Remote Access Policy STIG
DISA, STIG.DOD.MIL
Status: accepted
Release: 11  Benchmark Date: 22 Apr 2016
Version: 2

Profiles:
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>

Group: MOA for unmanaged remote endpoints<GroupDescription></GroupDescription>
Rule ID: SRC-EPT-015
Rule Title: Sites allowing contractors, non-DoD entities, or other DoD organizations to remotely connect to the enclave will establish written Memoranda of Agreement (MOAs) with the contractor or other organization.
<VulnDiscussion>To provide the maximum level of security for both the DoD network and the remote corporate enterprise, an MOA is needed that allows administrative oversight and confiscation of compromised equipment.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Define written agreements for contractors, partners, and other remote users to begin maintaining administrative oversight and control privileges.
Check Content: Ensure the site maintains administrative oversight and control privileges of the computers.
NOTE: The MOA will contain an agreement that allows the site to maintain administrative oversight and control privileges of the remote endpoint.
Group: Vendor-supported OS version and updates<GroupDescription></GroupDescription>
Rule ID: SRC-RAP-080
Rule Title: Ensure the use of a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communications server software.
<VulnDiscussion>Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities. The system administrator must monitor IAVM, OS, or OEM patch or vulnerability notices for the remote access, VPN, or communications appliance(s). Patches, upgrades, and configuration changes should be tested to the greatest extent possible prior to installation. The vendor may be consulted to determine if the specific device is vulnerable. If the vendor does not recommend installing a patch or upgrade, and has stated that the device is not vulnerable, the administrator will retain this documentation.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: When the system administrator is notified of an update to a previously installed version of the remote access device, the new version will be tested and installed as soon as the mission permits. However, previous versions with security vulnerabilities must be documented in a Plan of Action and Milestones (POAM).
Check Content: Verify remote access gateway release and maintenance level. Research the vendor's vulnerability list and current version/revision. This can be obtained on the vendor's support page of their website.

Group: Unnecessary services, ports, and protocols<GroupDescription></GroupDescription>
Rule ID: SRC-RAP-090
Rule Title: Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users.
<VulnDiscussion>When services, ports, and protocols are enabled by default or are not regularly used, SAs can neglect to secure or update them. These services can then become a path for exploitation, since their vulnerabilities are often well known to attackers.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: The IAO will ensure unused management interfaces, ports, protocols and services are removed or disabled on devices providing remote access services to remote users.
Check Content: Have the SA display the services running on the remote access device or underlying OS.
CAVEAT: Anti-virus software running on the OS would be an exception to the above requirement. In fact, it is recommended that anti-virus software be implemented on any gateway, if supported. However, there is currently no specific configuration guidance.

Group: Centralized remote access security policy<GroupDescription></GroupDescription>
Rule ID: SRC-RAP-070
Rule Title: Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access.
<VulnDiscussion>A centralized policy manager provides a consistent security policy, particularly in environments with multiple remote access devices such as multiple VPNs or RAS devices. This is a best practice for centralized management in networks with multiple remote access gateways or products. Use a single remote access policy server or configure a centralized access server which serves this purpose.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><Responsibility>Network Security Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Implement a centralized remote access policy for configuring and controlling access for remote users.
Check Content: Review the configuration of the remote access device (RAS/VPN). Verify the remote access policy is the primary means for configuring access control for user access. The centralized remote access policy should apply to all remote access devices so that there is a consistent security policy. Remote access portals and network extension are also handled in this access control policy.
NOTE: Portal configuration and network extension configuration are handled in the access control policy.

Group: Device separation based on levels of trust<GroupDescription></GroupDescription>
Rule ID: SRC-RAP-060
Rule Title: The remote access policy will provide separation of traffic based on sensitivity and user trust levels.
<VulnDiscussion>Device authentication must be performed at the perimeter or on a subnet separated from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user authentication does not mitigate the risk from an improperly configured client device. Devices must be tested for policy compliance and assigned a trust level based on the results of a thorough integrity check. This approach checks that devices connecting to the network are authenticated and compliant with network policy prior to allowing access to network resources.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Separate the users by conditions and assign resources based on required minimum security conditions.
Check Content: Have the site representative display the evidence of compliance. This feature must be implemented using a central access policy such as in a gateway or access control appliance.
- Government-owned and managed endpoints;
- Personally-owned but managed endpoints;
- Unmanaged endpoints such as public kiosks or personal computers, which should be limited to Web-based applications;
- Privileged or Administrative access;
- Endpoints compliant with DoD required security configurations such as firewalls, antivirus, etc.;
- Endpoints not compliant with DoD required security configurations such as firewalls, antivirus software, etc.
Group: Unmanaged device authentication<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-010
Rule Title: If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access.
<VulnDiscussion>In this STIG, a managed device is defined as a device that has installed software (i.e., an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device does not have a pre-installed agent which has been obtained from and configured by an approved DoD source. A device is also considered unmanaged if the authorized agent is not operating properly and cannot communicate with the server.
Devices that are both non-GFE and unmanaged cannot be used. To be authenticated to the network, the authentication information must be pre-configured by the site's system administrator, and the device and the user must be authorized by the DAA for access to the system.
Trusted computing environments require a process for ensuring that users and devices are authenticated and authorized. In certain environments such as a development network, unmanaged devices may be justified by government policy or the mission. Automated policy assessment may be implemented in various ways to increase trust and manage the risk posed by these guest devices.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure the policy assessment device is configured to authenticate the endpoint devices before allowing access onto the trusted network.
Check Content: Verify that the device filter setting of the network authentication appliance is configured to force endpoint devices on the untrusted subnetwork to authenticate when attempting to access the network.
In an environment where unmanaged devices are allowed remote access, devices on the untrusted side will not be set to bypass authentication.
Filter lists may be set to use MAC, IP, or subnet address, and should automatically assign user roles to devices. Filters will not be configured to allow devices to bypass authentication or posture assessment.

Group: Device authentication<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-020
Rule Title: Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or EAP tunneled within PPP.
<VulnDiscussion>Trusted computing should require authentication and authorization of both the user's identity and the identity of the computing device. It is possible that an authorized user may be accessing the network remotely from a computer that does not meet DoD standards. This may compromise user information, particularly before or after a VPN tunnel is established.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: The IAO will ensure that the endpoints attempting remote access are valid before proceeding with security assessment or remediation activities.
Check Content: Verify that access filters are set to perform device authentication before policy assessment is performed.
Verify that an approved method for device authentication is used (i.e., 802.1x or EAP tunneled within PPP for dial-up).

Group: Remediation notification to endpoint<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-030
Rule Title: When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.
<VulnDiscussion>Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is completed. Premature disconnections may increase network demand and frustrate the user.
NOTE: This policy does not require remediation but will apply if remediation services are used.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.
Check Content: This setting may be sent from the assessment server, a central server, or from the remediation server. Verify that the user is notified and accepts (e.g., using an accept button) that remediation is needed and is about to begin.
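As an added illustration of the SRC-NAC-010 check above (this is example code written for this page, not part of the STIG and not any vendor's tooling): a small auditor that reads a NAC device-filter list and reports every entry that would let an endpoint bypass authentication or skip posture assessment. The filter-list syntax (one entry per line: a MAC, IP or subnet match, a role, and comma-separated flags) and the sample entries are constructed for this example.

```python
"""Audit a NAC device-filter list for authentication / posture bypasses.

Added example for the SRC-NAC-010 check; the line format and the flag names
(auth, posture, bypass-auth, bypass-posture) are assumptions for this example,
not the configuration syntax of any real NAC product.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample filter list. Matches may be a MAC, a single IP, or a
# subnet, as SRC-NAC-010 allows; each entry assigns a role and the controls
# that are applied to devices matching it.
SAMPLE_FILTERS = """\
# match             role          flags
00:1a:2b:3c:4d:5e   gfe-managed   auth,posture
10.20.30.0/24       contractor    auth,posture
10.20.40.7          printer       bypass-auth
aa:bb:cc:dd:ee:01   kiosk         auth,bypass-posture
192.168.1.0/24      guest         auth
"""


def parse_match(token):
    """Classify a match token as ('mac' | 'ip' | 'subnet', normalized value).

    Raises ValueError for a token that is neither a MAC nor an IP/subnet.
    """
    if MAC_RE.match(token.lower()):
        return "mac", token.lower()
    net = ipaddress.ip_network(token, strict=False)  # ValueError if malformed
    return ("subnet" if net.num_addresses > 1 else "ip"), str(net)


def audit_filters(text):
    """Return a list of (line_number, message) for every entry that lets a
    device bypass authentication or that is not subject to posture assessment,
    plus any entry the auditor could not parse (which a reviewer must inspect
    by hand rather than silently skip)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            findings.append((lineno, "malformed entry: " + raw.strip()))
            continue
        match, role, flags = parts
        try:
            kind, value = parse_match(match)
        except ValueError:
            findings.append((lineno, "unparseable match field: " + match))
            continue
        flagset = set(flags.split(","))
        where = f"{kind} {value} (role {role})"
        if "bypass-auth" in flagset:
            findings.append((lineno, where + " bypasses authentication"))
        if "bypass-posture" in flagset or "posture" not in flagset:
            findings.append((lineno, where + " is not subject to posture assessment"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_filters(SAMPLE_FILTERS):
        print(f"line {lineno}: {msg}")
```

Run against the constructed sample, the auditor flags the printer entry twice (it bypasses authentication and, having no posture flag, is never assessed), the kiosk entry for skipping posture assessment, and the guest subnet for authenticating without assessment; the two entries that apply both controls produce nothing.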
Group: Flag devices for future remediation<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-050
Rule Title: Ensure devices failing policy assessment that are not automatically remediated, either before or during the remote access session, will be flagged for future manual or automated remediation.
<VulnDiscussion>Devices not compliant with DoD secure configuration policies will not be permitted to use DoD licensed software.
The device status will be updated on the network and in the HBSS agent. A reminder will be sent to the user and the SA periodically, or at a minimum each time a policy assessment is performed.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Manager</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Configure the remote access policy server or other enforcement device. Ensure endpoints that fail the NAC policy assessment and are not automatically remediated are flagged for manual or automated remediation.
Check Content: Verify compliance by viewing the remote access policy server.
Verify the remediation status for these machines and also that the HBSS agent on the client is updated.
Verify that a reminder is sent to the user and the SA periodically, or at a minimum each time a policy assessment is performed.

Group: Procedure for blacklist and termination<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-070
Rule Title: During security policy assessment, a procedure will exist such that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated.
<VulnDiscussion>Automated and manual procedures for remediation of critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that during security policy assessment a procedure exists such that, when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated.
Check Content: Verify existence of a procedure for blacklisting and terminating when critical security issues are found during a security policy assessment.

Group: DMZ device communications<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-060
Rule Title: Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify themselves.
<VulnDiscussion>Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts would be suspect traffic.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that the policy assessment appliance or service is not allowed to communicate with unrelated hosts in the DMZ.
Check Content: Verify that the policy assessment device is not allowed to communicate with other hosts in the DMZ that do not perform security policy assessment or remediation services.

Group: Policy assessment - required security checks<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-080
Rule Title: If a policy assessment server or service is used as part of an automated access control decision point (for authentication and authorization of unmanaged remote endpoints to the network), the remote access solution must include the minimum required policy assessment checks for unmanaged devices prior to allowing remote access to the network.
<VulnDiscussion>Automated policy assessment must validate the organization's minimum security requirements so entry control decisions do not put the organization at risk because of a compromised remote device. Outdated or disabled security functions on remote endpoints present an immediate threat to the trusted network if allowed entry based solely on the user's access and authorization, particularly if the user has elevated access or management access to data and systems. The goal of this policy is centralized policy assessment for remote access devices.
Each of the checks required in this policy serves to mitigate known risks to the trusted network using the endpoint as an attack vector; thus all must be configured to meet this requirement.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Configure the assessment policy for the NAC device to scan remote endpoints prior to connection to an organization's network. The following are a minimum set of required checks:
- Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date
- Check host-based firewall is installed, enabled, and up-to-date
- Check Host-based IDS (HIDS) is installed, enabled, and up-to-date
- Check operating system is at minimum required version and update level
- Check for the presence of file-sharing and peer-to-peer applications
- Scan for known and unknown (zero-day) virus outbreaks
Check Content: Review the assessment policies configured on the NAC device to ensure the required checks are included. The required checks are listed below:
- Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date
- Check host-based firewall is installed, enabled, and up-to-date
- Check Host-based IDS (HIDS) is installed, enabled, and up-to-date
- Check operating system is at minimum required version and update level
- Check for the presence of file-sharing and peer-to-peer applications
- Scan for known and unknown (zero-day) virus outbreaks
If the remote access policy assessment solution does not include all of the minimum required checks above, this is a finding.

Group: Assessment of unmanaged devices<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-090
Rule Title: Ensure that for unmanaged client endpoints, the system automatically scans the device once it has connected to the physical network but before giving access to the trusted internal LAN.
<VulnDiscussion>Unmanaged devices that are not controlled or configured by DoD should not be used on the network. Contractor and partner equipment must also comply with DoD endpoint configuration requirements and be kept updated. Automated assessment will allow these devices to be used safely while minimizing risk to the Enclave.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that for endpoints that are not inspected and controlled by the site, the access control system/solution performs automated assessment.
Check Content: Verify compliance by checking the filter and configuration of the access control service/solution.
Note: For unmanaged devices, only devices that have passed the scan will be admitted for full access. Remediation may not be possible, since this often requires administrative access and the user should not have this access on his client PC. However, the device must be manually remediated by the owning entity and then re-assessed prior to allowing access.

Group: NIAP compliance of the automated access control<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-100
Rule Title: The automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements.
<VulnDiscussion>DOD requires that products used for IA be NIAP compliant.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Use automated entry control components (e.g., NAC appliance, policy server) that are NIAP compliant.
Check Content: Verify compliance by asking the site personnel to provide documentation.

Group: Encrypted communications with policy agent<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-130
Rule Title: Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP).
<VulnDiscussion>Communications between the remote client and the system which makes the decision to allow or terminate access to the network are privileged traffic. Privileged communication should be separated and/or encrypted.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that the communication between the endpoint agent and the policy enforcement device is encrypted.
Check Content: Verify compliance by checking the configuration of the policy assessment server or other component which communicates with the HBSS client on the endpoint devices. Verify that communications are set for encrypted access.

Group: Agent integrity check<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-140
Rule Title: The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised.
<VulnDiscussion>Remote access devices are often lost or stolen. They represent a threat to the enclave if the agent is compromised, as this is the data collection entity in the policy assessment solution. An integrity check allows for detection in case the agent is compromised.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure that a method of integrity checking (e.g., a file or other check) is in place. Ensure that the installed endpoint agent/enforcement system has an integrity checking mechanism.
Check Content: Check compliance by interviewing the site representative. Ask if the enforcement system has an integrity checking mechanism.
Do not document details of the procedure used.

Group: Unmanaged agents pre-configured<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-150
Rule Title: Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers.
<VulnDiscussion>Unmanaged clients such as partner or contractor-owned devices should not contain restricted government information.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure unmanaged endpoints, when allowed, are not preconfigured with agents containing sensitive network access information such as IP address ranges.
Check Content: Interview the site personnel. If unmanaged endpoints are permitted access, ask if the agent is preconfigured with IP address ranges and other government information.

Group: Policy server user authentication service<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-160
Rule Title: The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication.
<VulnDiscussion>The remote user policy assessment/enforcement device will be installed on a separate host from the authentication server. This device interacts directly with public networks and devices and should not contain user authentication information for all users.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure the authentication configuration of the policy assessment/enforcement device is configured to use a separate authentication server to perform user authentication.
Check Content: Review the authentication configuration of the policy assessment/enforcement device. Verify that it is configured to use a separate authentication server to perform user authentication.

Group: Remediation server - traffic separation<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-180
Rule Title: Where automated remediation is used for remote access clients, traffic separation will be implemented, and authorized and unauthorized network traffic will use separate security domains (e.g., Virtual Local Area Networks (VLANs)).
<VulnDiscussion>A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security policy. When this technology is used, policy compliance and remediation are performed before the device is allowed onto the trusted network. If the device does not pass the security policy compliance inspection, then it may contain malicious code which may endanger the network. After the device has been authenticated, it can be logically moved into a new VLAN and given access to the trusted network depending on user authorization.
NOTE: This policy does not mandate automated remediation.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl>
<Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
Reference: DPMS Target Remote Access Policy (DISA, DPMS Target, Remote Access Policy, 1658)
Fix Text: Ensure the remediation server is configured as required, at a minimum.
Check Content: Verify that the remediation server is configured as follows:
– Will be separated from the policy assessment server on a separate subnet;
– Will be separated from the internal protected enclave by a separate subnet;
– The subnet configuration will comply with the requirements of the Network Infrastructure STIG;
– Will incorporate and leverage use of DoD remediation tools when available; and
– Will comply with the requirements of the applicable operating system STIG.

Group: Approved action configuration<GroupDescription></GroupDescription>
Rule ID: SRC-NAC-190
Rule Title: If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy.
<VulnDiscussion>If a device fails the site's approved security policy assessment test, then it may contain compromised data. A VLAN keeps trusted and untrusted traffic separated while the failing device is either redirected for remediation or the communication is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure filters for the policy assessment device are set to take one of the approved action choices upon failure.Review the configuration of the device. Verify filters for the policy assessment device are set to take one of the approved action choices upon failure.
The site is compliant if one of the following actions is performed in accordance with site policy.
– Terminate the connection and place the device on a “blacklist” to prevent future connection attempts until action is taken to remove the device from the blacklist;
– Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server;
– Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the DAA);
– Allow the device and user full entry into the protected enclave but flag it for future remediation. With this option an automated reminder should be used to inform the user of the remediation status.
Bypass procedure<GroupDescription></GroupDescription>SRC-NAC-200The DAA will approve all remote access connections that bypass the policy enforcement/assessment solution.<VulnDiscussion>Remote access connections that bypass established security controls should be used only in cases of administrative need. These procedures and use cases must be approved by the DAA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Document approval by the DAA for all access control bypass procedures.Verify that the bypass procedure has been DAA approved by checking the documentation.Endpoints failing authentication<GroupDescription></GroupDescription>SRC-NAC-210For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied. <VulnDiscussion>Devices that fail authentication are not permitted on the network. 
These devices may contain malware or content which is harmful to the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Where unmanaged devices are not allowed access, the IAO will ensure that for remote endpoints that fail device authentication, the remote access request will be terminated.Verify by examining the configuration of the policy assessment or enforcement server (e.g., NAC appliance). Examine whether the actions taken when the endpoint fails authentication comply with the requirement.Access to network from remediation LAN<GroupDescription></GroupDescription>SRC-NAC-220Endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.<VulnDiscussion>This type of access could permit an unauthorized endpoint onto the network. 
Depending on the critical nature of the authorization failure (e.g., virus detected) this type of access could place the enclave at risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure that endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.Verify compliance by interviewing the NSO. The configuration of the policy enforcement device should also be examined. There are several ways to achieve compliance. In each case, the endpoint should not receive an IP address that can be used on the trusted side of the network. A DMZ, VLAN, or direct host-host communications may be used.Reassessing unmanaged devices<GroupDescription></GroupDescription>SRC-NAC-230After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance. <VulnDiscussion>After initial remediation, unmanaged devices should be tested again prior to authorization and admittance. 
This will mitigate the risk that the remediation did not completely eliminate the cause of the initial assessment failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure that unmanaged devices are set to be reassessed once remediation actions are completed.
Verify the configuration of the enforcement server/solution. Check to see if unmanaged devices are set to be reassessed once remediation actions are completed.Endpoint devices for remote privileged access<GroupDescription></GroupDescription>SRC-EPT-010Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies.<VulnDiscussion>If endpoint devices used to access restricted networks and systems are not compliant with security policies and able to pass policy assessment, then privileged information and systems may be at immediate risk. Devices are categorized as government owned (GFE), contractor owned, or personally owned.
A personally-owned device is not managed, owned, or leased by the government. Personally owned devices do not meet DoD security standards for privileged access. This type of access from an untrusted device puts the network at immediate risk, since these devices may not have met confidentiality and integrity requirements. These devices may be managed devices. However, even when subjected to policy assessment, personally owned devices are not allowed for processing classified information or for remote access to privileged data or functions. The intention is to allow approved and limited usage (e.g., for email). However, note that a policy assessment solution must be in place for all unmanaged devices to enter trusted zones.
Contractor owned endpoints are provided in compliance with a government contract to perform management services. These endpoints must be STIG compliant using the OS STIG and other applicable STIGs and must follow DoD requirements for remaining compliant. The configuration and connection method for privileged access must also comply with government confidentiality and integrity requirements. Thus, the configuration of devices must be approved by the government as STIG compliant and kept up to date. Remote access for these devices must meet network access control and automated policy assessment requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Train individuals authorized to perform configuration, management, and other privileged tasks using remote access to use only government-owned or authorized devices. Establish a STIG compliance process. For contractor owned endpoints, obtain approval/authorization for configuration, access method, and compliance process from government representative. Configure systems for policy assessment (e.g., NAC) upon access if contractor devices are used.Interview the network administrator or site representatives.
Verify if system administrators are informed of the requirement to use only authorized endpoint devices when remotely accessing DoD networks and systems for configuration, management, or restricted access.
Verify there is a configuration management process that ensures STIG compliance. For contractor owned equipment, verify systems used are documented and approved by a government representative.SRC-EPT-040 User agreement <GroupDescription></GroupDescription>SRC-EPT-040Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training. <VulnDiscussion>Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Develop documentation as required.Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows:
- The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless access, mobile access).
- The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device.
- Incident handling and reporting procedures are identified along with a designated point of contact.
- The policy will contain general security requirements and practices and will be signed by the remote user.
- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc.
- Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment.
If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding. Unmanaged endpoints<GroupDescription></GroupDescription>SRC-EPT-050Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets comply with the requirements.
<VulnDiscussion>Unmanaged endpoints must be configured according to the organization's security policy and standards before these devices can be allowed access to even the most non-sensitive areas of the network such as the DMZ. Unmanaged endpoints will never be allowed to traverse or access the protected inner enclave regardless of configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658If unmanaged endpoints are used, ensure required documentation and agreements are completed in compliance with this requirement.Inspect a copy of the site’s remote user agreement and Service Level Agreements. Verify one of these documents includes the requirements as follows:
– Are approved by the DAA;
– Use devices that are capable of complying with applicable STIG requirements to the greatest extent possible (i.e., comply with all CAT 1 requirements applicable to the OS and other technology used);
1. The owner signs forfeiture agreement in case of a security incident;
2. The security policy on the device is actively scanned prior to allowing access to the DoD Enclave by the IAO; and
3. Full access to the DoD internal protected enclave is not permitted. Access will be restricted to a limited access subnet.
User security checklist <GroupDescription></GroupDescription>SRC-EPT-060Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent with remote access methods. <VulnDiscussion>Lack of user training and understanding of responsibilities to safeguard the network are a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure a checklist or detailed user training is used to inform the users of their security responsibilities.Inspect a copy of the site’s security checklist, if available. This checklist may be incorporated into the user agreement or the user training. The checklist is different from the user agreement in that it incorporates all of the user's security responsibilities concerning remote computing and network security in general. Verify that documentation exists to show that users are required to read and sign this checklist or training material.Consent provision<GroupDescription></GroupDescription>SRC-EPT-070Remote user agreement will contain a Standard Mandatory Notice and Consent Provision. 
<VulnDiscussion>Lack of user training, as evidenced by signed documentation, may indicate the users lack understanding of their responsibilities to safeguard the network and may be a significant vulnerability to the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure the remote user agreement contains a Standard Mandatory Notice and Consent Provision.Inspect a copy of the site’s user agreement. Verify the user agreement has the current consent provision exactly as written by DoD for legal purposes.User training - Home LAN<GroupDescription></GroupDescription>SRC-EPT-110Train users not to connect remote clients which process sensitive information directly into the broadband modem. <VulnDiscussion>If a telework device connects directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device is directly accessible from the Internet and at high risk of being attacked. To prevent this from occurring, the home network should have a security device between the ISP and the telework device. 
This is most commonly accomplished by using a broadband router (e.g., cable modem router, DSL router) or a firewall appliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure the user is trained not to plug the endpoint directly into the broadband modem but rather to use a correctly configured security gateway.Inspect the user training material or the remote user checklist.
Verify that the users are trained not to plug the DoD endpoint directly into the broadband modem.
Users must be given assistance (e.g., a checklist) on how to configure and properly connect GFE to a properly configured broadband router or firewall appliance.NAT on home LAN<GroupDescription></GroupDescription>SRC-EPT-140Users who telework regularly are informed of the requirement to configure home networking router or firewall appliances to implement NAT. <VulnDiscussion>Configuring NAT on the network security gateway or firewall will help prevent hosts on the Internet from accessing the DOD teleworker computer directly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Update the remote user security checklist to include a check for the teleworker to configure the home networking router or firewall appliances to implement NAT. Review the user agreement or security checklist. Verify that it contains the instruction to configure home networking router or firewall appliances to implement NAT. Home LAN - Isolation<GroupDescription></GroupDescription>SRC-EPT-130Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolate them), so that the devices are logically separated by the appliance or router (on a different logical segment of the network).<VulnDiscussion>If a personal firewall on a computer malfunctioned, the appliance or router would still protect the computer from unauthorized network communications from external computers. 
In some cases, the appliance or router also can protect devices on the home network from each other—if the devices are logically separated by the appliance or router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Update the remote access security checklist, the user agreement, or other training materials to show that users are trained to comply with the approved teleworker home network architecture.Review user agreement or security checklist. Ensure users have been informed that their home network be configured to use the router or firewall to isolate the DoD endpoint from the other devices on the home network.Home LAN - network devices<GroupDescription></GroupDescription>SRC-EPT-120Provide teleworkers training on best practices for operating a secure network.
<VulnDiscussion>Changing the default passwords on the devices helps protect against attackers using these LANs to gain access to the device. Lists of manufacturer default passwords are widely available on the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Train users as required.Review the security checklist or user agreement. Verify that users have received information on the following best practices.
– Changing device password on home network level devices such as routers and firewalls.
– Configuring the device so that it cannot be administered from outside the home network, preventing external attackers from taking control of the device.
– Configuring the device to silently ignore unsolicited requests sent to it, which essentially hides the device from malicious parties.
– Checking for updates and applying them periodically, as explained in the vendor’s documentation—either automatically (typically daily or weekly) or manually (to be performed by the teleworker at least monthly).
– For broadband routers, turning off or disabling built-in wireless access points (AP) that are not being used.
– The proper precautionary measures for a firewall appliance or broadband router vary.
Endpoint VPN connection<GroupDescription></GroupDescription>SRC-EPT-100When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected. <VulnDiscussion>Endpoints that are directly connected to public networks are vulnerable to various forms of attack the longer they remain connected. A properly configured VPN adds defense in depth protection.
NOTE: Users who are trained and provide documentation (screen-prints) showing compliance with the telework isolation policy are compliant with the requirement. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Implement automated controls or train users to physically disconnect or disable NICs when no longer connected to the secure VPN.Verify by inspecting the training material or security checklist.
An automated method where the NIC is disabled may be implemented.Endpoints direct Internet access<GroupDescription></GroupDescription>SRC-EPT-090When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client. <VulnDiscussion>The DoD architecture is extensive and is designed to protect the enclave and its endpoints. When a remote user accesses the Internet directly, this infrastructure is not leveraged. All connections for Government official business to the Internet via the hotel wireless network will be through the DoD VPN connection only. This requirement should be automatically enforced by an enforcement agent or other technical means on the endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Update the user training or security checklist.Review the user training or security checklist to verify that users are trained on this requirement. 
If this is automatically enforced, have the IAO demonstrate this feature.Telework devices without security<GroupDescription></GroupDescription>SRC-EPT-080Remote/telework endpoints not capable (e.g., lacking enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network.<VulnDiscussion>If the client is incapable of employing critical security protections, then allowing access to that device could expose the network to potentially significant risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure the DAA and system administrator have a policy that devices must contain anti-virus and firewall software which are compliant with DoD requirements of the Desktop STIG.Interview the IAO. Ask if devices are permitted, either through Service Level Agreements or as DoD-owned, which do not have anti-virus or firewall software, or cannot be configured to meet DoD requirements.
If such devices are permitted, this is a finding.NSA certified solution for classified<GroupDescription></GroupDescription>SRC-EPT-030Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location.
<VulnDiscussion>Use of improperly configured or lower assurance equipment and solutions could compromise high value information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure use of compliant architecture and equipment.Verify use of NSA certified equipment and architecture by asking the site representative to demonstrate the products and encryption used.
Verify compliance with the following requirements:
– The solution is used in accordance with all NSA and DOD policy and guidelines.
– The solution will use a High Assurance (Type 1) Link Encryptor to provide high assurance link protection (confidentiality, integrity, and authentication), using NSA-certified cryptographic components, between the remote user and DOD enclaves or other computing environments, and a High Assurance (Type 1) Media Encryptor to provide high assurance protection (confidentiality and integrity), using NSA-certified cryptographic components, to a remote user’s hard-drive and removable media.
– The NSA Type 1 link encryption device is kept in the user’s possession at all times or stored in accordance with policy applicable to classified storage.
– The NSA Type 1 link encryption device is stored separately from the computer when not in use.
Classified endpoints <GroupDescription></GroupDescription>SRC-EPT-020Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access.<VulnDiscussion>Equipment owned or controlled by non-DoD entities may contain malware or other vulnerabilities which may present a danger to the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure all equipment used for remote access solutions which process classified information is government owned and managed.Interview the IAO. Ask if remote access equipment, endpoints, and communications equipment is government owned.TLS VPN - RSA<GroupDescription></GroupDescription>SRC-VPN-050Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment. <VulnDiscussion>NOTE: TLS 1.0 and later uses the ephemeral Diffie-Hellman key establishment method, but this does not meet the requirements of NIST SP 800-56A. NIST has granted a waiver from this requirement for systems using SSL until the end of 2010 and this may be extended indefinitely. 
However, the current requirement for SSL key establishment now and beyond 2010 is the RSA method.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Manager</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure newly purchased systems have the capability to perform RSA key establishment.Ask the site representative for documentation or verify by inspecting the TLS configuration application.
NOTE: The systems may use the NIST-preferred method of ephemeral Diffie-Helman, but new systems will have the capability to use RSA. TLS VPN - HMAC-SHA-1 capability<GroupDescription></GroupDescription>SRC-VPN-060Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures. <VulnDiscussion>It is not enough to enable FIPS encryption. To gain the full security implied by the FIPS standard, the functions and procedures required by the FIPS 140-2 documents must also be implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Whe purchasing an TLS VPN, ensure the system has the capability to require HMAC-SHA-1.Interview site representative or inspect the VPN encryption configuration on the TLS VPN appliance or server.
NOTE: Prior to purchasing a TLS VPN, the site will verify the system has the capability to require HMAC-SHA-1. Devices using SHA-1 hash functions remain acceptable for this purpose; the known collision weaknesses of SHA-1 do not affect its use within HMAC.Endpoint failing security checks <GroupDescription></GroupDescription>SRC-VPN-070Ensure that when a TLS VPN is used, endpoints that fail “required” critical endpoint security checks receive either no access or only limited access. <VulnDiscussion>Remote endpoint devices requesting TLS portal access will either be disconnected or given limited access, as designated by the DAA and system owner, if the device fails the authentication or security assessment. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure endpoints failing to pass minimum and required security configuration checks are not given full access to DoD non-public information; any limited access granted must have DAA approval.Verification will depend on the method used by the site to automate this functionality. Verify that endpoints failing to pass minimum and required security configuration checks are not given full access to DoD non-public information; any limited access granted must have DAA approval.
NOTE: The user will be presented with a limited portal that does not include access options for sensitive resources. (Required security checks will be identified and approved by the DAA or designated representative.)Type 1 encryption for access to Classified<GroupDescription></GroupDescription>SRC-RAP-030Ensure classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and that an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is used only from an approved location.<VulnDiscussion>Failure to use approved communications equipment and security measures can lead to unauthorized disclosure, loss, or compromise of classified information.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Manager</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658The IAO will ensure classified information is not transmitted over any communications system unless it is transmitted using approved NSA security devices in addition to approved security procedures and practices. Interview the IAO. Ask if users are allowed to process classified information from remote locations.
Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunneled using communications channels that are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements, as follows:
- C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. SIPRNet will be the network of choice for C2 traffic.
- Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs.
- Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (CDSM, DISA/GS21). Supporting rationale will be presented to the CDSM.
- Type 1 encryption will be employed.
- Must be documented in the DIACAP Implementation Plan (DIP).
- Termination of the tunnel will be in facilities authorized to process US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy.
**This check applies to Enhanced Compliance Validation visits.DIACAP information documents (DIP)<GroupDescription></GroupDescription>SRC-RAP-010Ensure the required accreditation documentation (e.g., DIP) is kept updated. <VulnDiscussion>The most critical part of a remote access solution is a centralized point of access and authentication close to the network edge. This device manages access to network resources on the internal LAN. DoD requires that all information technology devices attached to the network be documented in the DIP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Verify the DIACAP equipment list reflects changes made to the site's remote access network devices.The system owner will identify security domain requirements in the DIACAP documentation. Each DIP must include a description of the site's architecture with the remote access equipment shown on the drawing.
Verify that these documents reflect the installation or modification of network devices that provide remote access services (e.g., appliances or servers such as RAS, VPN, remote security assessment, or policy appliances).Remote access traffic inspection - IDS<GroupDescription></GroupDescription>SRC-RAP-020Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture.<VulnDiscussion>Incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of the existing network inspection architecture ensures remote communications are subject to the same rigorous standards as other network traffic and lowers the risk of misconfiguration presented by multiple traffic inspection systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658The architecture must use one of the approved options for ensuring that remote access ingress traffic passes through and is inspected by the firewall and network IDS/IPS. Ensure remote access device traffic is configured using an approved architecture. All ingress traffic will be directed for inspection by the firewall and network IDS/IPS. Because this traffic is required to be in an encrypted tunnel, which cannot be inspected until it is decrypted, the site may implement one of two approved architectures:
1. Terminate the tunnel at the external NIDS located between the site’s Approved Gateway (Service Delivery Router) and the premise router; or
2. Terminate at the remote access gateway and route the traffic to the IDS/IPS for inspection prior to forwarding into the protected LAN.RAS uses a DMZ architecture. <GroupDescription></GroupDescription>SRC-RAP-040Ensure the remote access server (RAS) is located in a dual-homed screened subnet.<VulnDiscussion>Without a screened subnet architecture, traffic that would normally be destined for the DMZ would have to be redirected to the site's internal network, giving an attacker greater opportunity to exploit internal hosts.
NOTE: This check does not apply to the remote access VPN gateway. If an integrated RAS/VPN gateway is used where dial-up services are provided, then this check also applies. The DMZ architecture and placement will comply with the requirements of the applicable Network Infrastructure STIG.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Use the network diagram in the Network Infrastructure STIG for guidance on placement of the RAS server in the appropriate DMZ subnets.
Review network architecture with the network administrator.
Verify compliance by inspecting the site network topology diagrams and the firewall interface configurations. Since many network diagrams are not kept up-to-date, walk through the connections with the network administrator to verify the diagrams are current.
If the network device does not use an approved network isolation method (e.g., DMZ), this is a finding.Remote privileged access<GroupDescription></GroupDescription>SRC-RAP-050Ensure remote access for privileged tasks such as network device, host, or application administration is compliant.<VulnDiscussion>If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control locally on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Manager</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658The remote access administrator will configure the remote access or VPN server to use a TACACS+, RADIUS, or Diameter server for administrative access.View the configuration of the RAS and/or remote VPN gateway. Verify that a AAA (authentication) server is required for privileged access to the remote access device by reviewing the authentication screen.
Verify that the configuration requires the following:
1. Multi-factor authentication (e.g., PKI, SecurID, or DoD Alternate Token) using a AAA server;
2. Identification and personal authentication using individually assigned accounts rather than group or shared accounts or authenticators; and
3. Encryption using FIPS 140-2 compliant algorithms and encryption modules (e.g., AES).
Also verify that a network review has been performed using the Network Infrastructure STIG and that the architecture complies with the in-band and out-of-band management requirements of the appropriate Network Infrastructure STIG.
SRC-EPT-055 Use of public kiosks<GroupDescription></GroupDescription>SRC-EPT-055 Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls.<VulnDiscussion>There may be hardware or software keystroke loggers that monitor computer usage and keystrokes. Also, these computers may contain viruses and other malicious code that may infect DoD systems being accessed. This policy is in accordance with Directive-Type Memorandum (DTM) 08-027, 31 July 2009, Security of Unclassified DoD Information on Non-DoD Information Systems. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure users do not use public computers and kiosks to process, store, or transmit sensitive information without approval of the data owner.Verify the users are trained not to use public computers or kiosks to process government sensitive information. This may be placed in the User Agreement or the site's training materials.SRC-EPT-056 Email for remote users<GroupDescription></GroupDescription>SRC-EPT-056Where non-DoD information systems are used for processing unclassified email for a teleworker whose normal duty location is the mobile or telework location(s), the user will have the ability to send and receive digitally encrypted and signed email.<VulnDiscussion>DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP).”
Users need this capability to read and send digitally signed email and to ensure non-repudiation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Ensure the email solution on the remote access device has the ability to digitally sign messages.Interview the SA and ask if PKI is implemented on the endpoint's computer and configured for use by the email program. Complete user training for wireless remote access<GroupDescription></GroupDescription>WIR-WRA-001Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.<VulnDiscussion>Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized people. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>PRTN-1</IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Complete required training. Detailed Policy Requirements:
The ISSO and the site wireless device administrator must ensure all wireless remote access users receive training on the following topics before they are authorized to access a DoD network via a wireless remote access device:
- Maintaining physical control of the device.
- Reducing exposure of sensitive data.
- User authentication and content encryption requirements.
- Enabling wireless interfaces only when needed.
- Enable VPN connection to the DoD network immediately after establishing a wireless connection (using an approved VPN client).
- All Internet browsing will be done via the VPN connection to the DoD network.
- No split tunneling of VPN.
- Locations where wireless remote access is authorized or not authorized (i.e., home, airport, hotel, etc.).
- Wireless client configuration requirements.
- Use of WPA2 Personal (AES) on home WLAN.
- Home WLAN password and SSID requirements.
- Discontinue the use of devices suspected of being tampered with and notify the site ISSO.
Check Procedures:
Review site wireless device and/or IA awareness training material to verify it contains the required content.
Note: Some training content may be listed in the User Agreement signed by the user.
Verify site training records show authorized wireless remote access users received required training and training occurred before the users were issued a device. Check training records for approximately five users, picked at random.
If wireless remote access users have not received required training, this is a finding. Site has wireless remote access policy<GroupDescription></GroupDescription>WIR-WRA-002The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.<VulnDiscussion>Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Publish Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.Detailed Policy Requirements:
A site's Remote Access Policy will be written and signed by the site AO, Commander, Director, or other appropriate manager. It is recommended that the policy include required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet):
- Device unlock password requirements.
- Client software patches kept up to date.
- Internet browsing through the enterprise Internet gateway.
- Device security policy managed by a centrally-managed policy manager.
- Procedures after the client is lost or stolen, or another security incident occurs.
- Configuration requirements of the wireless client.
- Home WLAN authentication requirements.
- Home WLAN SSID requirements.
- Separate WLAN access point required for home WLAN.
- Authentication password of 8 or more characters required for home WLAN.
- Use of third-party Internet portals (kiosks) (approved or not approved).
- Use of personally-owned or contractor-owned client devices (approved or not approved).
- Implementation of health check of client device before connection is allowed.
- Places where remote access is approved (home, hotels, airport, etc.).
- Roles and responsibilities:
--Which users or groups of users are and are not authorized to use organization's WLANs?
--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment?
- WLAN infrastructure security:
--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs.
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines.
- WLAN client device security:
--The conditions under which WLAN client devices are and are not allowed to be used and operated.
--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
--Limitations on how and when WLAN client devices may be used, such as specific locations.
--Avoid connecting to WLAN access points secured with WEP, which is cryptographically broken.
- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents.
- Guidelines for the protection of WLAN client devices to reduce theft.
Check Procedures:
Interview the ISSO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site AO, Commander, Director, or other appropriate manager. If a wireless remote access policy does not exist or is not signed, this is a finding. Wireless remote access included in SSP<GroupDescription></GroupDescription>WIR-WRA-003The site physical security policy must include a statement on whether CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility.<VulnDiscussion>Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the appropriate STIG, and the site's overall network security controls are not configured to provide adequate security for unapproved devices. When listed in the SSP, the site has shown that security controls have been designed to account for the wireless devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>DPMS Target Remote Access PolicyDISADPMS TargetRemote Access Policy1658Publish a site physical security policy that includes a statement on whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility. This requirement applies to mobile operating system (OS) CMDs.
Work with traditional reviewer to review site’s physical security policy. Verify the site addresses CMDs with embedded cameras.
If there is no written physical security policy outlining whether CMDs with cameras (still and video) are permitted or prohibited on or in the DoD facility, this is a finding.