
If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy.


Overview

Finding ID: V-18847
Version: SRC-NAC-190
Rule ID: SV-20600r1_rule
IA Controls:
Severity: Medium
Description
If a device fails the site's approved security policy assessment test, it may contain compromised data. Using a VLAN keeps trusted and untrusted traffic separated while the failing device is either redirected for remediation or its connection is terminated.
STIG: Remote Access Policy STIG
Date: 2016-03-28

Details

Check Text (C-22604r1_chk)
Review the configuration of the device. Verify filters for the policy assessment device are set to take one of the approved action choices upon failure.

The site is compliant if one of the following actions is performed in accordance with site policy:

– Terminate the connection and place the device on a “blacklist” to prevent future connection attempts until action is taken to remove the device from the blacklist;
– Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server;
– Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the DAA);
– Allow the device and user full entry into the protected enclave but flag it for future remediation. With this option an automated reminder should be used to inform the user of the remediation status.
Fix Text (F-19522r1_fix)
Ensure filters for the policy assessment device are set to take one of the approved action choices upon failure.
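As an added illustration (not part of the STIG), the following Python sketch shows a policy-server decision routine that maps a failed posture assessment to one of the four approved actions above, rejects an unapproved or un-authorized configuration (the DMZ option without DAA approval), and keeps a blacklisted device blocked until an administrator clears it. The action names, VLAN number and the instruction format sent to the remote access device are assumptions.

```python
"""Added example: NAC policy-server failure handling per SRC-NAC-190.
Action names, VLAN id and instruction fields are assumed, not from the STIG."""

APPROVED_FAILURE_ACTIONS = {
    "terminate_blacklist",   # terminate and blacklist the device
    "redirect_remediation",  # move the endpoint to the remediation subnet
    "limited_dmz",           # limited services in the DMZ; needs DAA approval
    "allow_and_flag",        # full entry, flagged for future remediation
}


class PolicyServer:
    def __init__(self, failure_action, remediation_vlan=999, daa_approved_dmz=False):
        # Reject configurations the rule does not allow.
        if failure_action not in APPROVED_FAILURE_ACTIONS:
            raise ValueError(f"unapproved on-failure action: {failure_action}")
        if failure_action == "limited_dmz" and not daa_approved_dmz:
            raise ValueError("limited_dmz requires documented DAA approval")
        self.failure_action = failure_action
        self.remediation_vlan = remediation_vlan
        self.blacklist = set()  # devices blocked until an admin clears them
        self.flagged = set()    # devices admitted but owing remediation

    def decide(self, device_id, assessment_passed):
        """Return the instruction sent to the remote access device (VPN gateway / RAS)."""
        if device_id in self.blacklist:
            # A blacklisted device is refused even if its posture now passes.
            return {"device": device_id, "action": "terminate", "reason": "blacklisted"}
        if assessment_passed:
            return {"device": device_id, "action": "permit"}
        if self.failure_action == "terminate_blacklist":
            self.blacklist.add(device_id)
            return {"device": device_id, "action": "terminate", "reason": "posture_failed"}
        if self.failure_action == "redirect_remediation":
            return {"device": device_id, "action": "assign_vlan", "vlan": self.remediation_vlan}
        if self.failure_action == "limited_dmz":
            return {"device": device_id, "action": "apply_acl", "acl": "dmz-public-only"}
        # allow_and_flag: admit, record the debt, and trigger the reminder.
        self.flagged.add(device_id)
        return {"device": device_id, "action": "permit",
                "flag": "remediation_pending", "remind_user": True}

    def clear_blacklist(self, device_id):
        """Administrative action that re-enables a blacklisted device."""
        self.blacklist.discard(device_id)
```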