UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.


Overview

Finding ID Version Rule ID IA Controls Severity
V-207247 SRG-NET-000400-VPN-001940 SV-207247r916235_rule Medium
Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-2 for integrity of remote access sessions. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. Pre-shared key cipher suites may only be used in networks where both the client and server belong to the same organization. Cipher suites using pre-shared keys shall not be used with TLS 1.0 or 1.1 and shall not be used with TLS 1.2 when a Government client or server communicates with non-government systems.
STIG Date
Virtual Private Network (VPN) Security Requirements Guide 2024-04-09

Details

Check Text ( C-7507r803433_chk )
For accounts using password authentication, verify the VPN Gateway uses SHA-2 or later protocol to protect the integrity of the password authentication process.

For accounts using password authentication, if the VPN Gateway does not use SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.
Fix Text (F-7507r803434_fix)
For accounts using password authentication, configure the VPN Gateway to use SHA-2 or later protocol to protect the integrity of the password authentication process.