
Virtual Private Network (VPN) Security Requirements Guide


Overview

Date: 2021-09-27
Finding Count (81): CAT I (High): 11, CAT II (Med): 63, CAT III (Low): 7
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-207193 High The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 14 or greater for Internet Key Exchange (IKE) Phase 1.
V-207190 High The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.
V-207253 High The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication.
V-207257 High The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
V-207230 High The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
V-207223 High The IPSec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE).
V-207252 High The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
V-207261 High The VPN remote access server must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
V-207209 High The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
V-207245 High The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.
V-207262 High The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
V-251044 Medium The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.
V-207248 Medium The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.
V-207228 Medium The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.
V-207229 Medium The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.
V-207197 Medium The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.
V-207194 Medium If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
V-207192 Medium The VPN Gateway must be configured to use IPsec with SHA-2 or greater for hashing to protect the integrity of remote access sessions.
V-207191 Medium The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.
V-207215 Medium The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.
V-207214 Medium The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-207217 Medium The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.
V-207216 Medium The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
V-207211 Medium The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-207210 Medium The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-207198 Medium The VPN Gateway must generate log records containing information to establish where the events occurred.
V-207237 Medium The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period.
V-207236 Medium When communications with the Central Log Server are lost, the VPN Gateway must continue to queue traffic log records locally.
V-207234 Medium The VPN Gateway must off-load audit records onto a different system or media than the system being audited.
V-207255 Medium The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
V-207254 Medium The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.
V-207259 Medium The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.
V-207258 Medium The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
V-207239 Medium The VPN Gateway must accept the Common Access Card (CAC) credential.
V-207238 Medium The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization.
V-207203 Medium The VPN Gateway must protect audit information from unauthorized deletion when stored locally.
V-207213 Medium The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.
V-207222 Medium The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
V-207212 Medium The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
V-207240 Medium The VPN Gateway must electronically verify the Common Access Card (CAC) credential.
V-207189 Medium The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.
V-207251 Medium The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
V-207256 Medium For site-to-site VPNs, the VPN Gateway must be configured to store only cryptographic representations of pre-shared keys (PSKs).
V-207250 Medium The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
V-207185 Medium The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.
V-207235 Medium The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
V-207187 Medium The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-207184 Medium The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
V-207208 Medium The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-207202 Medium The VPN Gateway log must protect audit information from unauthorized modification when stored locally.
V-207233 Medium The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components.
V-207200 Medium The VPN Gateway must produce log records containing information to establish the outcome of the events.
V-207186 Medium The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-207206 Medium The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.
V-207207 Medium For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
V-207204 Medium The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-207224 Medium The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.
V-207225 Medium The VPN Gateway must recognize only system-generated session identifiers.
V-207226 Medium The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
V-207227 Medium The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-207220 Medium The VPN Gateway must be configured to route sessions to an IDPS for inspection.
V-207231 Medium The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions.
V-207205 Medium The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.
V-207249 Medium The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-207260 Medium The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use a FIPS-validated AES cipher block algorithm.
V-207247 Medium For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later to protect the integrity of the password authentication process.
V-207244 Medium The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.
V-207263 Medium The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
V-207242 Medium The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
V-207243 Medium The VPN Gateway must disable split-tunneling for remote client VPNs.
V-207241 Medium The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.
V-207246 Medium The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.
V-207219 Medium The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-207218 Medium The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
V-207188 Low The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
V-207196 Low The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.
V-207195 Low The VPN Gateway must generate log records containing information to establish what type of events occurred.
V-207199 Low The VPN Gateway must generate log records containing information to establish the source of the events.
V-207232 Low The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
V-207201 Low The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.
V-207221 Low The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.