
The network device must route all remote access traffic through managed access control points.


Overview

Finding ID: SRG-NET-000064-NDM-000044
Version: SRG-NET-000064-NDM-000044
Rule ID: SRG-NET-000064-NDM-000044_rule
IA Controls:
Severity: Medium
Description
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Virtual private networks (VPNs), when adequately provisioned with appropriate security controls, are considered internal networks rather than a remote access method.

The remote access server must forward traffic destined to the private network to the network device interface that inspects all private network ingress traffic. For traffic to u-turn (enter and leave through the same interface), the network device would have to be configured to NAT the pool of remote client addresses to the outside interface (the same global address), and it would also need a configuration statement permitting traffic to egress out the same interface on which the remote session terminates; most implementations do not allow this by default.

If the network device is configured to allow a u-turn, then either another network device upstream must inspect this outbound traffic, or the traffic must be forwarded (policy-based routed) towards the network device or applicable proxy that performs the stateful inspection.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000064-NDM-000044_chk)
Verify traffic from a remote client with an outbound destination does not bypass the enclave's perimeter defense mechanisms deployed for egress traffic.
Review the configuration and verify it is not allowing traffic received from the remote access server to u-turn back out towards the NIPRNet/Internet.

If the network device is not configured to route all remote access traffic through managed access control points, this is a finding.
Fix Text (F-SRG-NET-000064-NDM-000044_fix)
Deploy the network device functioning as a VPN gateway within a DMZ or configure the device to not permit u-turn traffic.
If it must allow u-turn traffic, then deploy a network device upstream to inspect the outbound traffic.
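The check above asks the reviewer to read the configuration for the two prerequisites of a u-turn named in the description: a statement permitting traffic to egress the interface it arrived on, and NAT of the remote-client pool onto that same interface. The script below is an added example (not part of the STIG) that automates that review over constructed sample configurations in Cisco ASA-style syntax; the vendor syntax is an assumption, since the SRG names none.

```python
import re

# Constructed sample configs in Cisco ASA-style syntax (assumption: the SRG
# names no vendor). On the ASA, `same-security-traffic permit intra-interface`
# lets a packet leave through the interface it arrived on, and a NAT rule whose
# real and mapped interfaces are identical, e.g. `nat (outside,outside) ...`,
# translates the remote-client pool to the outside address. Both together are
# what the description calls a u-turn.
UTURN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic VPN_POOL interface
"""

FIXED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source dynamic VPN_POOL interface
"""

INTRA_RE = re.compile(r"^same-security-traffic\s+permit\s+intra-interface$")
SAME_IFC_NAT_RE = re.compile(r"^nat\s+\((\w+),\1\)")  # (X,X): real == mapped interface


def audit_uturn(config: str) -> dict:
    """Report whether the configuration lets remote-client traffic u-turn."""
    intra = False
    same_ifc_nat = []
    for raw in config.splitlines():
        line = raw.strip()
        if INTRA_RE.match(line):
            intra = True
        m = SAME_IFC_NAT_RE.match(line)
        if m:
            same_ifc_nat.append(m.group(1))
    return {
        "intra_interface_permit": intra,
        "same_interface_nat": same_ifc_nat,
        # A permitted u-turn is only acceptable with an upstream inspection
        # device; the config alone cannot prove one exists, so flag it.
        "finding": intra and bool(same_ifc_nat),
    }


if __name__ == "__main__":
    for name, cfg in (("u-turn config", UTURN_CONFIG), ("fixed config", FIXED_CONFIG)):
        r = audit_uturn(cfg)
        print(f"{name}: finding={r['finding']} nat_on={r['same_interface_nat']}")
```

A flagged result still needs the reviewer to confirm from the topology whether an upstream device inspects the outbound traffic, as the fix text permits.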