The ICS must be configured to use TLS 1.2, at a minimum.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258586	IVCS-VN-000060	SV-258586r930446_rule		High

Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. NIST SP 800-52 Rev2 provides guidance for client negotiation on either DOD-only or public-facing servers. Satisfies: SRG-NET-000062-VPN-000200, SRG-NET-000371-VPN-001650, SRG-NET-000530-VPN-002340, SRG-NET-000540-VPN-002350

Description

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. NIST SP 800-52 Rev2 provides guidance for client negotiation on either DOD-only or public-facing servers. Satisfies: SRG-NET-000062-VPN-000200, SRG-NET-000371-VPN-001650, SRG-NET-000530-VPN-002340, SRG-NET-000540-VPN-002350

STIG	Date
Ivanti Connect Secure VPN Security Technical Implementation Guide	2023-10-17

Details

Check Text ( C-62326r930444_chk )
Determine if the ICS uses TLS 1.2 to protect remote access transmissions. In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options. 1. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked. 2. Navigate to System >> Configuration >> Outbound SSL Options. 3. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked. If the ICS does not use TLS 1.2, at a minimum, this is a finding.

Check Text ( C-62326r930444_chk )

Determine if the ICS uses TLS 1.2 to protect remote access transmissions.

In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
1. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked.
2. Navigate to System >> Configuration >> Outbound SSL Options.
3. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked.

If the ICS does not use TLS 1.2, at a minimum, this is a finding.

Fix Text (F-62235r930445_fix)
Configure the ICS to uses TLS 1.2 to protect remote access transmissions. In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options. 1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)". 2. Click "Save Changes". 3. Click "Proceed" for acceptance of Cipher Change. Navigate to System >> Configuration >> Outbound SSL Options. 1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)". 2. Click "Save Changes". 3. Click "Proceed" for acceptance of Cipher Change.

Fix Text (F-62235r930445_fix)

Configure the ICS to uses TLS 1.2 to protect remote access transmissions.

In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)".
2. Click "Save Changes".
3. Click "Proceed" for acceptance of Cipher Change.

Navigate to System >> Configuration >> Outbound SSL Options.
1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)".
2. Click "Save Changes".
3. Click "Proceed" for acceptance of Cipher Change.