The VPN gateway must authenticate the remote server, peer, or client prior to establishing an IPSec session.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-30941 | NET-VPN-020 | SV-40983r1_rule | ECSC-1 | High |
| Description |
|---|
| Both IPSec endpoints must authenticate each other to ensure the identity of each by additional means besides an IP address which can easily be spoofed. The objective of IPSec is to establish a secured tunnel with privacy between the two endpoints traversing an IP backbone network. In the case of teleworkers accessing the enclave using a laptop configured with an IPSec software client, the secured path will also traverse the Internet. The secured path will grant the remote site or client access to resources within the private network; thereby establishing a level of trust. Hence, it is imperative that some form of authentication is used prior to establishing an IPSec session for transporting data to and from the enclave from a remote site. |
| STIG | Date |
|---|---|
| IPSec VPN Gateway Security Technical Implementation Guide | 2018-11-27 |
Details
| Check Text ( C-39601r1_chk ) |
|---|
| Review the VPN gateway configuration to determine if either username/password or certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation. |
| Fix Text (F-34751r1_fix) |
|---|
| Configure the VPN gateway to authenticate the remote end-point prior to establishing an IPSec session. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association. |