The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30944	NET-VPN-040	SV-40986r1_rule	ECSC-1	Medium

Description
When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued a certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA’s identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so that trust in the user’s key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer’s certificate with the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer’s certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized.

Description

When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued a certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA’s identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so that trust in the user’s key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer’s certificate with the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer’s certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized.

STIG	Date
IPSec VPN Gateway Security Technical Implementation Guide	2018-03-08

Details

Check Text ( C-39605r2_chk )
Review the VPN gateway configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the gateway has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled and received a certificate from a trusted CA. A remote end-point’s certificate will always be validated by the gateway by verifying the signature of the CA on the certificate using the CA’s public key, which is contained in the gateways certificate it received at enrollment.

Check Text ( C-39605r2_chk )

Review the VPN gateway configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the gateway has enrolled with. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled and received a certificate from a trusted CA. A remote end-point’s certificate will always be validated by the gateway by verifying the signature of the CA on the certificate using the CA’s public key, which is contained in the gateways certificate it received at enrollment.

Fix Text (F-34753r2_fix)
Configure the VPN gateway to enroll with a DoD-approved Certificate Authority.