The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260893	SRG-NET-000355-VPN-002433	SV-260893r964445_rule		Medium

Description
Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE). This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.

Description

Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE). This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.

STIG	Date
Virtual Private Network (VPN) Security Requirements Guide	2024-04-09

Details

Check Text ( C-64622r964444_chk )
If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable. Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions. Verify both user and machine certificates are being validated when establishing VPN sessions. If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.

Check Text ( C-64622r964444_chk )

If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable.

Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions.

Verify both user and machine certificates are being validated when establishing VPN sessions.

If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.

Fix Text (F-64530r962247_fix)
Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.