UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).


Overview

Finding ID Version Rule ID IA Controls Severity
V-207256 SRG-NET-000522-VPN-002320 SV-207256r953950_rule Medium
Description
Pre-shared keys need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. NIST SP 800-52 Rev 2 provides guidance for using pre-shared keys with VPN gateways. PSKs may only be used in networks where both the client and server belong to the same organization. PSKs used for site-to-site VPNs are considered by the SRG as a type of password. If this shared secret is already encrypted and not in plaintext, this meets this requirement. This requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. Use a keyed hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.
STIG Date
Virtual Private Network (VPN) Security Requirements Guide 2024-04-09

Details

Check Text ( C-7516r378389_chk )
Verify the VPN Gateway stores only cryptographic representations of the PSK.

If the VPN Gateway does not store only cryptographic representations of the PSK, this is a finding.
Fix Text (F-7516r378390_fix)
Configure the VPN Gateway to store only cryptographic representations of the PSK.