The VPN gateway must ensure traffic from a remote client with an outbound destination does not bypass the enclaves perimeter defense mechanisms deployed for egress traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30954	NET-VPN-200	SV-40996r1_rule	ECSC-1	Medium

Description
Packets from a remote client destined outbound must be inspected and proxied the same as any other traffic that will egress the enclave. Otherwise, there is the risk that the return traffic that will ingress the IPSec tunnel could compromise the remote client and possibly the remote LAN. This scenario can exist with a VPN-on-a-stick implementation that allows traffic to u-turn—that is, traffic from the remote site that traverses the IPSec tunnel is immediately forwarded out the same interface towards the NIPRNet and Internet with no upstream firewall. If a remote LAN is breached, the entire enclave could be exposed via the secured tunnel or any other provisioned link between the compromised remote LAN and other remote sites and the central site. Hence, it is imperative that traffic from the remote site that is destined outbound does not bypass the applicable inspection and proxy services deployed for the enclave’s perimeter defense.

Description

Packets from a remote client destined outbound must be inspected and proxied the same as any other traffic that will egress the enclave. Otherwise, there is the risk that the return traffic that will ingress the IPSec tunnel could compromise the remote client and possibly the remote LAN. This scenario can exist with a VPN-on-a-stick implementation that allows traffic to u-turn—that is, traffic from the remote site that traverses the IPSec tunnel is immediately forwarded out the same interface towards the NIPRNet and Internet with no upstream firewall. If a remote LAN is breached, the entire enclave could be exposed via the secured tunnel or any other provisioned link between the compromised remote LAN and other remote sites and the central site. Hence, it is imperative that traffic from the remote site that is destined outbound does not bypass the applicable inspection and proxy services deployed for the enclave’s perimeter defense.

STIG	Date
IPSec VPN Gateway Security Technical Implementation Guide	2018-11-27

Details

Check Text ( C-39614r3_chk )
Deploying the VPN gateway within a DMZ or service network will eliminate any risks associated with u-turn traffic. The traffic exiting the IPSec tunnel leaving the DMZ destined to either the private network or the NIPRNet/Internet will have to pass through the DMZ firewall and therefore, be subject to the applicable policy. If the VPN gateway is a firewall, which could be either on or outside the DMZ, review the configuration and verify it is not allowing traffic received from the IPSec tunnel to u-turn back out towards the NIPRNet/Internet. To allow traffic to u-turn, the firewall would have to be configured to NAT for the pool of remote client addresses on the outside interface (PAT the same global address), as well as a configuration statement to allow traffic to egress out the same interface in which the IPSec tunnel terminates—most implementations do not allow this by default. If the firewall is configured to allow a u-turn, then there must be another firewall upstream to inspect this outbound traffic or the traffic must be forwarded (policy based routed) towards the firewall or applicable proxy to perform the stateful inspection.

Check Text ( C-39614r3_chk )

Deploying the VPN gateway within a DMZ or service network will eliminate any risks associated with u-turn traffic. The traffic exiting the IPSec tunnel leaving the DMZ destined to either the private network or the NIPRNet/Internet will have to pass through the DMZ firewall and therefore, be subject to the applicable policy.

If the VPN gateway is a firewall, which could be either on or outside the DMZ, review the configuration and verify it is not allowing traffic received from the IPSec tunnel to u-turn back out towards the NIPRNet/Internet. To allow traffic to u-turn, the firewall would have to be configured to NAT for the pool of remote client addresses on the outside interface (PAT the same global address), as well as a configuration statement to allow traffic to egress out the same interface in which the IPSec tunnel terminates—most implementations do not allow this by default. If the firewall is configured to allow a u-turn, then there must be another firewall upstream to inspect this outbound traffic or the traffic must be forwarded (policy based routed) towards the firewall or applicable proxy to perform the stateful inspection.

Fix Text (F-34764r2_fix)
Deploy the VPN gateway within a DMZ or configure the device to not permit u-turn traffic. If it must allow u-turn traffic, then deploy a firewall upstream to inspect the outbound traffic.