
The mobile operating system must authenticate devices before establishing remote network (e.g., VPN) connections using bidirectional cryptographically based authentication between devices.


Overview

Finding ID: V-33094
Version: SRG-OS-000116-MOS-000071
Rule ID: SV-43492r2_rule
IA Controls:
Severity: Medium
Description
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional cryptographically based authentication method mitigates this risk.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41353r2_chk)
Identify the network interfaces over which authentication may occur. For each of these, review the system documentation and operating system configuration to determine if the device authenticates devices prior to establishing a network connection.

Note: This requirement also applies to a private VPN connection from the carrier's network to the DoD network that is designed to route all mobile device traffic directly to the DoD network.

If the operating system does not perform this authentication, this is a finding.
Fix Text (F-36994r1_fix)
Configure the operating system to authenticate devices before establishing remote connections.