| V-207245 | High | The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered.
This requirement... |
| V-207193 | High | The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group. | Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of... |
| V-207190 | High | The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
NIST SP... |
| V-207253 | High | The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to... |
| V-207257 | High | The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD non-public information... |
| V-207230 | High | The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD non-public information... |
| V-207223 | High | The IPsec VPN Gateway must use Internet Key Exchange (IKE) with SHA-1 or greater to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
Although allowed by SP800-131Ar1 for some... |
| V-207252 | High | The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption... |
| V-207261 | High | The VPN Gateway must use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network. | Use of improperly configured or lower assurance equipment and solutions could compromise high-value information.
The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program... |
| V-207209 | High | The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor... |
| V-207262 | High | The IPsec VPN Gateway Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards... |
| V-207248 | Medium | The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
| V-207242 | Medium | The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables... |
| V-207229 | Medium | The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed. | Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped.
Remote access functionality must have the... |
| V-207197 | Medium | The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine... |
| V-207194 | Medium | If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic. | L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As... |
| V-207192 | Medium | The VPN Gateway must be configured to use IPsec with SHA-1 or greater for hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered... |
| V-207191 | Medium | The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. | Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded.
Remote... |
| V-207215 | Medium | The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
The cornerstone of the PKI is the private key... |
| V-207214 | Medium | The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the... |
| V-207217 | Medium | The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
This... |
| V-207216 | Medium | The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. | The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework... |
| V-207211 | Medium | The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-207210 | Medium | The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect... |
| V-207198 | Medium | The VPN Gateway must generate log records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In order to compile an accurate risk... |
| V-207237 | Medium | The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period. | The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime... |
| V-207236 | Medium | When communications with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally. | If the system were to continue processing after audit failure, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis.
Because of the importance of... |
| V-207234 | Medium | The VPN Gateway must off-load audit records onto a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage... |
| V-207255 | Medium | The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the... |
| V-207254 | Medium | The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
However, for some types of interactive sessions... |
| V-207259 | Medium | The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This... |
| V-207258 | Medium | The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This... |
| V-207239 | Medium | The VPN Gateway must accept the Common Access Card (CAC) credential. | The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC as the PIV credential to... |
| V-207238 | Medium | The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization. | When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could... |
| V-207203 | Medium | The VPN Gateway must protect audit information from unauthorized deletion when stored locally. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of... |
| V-207213 | Medium | The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architectures (e.g., service-oriented architectures), the... |
| V-207222 | Medium | The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be... |
| V-207212 | Medium | The IPsec VPN Gateway must use anti-replay mechanisms for security associations. | Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet. |
| V-207240 | Medium | The VPN Gateway must electronically verify the Common Access Card (CAC) credential. | DoD has mandated the use of the CAC as the Personal Identity Verification (PIV) credential to support identity management and personal authentication for systems covered under HSPD 12, as well as... |
| V-207189 | Medium | The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. | VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in... |
| V-207251 | Medium | The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards... |
| V-207256 | Medium | For site-to-site VPN Gateway must store only cryptographic representations of Pre-shared Keys (PSKs). | Pre-shared keys need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use... |
| V-207250 | Medium | The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. | FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as... |
| V-207228 | Medium | The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access... |
| V-207185 | Medium | The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-207235 | Medium | The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-207187 | Medium | The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with... |
| V-207184 | Medium | The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth... |
| V-207208 | Medium | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-207202 | Medium | The VPN Gateway log must protect audit information from unauthorized modification when stored locally. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
This requirement pertains to... |
| V-207233 | Medium | The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components. | Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
| V-207200 | Medium | The VPN Gateway must produce log records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the... |
| V-207186 | Medium | The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If... |
| V-207206 | Medium | The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F. | The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits.... |
| V-207207 | Medium | For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. | Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer... |
| V-207204 | Medium | The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must... |
| V-207224 | Medium | The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. | Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs.
Session IDs are... |
| V-207225 | Medium | The VPN Gateway must recognize only system-generated session identifiers. | VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or... |
| V-207226 | Medium | The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. | Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable.
Use of a FIPS validated RNG that is not... |
| V-207227 | Medium | The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VPN gateways that fail suddenly and with no... |
| V-207220 | Medium | The VPN Gateway must be configured to route sessions to an IDPS for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management... |
| V-207231 | Medium | The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions. | Protecting authentication communications between the client, the VPN Gateway, and the authentication server keeps this critical information from being exploited.
In distributed information... |
| V-207205 | Medium | The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must... |
| V-207249 | Medium | The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes. | FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as... |
| V-207260 | Medium | The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other... |
| V-207247 | Medium | For site-to-site VPN, for accounts using password authentication, the VPN Gateway must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
| V-207244 | Medium | The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
The phase 2 (Quick Mode) Security Association... |
| V-207263 | Medium | The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to... |
| V-207264 | Medium | The VPN Gateway must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Use only SHA-2 for Digital signature generation applications and functions. SHA-2... |
| V-207243 | Medium | The VPN Gateway must disable split-tunneling for remote clients VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
A VPN hardware or software... |
| V-207241 | Medium | The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architectures (e.g., service-oriented architectures),... |
| V-207246 | Medium | The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations. | ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for... |
| V-207219 | Medium | The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides opportunity for intruders to compromise resources... |
| V-207218 | Medium | The VPN Gateway must use FIPS-validated SHA-1 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification ( | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a... |
| V-207188 | Low | The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account... |
| V-207196 | Low | The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
VPN gateways often have a separate audit log for... |
| V-207195 | Low | The VPN Gateway must generate log records containing information to establish what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
VPN gateways often have a separate... |
| V-207199 | Low | The VPN Gateway must generate log records containing information to establish the source of the events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk... |
| V-207232 | Low | The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information deemed important by the organization may aid in the discovery of unauthorized access or... |
| V-207201 | Low | The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity... |
| V-207221 | Low | The VPN Gateway must terminate all network connections associated with a communications session at the end of the session. | Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If... |
