UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Virtual Private Network (VPN) Security Requirements Guide


Overview

Date Finding Count (81)
2019-07-26 CAT I (High): 11 CAT II (Med): 63 CAT III (Low): 7
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-97053 High The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission.
V-97059 High The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group.
V-97139 High The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
V-97219 High The IPsec VPN Gateway Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
V-97217 High The VPN Gateway must use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
V-97185 High The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.
V-97201 High The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication.
V-97199 High The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
V-97209 High The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
V-97125 High The IPsec VPN Gateway must use Internet Key Exchange (IKE) with SHA-1 or greater to protect the authenticity of communications sessions.
V-97089 High The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
V-97055 Medium The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.
V-97099 Medium The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-97057 Medium The VPN Gateway must be configured to use IPsec with SHA-1 or greater for hashing to protect the integrity of remote access sessions.
V-97051 Medium The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.
V-97177 Medium The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.
V-97091 Medium The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-97195 Medium The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
V-97093 Medium The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-97197 Medium The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
V-97191 Medium The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.
V-97097 Medium The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.
V-97193 Medium The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-97115 Medium The VPN Gateway must use FIPS-validated SHA-1 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
V-97079 Medium The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-97117 Medium The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-97137 Medium The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.
V-97071 Medium The VPN Gateway must produce log records containing information to establish the outcome of the events.
V-97135 Medium The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.
V-97077 Medium The VPN Gateway must protect audit information from unauthorized deletion when stored locally.
V-97119 Medium The VPN Gateway must be configured to route sessions to an IDPS for inspection.
V-97075 Medium The VPN Gateway log must protect audit information from unauthorized modification when stored locally.
V-97131 Medium The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
V-97153 Medium The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period.
V-97087 Medium The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-97133 Medium The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-97085 Medium For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
V-97223 Medium The VPN Gateway must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
V-97081 Medium The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.
V-97157 Medium The VPN Gateway must accept Personal Identity Verification (PIV) credentials.
V-97101 Medium The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.
V-97215 Medium The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.
V-97221 Medium The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
V-97083 Medium The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.
V-97043 Medium The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.
V-97041 Medium The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
V-97129 Medium The VPN Gateway must recognize only system-generated session identifiers.
V-97047 Medium The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-97189 Medium For site-to-site VPN, for accounts using password authentication, the VPN Gateway must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.
V-97045 Medium The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-97187 Medium The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations.
V-97213 Medium The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.
V-97207 Medium For site-to-site VPN Gateway must store only cryptographic representations of Pre-shared Keys (PSKs).
V-97183 Medium The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.
V-97181 Medium The VPN Gateway must disable split-tunneling for remote clients VPNs.
V-97203 Medium The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.
V-97123 Medium The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
V-97103 Medium The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
V-97211 Medium The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
V-97127 Medium The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.
V-97141 Medium The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions.
V-97147 Medium The VPN Gateway must off-load audit records onto a different system or media than the system being audited.
V-97065 Medium The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.
V-97145 Medium The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components.
V-97067 Medium The VPN Gateway must generate log records containing information to establish where the events occurred.
V-97225 Medium If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
V-97159 Medium The VPN Gateway must electronically verify Personal Identity Verification (PIV) credentials.
V-97155 Medium The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization.
V-97113 Medium The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.
V-97149 Medium The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
V-97205 Medium The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
V-97151 Medium When communications with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally.
V-97179 Medium The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
V-97095 Medium The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
V-97073 Low The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.
V-97049 Low The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
V-97121 Low The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.
V-97069 Low The VPN Gateway must generate log records containing information to establish the source of the events.
V-97143 Low The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
V-97061 Low The VPN Gateway must generate log records containing information to establish what type of events occurred.
V-97063 Low The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.