UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19832 SRC-RAP-020 SV-21995r1_rule Medium
Description
The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of the existing network inspection architecture will ensure remote communications are subject to the same rigorous standards as other network traffic and lower the risk of misconfiguration presented by multiple traffic inspection systems.
STIG Date
Remote Access Policy STIG 2016-03-28

Details

Check Text ( C-25055r1_chk )
Ensure remote access device traffic is configured using an approved architecture. All ingress traffic will be directed for inspected by the firewall and Network IDS/IPS. Because this traffic is required to be in an encrypted tunnel, the site may implement one of two approved architectures.

1. Terminate the tunnel at the external NIDS located between the site’s Approved Gateway (Service Delivery Router) and the premise router; or

2. Terminate at the remote access gateway and route the traffic to the IDS/IPS for inspection prior to forwarding into the protected LAN.
Fix Text (F-19139r1_fix)
Architecture must use one of the approved options for ensuring that remote access ingress traffic will pass through and be inspected by the firewall and Network IDS/IPS.