| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-30956 | NET-VPN-180 | SV-40998r1_rule | ECSC-1 | Medium |

| Description |
|---|
| A replay attack is a type of injection attack in which an attacker captures an IPSec packet and re-inserts it into the legitimate flow to disrupt service or create undesired behavior. The IPSec anti-replay service can mitigate a replay attack by maintaining a running sequence number at each end of the tunnel and incrementing it for each packet sent. If a received packet does not carry the expected sequence number, it is dropped. |

| STIG | Date |
|---|---|
| IPSec VPN Gateway Security Technical Implementation Guide | 2018-03-08 |

| Check Text (C-39616r1_chk) |
|---|
| Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine whether anti-replay is enabled. If anti-replay is not explicitly configured, determine whether the feature is enabled by default. |

| Fix Text (F-34766r2_fix) |
|---|
| Enable anti-replay on all IPSec security associations, either within IPSec profiles or as a global command. |
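
As an added illustration of the sequence-number mechanism the Description refers to, and of what the Check and Fix texts are asking for, the following Python model (written for this page; it is not part of the STIG or of any vendor's implementation) simulates the receiver side of one IPsec Security Association. It goes slightly beyond the strict "expected sequence number" wording: it implements the sliding anti-replay window standardized in RFC 4303 Appendix A, which accepts modestly reordered packets while still rejecting duplicates and packets that have fallen behind the window. The captured packet sequence, the 64-packet window size and the `enabled` switch are constructed assumptions; the `enabled=False` run shows why the Check text matters, because an SA with anti-replay off accepts every re-injected copy.

```python
from dataclasses import dataclass, field


@dataclass
class AntiReplayWindow:
    """Receiver-side anti-replay state for one IPsec Security Association.

    Constructed model of the sliding window in RFC 4303 (ESP), Appendix A.
    `highest_seq` is the largest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (highest_seq - i) has been seen.
    """
    window_size: int = 64       # 64 is a common vendor default (assumption here)
    enabled: bool = True        # False models an SA with anti-replay disabled
    highest_seq: int = 0
    bitmap: int = 0
    stats: dict = field(default_factory=lambda: {"accepted": 0, "replayed": 0, "stale": 0})

    def check(self, seq: int) -> str:
        """Classify an inbound ESP sequence number as accept / replayed / stale.

        A real receiver drops on 'replayed' or 'stale' before the integrity
        check and only advances the window after the packet's ICV verifies;
        this model assumes every ICV is valid (the ICV covers the sequence
        number, which is what stops an attacker from forging the counter).
        """
        if not self.enabled:
            self.stats["accepted"] += 1       # nothing is ever rejected
            return "accept"
        if seq == 0:                          # ESP sequence numbers start at 1
            self.stats["stale"] += 1
            return "stale"
        if seq > self.highest_seq:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.bitmap = 1               # everything older falls off the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            self.stats["accepted"] += 1
            return "accept"
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            self.stats["stale"] += 1          # too old to judge; dropped
            return "stale"
        if self.bitmap & (1 << diff):
            self.stats["replayed"] += 1       # already seen inside the window
            return "replayed"
        self.bitmap |= 1 << diff              # late but first-seen: accept it
        self.stats["accepted"] += 1
        return "accept"


def run_scenario(enabled: bool, window_size: int = 64) -> dict:
    """Feed a constructed capture through a receiver; return verdicts and counters."""
    # Constructed sequence: normal traffic, packet 5 arriving late after 6 and 7,
    # then an attacker re-injecting copies of packets 3 and 7, then traffic resumes.
    captured = [1, 2, 3, 4, 6, 7, 5, 3, 7, 8]
    receiver = AntiReplayWindow(window_size=window_size, enabled=enabled)
    verdicts = [(seq, receiver.check(seq)) for seq in captured]
    return {"verdicts": verdicts, "stats": dict(receiver.stats)}


if __name__ == "__main__":
    for state in (True, False):
        result = run_scenario(enabled=state)
        print(f"anti-replay {'enabled' if state else 'disabled'}: {result['stats']}")
        for seq, verdict in result["verdicts"]:
            print(f"  seq={seq:<3} {verdict}")
```

With anti-replay enabled the late packet 5 is still accepted (it lands inside the window and has not been seen), while the re-injected copies of 3 and 7 are classified as replayed and dropped; with anti-replay disabled all ten packets are accepted, which is the condition the Check text is meant to find. The window size is the one tunable a gateway exposes: too small and legitimate reordering shows up as "stale" drops, which is the usual operational reason anti-replay gets switched off instead of tuned.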