IPSec VPN Gateway Security Technical Implementation Guide

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-4582 High The network device must require authentication for console access.
V-3175 High The network device must require authentication prior to establishing a management connection for administrative access.
V-30955 High IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.
V-15434 High The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
V-30966 High The VPN gateway must use AES for IPSec cryptographic encryption operations required to ensure privacy of the IPSec session.
V-30967 High The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.
V-3062 High Network devices must be configured to ensure passwords are not viewable when displaying configuration information.
V-3143 High Network devices must not have any default manufacturer passwords.
V-3210 High The network device must not use the default or well-known SNMP community strings public and private.
V-3012 High Network devices must be password protected.
V-30941 High The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.
V-3056 High Group accounts must not be configured for use on the network device.
V-30950 High The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.
V-30939 High The VPN gateway must use IKE for negotiating and establishing all IPSec security associations.
V-30964 High The VPN gateway must use ESP tunnel mode for establishing secured paths to transport traffic between the organization’s sites or between a gateway and remote end-stations.
V-30952 High The VPN gateway must use AES for IKE cryptographic encryption operations required to ensure privacy of the IKE session.
V-3196 High The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
V-3085 Medium Network devices must have HTTP service for administrative access disabled.
V-3080 Medium The Configuration auto-loading feature must be disabled when connected to an operational network.
V-3081 Medium IP source routing must be disabled.
V-3069 Medium Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
V-14671 Medium Network devices must authenticate all NTP messages received from NTP servers and peers.
V-3043 Medium The network device must use different SNMP community names or groups for various levels of read and write access.
V-14717 Medium The network device must not allow SSH Version 1 to be used for administrative access.
V-3014 Medium The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity.
V-30947 Medium The VPN gateway must not accept certificates that have been revoked when using PKI for authentication.
V-3057 Medium Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
V-31285 Medium Network devices must authenticate all BGP peers within the same or between autonomous systems (AS).
V-30956 Medium The VPN gateway must enable anti-replay for all IPSec security associations.
V-5613 Medium The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface.
V-30944 Medium The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.
V-30946 Medium The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.
V-3160 Medium Network devices must be running a current and supported operating system with all IAVMs addressed.
V-3034 Medium Network devices must authenticate all IGP peers.
V-15432 Medium Network devices must use two or more authentication servers for the purpose of granting administrative access.
V-5646 Medium The network device must drop half-open TCP connections through filtering thresholds or timeout periods.
V-30948 Medium The VPN gateway server must enforce a policy to the remote software client to check for the presence of a personal firewall before enabling access to the VPN.
V-30960 Medium The VPN gateway must specify Perfect Forward Secrecy during IKE negotiation.
V-30945 Medium The VPN gateway server must enforce a policy to the software client to disallow the remote client from being able to save the logon password locally on the remote PC.
V-14669 Medium Network devices must have BSDr commands disabled.
V-30951 Medium The VPN gateway server must enforce a no split-tunneling policy to all remote clients.
V-5612 Medium The network devices must be configured to timeout after 60 seconds or less for incomplete or broken SSH sessions.
V-3969 Medium Network devices must only allow SNMP read-only access.
V-30943 Medium The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.
V-3966 Medium In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
V-3013 Medium Network devices must display the DoD-approved logon banner warning.
V-3021 Medium Network devices must only allow SNMP access from addresses belonging to the management network.
V-19188 Medium The network device must have control plane protection enabled.
V-17821 Medium The network device's OOBM interface must be configured with an OOBM network address.
V-17822 Medium The network device's management interface must be configured with both an ingress and egress ACL.
V-5611 Medium The network devices must only allow management connections for administrative access from hosts residing in the management network.
V-30954 Medium The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclave's perimeter defense mechanisms deployed for egress traffic.
V-30953 Medium The VPN gateway peer at a remote site must receive all ingress traffic and forward all egress traffic via the IPSec tunnel or other provisioned WAN links connected to the central or remote site.
V-3058 Medium Unauthorized accounts must not be configured for access to the network device.
V-3967 Medium The network devices must time out access to the console port at 10 minutes or less of inactivity.
V-5618 Medium Gratuitous ARP must be disabled.
V-3086 Low BOOTP services must be disabled.
V-14672 Low The network device must use its loopback or OOB management interface address as the source address when originating authentication services traffic.
V-14675 Low The network device must use its loopback or OOB management interface address as the source address when originating SNMP traffic.
V-14676 Low The network device must use its loopback or OOB management interface address as the source address when originating IP Flow/NetFlow traffic.
V-14677 Low The network device must use its loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
V-4584 Low The network device must log all messages except debugging and send all log data to a syslog server.
V-23747 Low Network devices must use at least two NTP servers to synchronize time.
V-3078 Low Network devices must have TCP and UDP small servers disabled.
V-3083 Low IP directed broadcast must be disabled on all layer 3 interfaces.
V-30965 Low The VPN gateway must implement IKE Security Associations that terminate within 24 hours or less.
V-30963 Low The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 2.
V-30961 Low The VPN gateway must implement IPSec security associations that terminate after one hour or less of idle time.
V-14673 Low The network device must use its loopback or OOB management interface address as the source address when originating syslog traffic.
V-3079 Low Network devices must have the Finger service disabled.
V-14667 Low Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
V-3072 Low The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
V-17823 Low The management interface must be configured as passive for the IGP instance deployed in the managed network.
V-14674 Low The network device must use its loopback or OOB management interface address as the source address when originating NTP traffic.
V-5614 Low Network devices must have the PAD service disabled.
V-14681 Low The network device must use its loopback interface address as the source address for all iBGP peering sessions.
V-30962 Low The VPN gateway must implement IPSec security associations that terminate within 8 hours or less.
V-30959 Low The VPN gateway must use a key size from Diffie-Hellman Group 14 or larger during IKE Phase 1.
V-30957 Low The VPN gateway must use IKE main mode for the purpose of negotiating an IPSec security association policy when pre-shared keys are used for authentication.
V-5616 Low Network devices must have identification support disabled.
V-5615 Low Network devices must have TCP Keep-Alives enabled for TCP sessions.
V-7011 Low The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication.
V-3020 Low Network devices must have DNS servers defined if they are configured as client resolvers.
V-3000 Low The network device must log all interface access control lists (ACL) deny statements.
V-3070 Low Network devices must log all attempts to establish a management connection for administrative access.