
For site-to-site VPNs, the VPN Gateway must be configured to store only cryptographic representations of pre-shared keys (PSKs).


Overview

Finding ID: V-207256
Version: SRG-NET-000522-VPN-002320
Rule ID: SV-207256r803436_rule
IA Controls: (none listed)
Severity: Medium
Description
Pre-shared keys must be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be read in plaintext and easily compromised. Password authentication is intended only for limited situations and should not be used as a replacement for two-factor, CAC-enabled authentication. NIST SP 800-52 Rev 2 provides guidance for using pre-shared keys with VPN gateways. PSKs may only be used in networks where both the client and server belong to the same organization.

The SRG treats PSKs used for site-to-site VPNs as a type of password. If the shared secret is already stored encrypted rather than in plaintext, this requirement is met. Meeting it requires configuring a FIPS-approved block cipher algorithm and block cipher mode for the encryption.

The password-storage method uses a one-way hash algorithm with a salt value to validate a user's password without storing the password itself. Performance and the time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password while providing an acceptable measure of password security. Use a keyed-hash message authentication code (HMAC): HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.
STIG: Virtual Private Network (VPN) Security Requirements Guide
Date: 2021-09-27

Details

Check Text (C-7516r378389_chk)
Verify the VPN Gateway stores only cryptographic representations of the PSK.

If the VPN Gateway does not store only cryptographic representations of the PSK, this is a finding.
Fix Text (F-7516r378390_fix)
Configure the VPN Gateway to store only cryptographic representations of the PSK.
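As an added illustration (not code from the STIG or from any VPN vendor) of the salted keyed-hash storage the Description calls for and of the verification the Check Text asks for, the following Python stores a PSK only as a salted HMAC-SHA256 digest, verifies a candidate against that record in constant time, and flags any store entry that is still plaintext. The record format, the HMAC key and the sample store are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed record format for this example (not a vendor format):
#   "hmac-sha256$<base64 salt>$<base64 digest>"
SCHEME = "hmac-sha256"


def protect_psk(psk: str, hmac_key: bytes, salt: bytes = b"") -> str:
    """Return the stored representation: salted HMAC-SHA256 of the PSK."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hmac.new(hmac_key, salt + psk.encode(), hashlib.sha256).digest()
    return "$".join([SCHEME,
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def is_cryptographic_representation(stored: str) -> bool:
    """True only if the record parses as the protected format above."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != SCHEME:
        return False
    try:
        return (len(base64.b64decode(parts[1], validate=True)) == 16
                and len(base64.b64decode(parts[2], validate=True)) == 32)
    except ValueError:
        return False


def verify_psk(candidate: str, stored: str, hmac_key: bytes) -> bool:
    """Recompute the keyed hash for the candidate and compare in constant time."""
    if not is_cryptographic_representation(stored):
        return False  # plaintext or malformed records never authenticate
    _, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hmac.new(hmac_key, salt + candidate.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(actual, expected)


def audit_psk_store(records: dict) -> list:
    """Check-text helper: return peers whose PSK is not stored as a cryptographic representation."""
    return sorted(peer for peer, value in records.items()
                  if not is_cryptographic_representation(value))


# Constructed sample store: one protected record and one plaintext record.
DEMO_KEY = b"\x01" * 32  # stands in for an HMAC key held in an HSM or keystore
SAMPLE_STORE = {
    "peer-a": protect_psk("correct horse battery staple", DEMO_KEY),
    "peer-b": "plaintext-psk-left-in-config",
}
```

An IKE gateway still needs the shared secret itself to compute the peer authentication payload, so in practice gateways keep site-to-site PSKs reversibly encrypted under a protected master key, which the Description above also accepts; the one-way form shown here applies where the stored value only ever needs to be verified.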