
Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture.


Overview

Finding ID: V-19832
Version: SRC-RAP-020
Rule ID: SV-21995r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of the existing network inspection architecture will ensure remote communications are subject to the same rigorous standards as other network traffic and lower the risk of misconfiguration presented by multiple traffic inspection systems.
STIG: Remote Access Policy STIG
Date: 2016-03-28

Details

Check Text ( C-25055r1_chk )
Ensure remote access device traffic is configured using an approved architecture. All ingress traffic will be directed for inspection by the firewall and Network IDS/IPS. Because this traffic is required to be in an encrypted tunnel, the site may implement one of two approved architectures.

1. Terminate the tunnel at the external NIDS located between the site’s Approved Gateway (Service Delivery Router) and the premise router; or

2. Terminate at the remote access gateway and route the traffic to the IDS/IPS for inspection prior to forwarding into the protected LAN.
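The two approved options above can be expressed as a simple path check: the tunnel must terminate at exactly one device, that device must be either the external NIDS (sitting between the Approved Gateway and the premise router) or the remote access gateway, and every hop the decrypted traffic crosses before it reaches the protected LAN must include the firewall and a network IDS/IPS. The following is an added example, not part of the STIG or any DISA tooling; the hop model, role names and sample topologies are assumptions constructed for illustration, and a reviewer would populate the path from the site's own network diagram.

```python
"""Added example: model a remote access ingress path as an ordered list of hops and
check it against the two approved inspection architectures from the check text.
Role names and the sample topologies are assumptions, not DISA definitions."""
from dataclasses import dataclass
from typing import List

ROLES = {"approved_gateway", "external_nids", "premise_router",
         "ra_gateway", "firewall", "ids_ips", "lan"}


@dataclass(frozen=True)
class Hop:
    name: str
    role: str                        # one of ROLES
    terminates_tunnel: bool = False  # True for the device that decrypts the VPN tunnel


def check_ingress_path(path: List[Hop]) -> List[str]:
    """Return a list of findings; an empty list means the path matches option 1 or 2."""
    findings = []
    roles = [h.role for h in path]
    for h in path:
        if h.role not in ROLES:
            findings.append(f"{h.name}: unknown role {h.role!r}")
    if not path or path[-1].role != "lan":
        findings.append("path must end at the protected LAN")

    # Exactly one device may terminate the tunnel; without that, nothing downstream can inspect.
    term = [i for i, h in enumerate(path) if h.terminates_tunnel]
    if len(term) != 1:
        findings.append(f"expected exactly one tunnel termination point, found {len(term)}")
        return findings
    t = term[0]
    term_hop = path[t]

    if term_hop.role == "external_nids":
        # Option 1: the external NIDS must sit between the Approved Gateway and the premise router.
        if "approved_gateway" not in roles or "premise_router" not in roles:
            findings.append("option 1 requires an approved gateway and a premise router on the path")
        elif not (roles.index("approved_gateway") < t < roles.index("premise_router")):
            findings.append(f"{term_hop.name}: external NIDS must be between the approved gateway "
                            "and the premise router")
    elif term_hop.role == "ra_gateway":
        pass  # Option 2: decrypt at the remote access gateway, then route to inspection.
    else:
        findings.append(f"{term_hop.name}: tunnel must terminate at the external NIDS or the "
                        f"remote access gateway, not a {term_hop.role}")

    # Only hops at or after the termination point see cleartext, so only they count as inspection.
    cleartext_roles = set(roles[t:-1]) if roles and roles[-1] == "lan" else set(roles[t:])
    if "firewall" not in cleartext_roles:
        findings.append("decrypted traffic does not pass through the firewall before the LAN")
    if not cleartext_roles & {"ids_ips", "external_nids"}:
        findings.append("decrypted traffic is not inspected by the network IDS/IPS before the LAN")
    return findings


# Constructed sample topologies (assumptions for illustration only).
OPTION_1 = [
    Hop("agw", "approved_gateway"),
    Hop("nids-ext", "external_nids", terminates_tunnel=True),
    Hop("premise-rtr", "premise_router"),
    Hop("fw", "firewall"),
    Hop("lan", "lan"),
]
OPTION_2 = [
    Hop("agw", "approved_gateway"),
    Hop("premise-rtr", "premise_router"),
    Hop("vpn-gw", "ra_gateway", terminates_tunnel=True),
    Hop("fw", "firewall"),
    Hop("ids", "ids_ips"),
    Hop("lan", "lan"),
]
# Non-compliant: the firewall sees only ciphertext and the VPN gateway forwards straight into the LAN.
BYPASS = [
    Hop("agw", "approved_gateway"),
    Hop("fw", "firewall"),
    Hop("vpn-gw", "ra_gateway", terminates_tunnel=True),
    Hop("lan", "lan"),
]
# Non-compliant: the external NIDS terminates the tunnel but sits inside the premise router.
MISPLACED = [
    Hop("agw", "approved_gateway"),
    Hop("premise-rtr", "premise_router"),
    Hop("nids-ext", "external_nids", terminates_tunnel=True),
    Hop("fw", "firewall"),
    Hop("lan", "lan"),
]

if __name__ == "__main__":
    for label, path in [("option 1", OPTION_1), ("option 2", OPTION_2),
                        ("bypass", BYPASS), ("misplaced NIDS", MISPLACED)]:
        print(label, "->", check_ingress_path(path) or "compliant")
```

The model deliberately ignores inspection devices placed before the termination point: a firewall in front of the VPN gateway may still be useful for filtering tunnel endpoints, but it cannot satisfy this rule because it never sees the decrypted ingress traffic.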
Fix Text (F-19139r1_fix)
Architecture must use one of the approved options for ensuring that remote access ingress traffic will pass through and be inspected by the firewall and Network IDS/IPS.