Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18846 | SRC-NAC-180 | SV-20599r1_rule | ECSC-1 | Low |
Description |
---|
A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security policy. When this technology is used, policy compliance and remediation are performed before the device is allowed onto the trusted network. If the device does not pass the security policy compliance inspection, then it may contain malicious code which may endanger the network. After the device has been authenticated, it can be logically moved into a new VLAN and given access to the trusted network depending on user authorization. NOTE: This policy does not mandate automated remediation. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2015-09-16 |
Check Text (C-22603r1_chk) |
---|
Verify that the remediation server is configured as follows: – Will be separated from the policy assessment server on a separate subnet; – Will be separated from the internal protected enclave by a separate subnet; – The subnet configuration will comply with the requirement of the Network Infrastructure STIG; – Will incorporate and leverage use of DoD remediation tools when available; and – Will comply with the requirements of the applicable operating system STIG. |
Fix Text (F-19521r1_fix) |
---|
Ensure the remediation server is configured as required, at a minimum. |