Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19834 | SRC-RAP-050 | SV-21997r1_rule | ECSC-1 | High |
Description |
---|
If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2015-09-16 |
Check Text ( C-22223r1_chk ) |
---|
View the configuration of the RAS and/or remote VPN gateway. Verify that a AAA (authentication) server is required for privileged access to the remote access device by reviewing the authentication screen. Verify that the configuration requires the following: 1. Multi-factor authentication (e.g., PKI, SecurID, or DoD Alternate Token) using a AAA server; 2. Identification and personal authentication using individually assigned accounts rather than group or shared accounts or authenticators; and 3. Encryption using FIPS 140-2 compliant algorithms and encryption modules (e.g., AES). Also verify that a network review has been performed using the Network Infrastructure STIG and that the architecture complies with the in-band and out-of-band requirements of the appropriate Network Infrastructure STIG. |
Fix Text (F-20517r1_fix) |
---|
The remote access administrator will configure the remote access or VPN server to use a TACACS+, RADIUS, or Diameter server for administrative access. |