authenticate all IGP peers.
V-15432 Medium The network element must use two or more authentication servers for the purpose of granting administrative access.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-30948 Medium The VPN gateway server must enforce a policy to the remote software client to check for the presence of a personal firewall before enabling access to the VPN.
V-30960 Medium The VPN gateway must specify Perfect Forward Secrecy during IKE negotiation.
V-30945 Medium The VPN gateway server must enforce a policy to the software client to disallow the remote client from being able to save the logon password locally on the remote PC.
V-14669 Medium The network element must have BSDr commands disabled.
V-30951 Medium The VPN gateway server must enforce a no split-tunneling policy to all remote clients.
V-5612 Medium The network element must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-3969 Medium The network device must only allow SNMP read-only access.
V-30943 Medium The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.
V-3966 Medium In the event the authentication server is down or unavailable, there must only be one local account created for emergency use.
V-3013 Medium The network element must display the DoD approved login banner warning in accordance with the CYBERCOM DTM-08-060 document.
V-3021 Medium The network element must only allow SNMP access from addresses belonging to the management network.
V-19188 Medium The router must have control plane protection enabled.
V-17821 Medium The network element’s OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network elements management interface must be configured with both an ingress and egress ACL.
V-5611 Medium The network element must only allow management connections for administrative access from hosts residing in the management network.
V-30954 Medium The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclaves perimeter defense mechanisms deployed for egress traffic.
V-30953 Medium The VPN gateway peer at a remote site must receive all ingress traffic and forward all egress traffic via the IPSec tunnel or other provisoned WAN links connected to the central or remote site.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-3967 Medium The network element must time out access to the console port after 10 minutes or less of inactivity.
V-5618 Medium The router must have gratuitous ARP disabled.
V-3086 Low The router must have Bootp service disabled.
V-14672 Low The router must use its loopback or OOB management interface address as the source address when originating TACACS+ or RADIUS traffic.
V-14675 Low The router must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
V-14676 Low The router must use its loopback or OOB management interface address as the source address when originating NetFlow traffic.
V-14677 Low The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
V-4584 Low The network element must log all messages except debugging and send all log data to a syslog server.
V-23747 Low The network element must use two or more NTP servers to synchronize time.
V-3078 Low The network element must have TCP & UDP small servers disabled.
V-3083 Low The router must have IP directed broadcast disabled on all layer 3 interfaces.
V-30965 Low The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.
V-30963 Low The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 2.
V-30961 Low The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.
V-14673 Low The router must use its loopback or OOB management interface address as the source address when originating syslog traffic.
V-3079 Low The network element must have the Finger service disabled.
V-14667 Low The network element must not be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days.
V-3072 Low The network element’s running configuration must be synchronized with the startup configuration after changes have been made and implemented.
V-17823 Low The network element’s management interface is not configured as passive for the IGP instance deployed in the managed network.
V-14674 Low The router must use its loopback or OOB management interface address as the source address when originating NTP traffic.
V-5614 Low The network element must have the PAD service disabled.
V-14681 Low The router must use its loopback interface address as the source address for all iBGP peering sessions.
V-30962 Low The VPN gateway must implement IPSec security associations that terminate within 8 hours or less.
V-30959 Low The VPN gateway must use a key size from Diffie-Hellman Group 2 or larger during IKE Phase 1.
V-30957 Low The VPN gateway must use IKE main mode for the purpose of negotiating an IPSec security association policy when pre-shared keys are used for authentication
V-5616 Low The network element must have identification support disabled.
V-5615 Low The network element must have TCP Keep-Alives enabled for TCP sessions.
V-7011 Low The network element’s auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3020 Low The network element must have DNS servers defined if it is configured as a client resolver.
V-3000 Low The network device must log all interface access control lists (ACL) deny statements.
V-3070 Low The network element must log all attempts to establish a management connection for administrative access.