Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18680 | SRC-NAC-010 | SV-20300r1_rule | | Medium |
Description |
---|
In this STIG, a managed device is defined as a device that has installed software (i.e., an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device does not have a pre-installed agent which has been obtained from and configured by an approved DoD source. A device is also considered unmanaged if the authorized agent is not operating properly and cannot communicate with the server. Devices that are both non-GFE and unmanaged cannot be used. To be authenticated to the network, the authentication information must be pre-configured by the site's system administrator, and the device and the user must be authorized by the DAA for access to the system. Trusted computing environments require a process for ensuring that users and devices are authenticated and authorized. In certain environments such as a development network, unmanaged devices may be justified by government policy or the mission. Automated policy assessment may be implemented in various ways to increase trust and manage the risk posed by these guest devices. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2016-03-28 |
Check Text (C-22462r1_chk) |
---|
Verify that the device filter setting of the network authentication appliance is configured to force endpoint devices on the untrusted subnetwork to authenticate when attempting to access the network. In an environment where unmanaged devices are allowed remote access, devices on the untrusted side will not be set to bypass authentication. Filter lists may be set to use MAC, IP, or subnet address, and should automatically assign user roles to devices. Filters will not be configured to allow devices to bypass authentication or posture assessment. |
Fix Text (F-19390r1_fix) |
---|
Ensure the policy assessment device is configured to authenticate the endpoint devices before allowing access to the trusted network. |