
Where automated remediation is used for remote access clients, traffic separation will be implemented, and authorized and unauthorized network traffic will use separate security domains (e.g., Virtual Local Area Networks (VLANs)).


Overview

Finding ID   Version       Rule ID           IA Controls   Severity
V-18846      SRC-NAC-180   SV-20599r1_rule                 Low
Description
A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security policy. When this technology is used, policy compliance checking and remediation are performed before the device is allowed onto the trusted network. If the device does not pass the security policy compliance inspection, it may contain malicious code that could endanger the network. After the device has been authenticated and found compliant, it can be logically moved into a new VLAN and given access to the trusted network depending on user authorization. NOTE: This policy does not mandate automated remediation.
STIG                         Date
Remote Access Policy STIG    2016-03-28

Details

Check Text ( C-22603r1_chk )
Verify that the remediation server is configured as follows:

– Will be separated from the policy assessment server on a separate subnet;
– Will be separated from the internal protected enclave by a separate subnet;
– The subnet configuration will comply with the requirement of the Network Infrastructure STIG;
– Will incorporate and leverage DoD remediation tools when available; and
– Will comply with the requirements of the applicable operating system STIG.
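The first two check items are a subnet-separation test: the remediation server must not share a subnet with the policy assessment server or with the internal protected enclave. The following is an added example (not part of the STIG and not DoD tooling) that automates that part of the check from an inventory of which networks each role occupies. The inventory, role names and addresses are constructed for illustration; the remaining items (Network Infrastructure STIG subnet requirements, DoD remediation tools, OS STIG compliance) still require manual review.

```python
"""Check that NAC remediation, policy assessment and enclave networks are
pairwise separate subnets, and that the remediation server sits only in the
remediation subnet. Added example for this STIG check; uses only the Python
standard library."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory (assumed values, not from the STIG).
# Map each role to the CIDR blocks it is allowed to occupy.
SEGMENTS: Dict[str, List[str]] = {
    "policy_assessment": ["10.10.1.0/24"],
    "remediation": ["10.10.2.0/24"],
    "internal_enclave": ["10.20.0.0/16"],
}


def _networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    # strict=False tolerates host bits set in an inventory entry.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_roles(segments: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (role_a, role_b, net_a, net_b) for every pair of roles whose
    subnets overlap. An empty list means the roles are on separate subnets."""
    roles = sorted(segments)
    nets = {r: _networks(segments[r]) for r in roles}
    findings = []
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        findings.append((a, b, str(na), str(nb)))
    return findings


def host_roles(segments: Dict[str, List[str]], host: str) -> List[str]:
    """Return every role whose subnets contain the given host address."""
    addr = ipaddress.ip_address(host)
    return sorted(r for r, cidrs in segments.items()
                  if any(addr in n for n in _networks(cidrs)))


def check_separation(segments: Dict[str, List[str]], remediation_host: str) -> dict:
    """Combine both tests: no role subnets overlap, and the remediation
    server's address falls in the remediation subnet and nowhere else."""
    overlaps = overlapping_roles(segments)
    roles = host_roles(segments, remediation_host)
    return {
        "overlaps": overlaps,
        "remediation_host_roles": roles,
        "compliant": not overlaps and roles == ["remediation"],
    }


if __name__ == "__main__":
    # Compliant layout from the sample inventory.
    print(check_separation(SEGMENTS, "10.10.2.15"))
    # Non-compliant variant: remediation subnet carved out of the enclave block.
    bad = dict(SEGMENTS, remediation=["10.20.5.0/24"])
    print(check_separation(bad, "10.20.5.10"))
```

Run it against your own inventory by replacing SEGMENTS and the remediation server address; any entry in "overlaps" or a roles list other than ["remediation"] is a finding for this rule. Note that the check is address-based only: it does not confirm that the separation is enforced by a VLAN or firewall boundary, which still has to be verified on the switch or firewall configuration.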
Fix Text (F-19521r1_fix)
Ensure the remediation server is configured as required, at a minimum.