UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Virtual Private Network (VPN) Security Requirements Guide


Overview

Date Finding Count (83)
2024-07-02 CAT I (High): 11 CAT II (Med): 67 CAT III (Low): 5
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-207245 High The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.
V-207193 High The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
V-207190 High The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.
V-207257 High The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
V-207230 High The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
V-207223 High The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE).
V-207252 High The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
V-207244 High The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.
V-207209 High The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
V-207261 High The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
V-207262 High The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
V-251044 Medium The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.
V-207228 Medium The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.
V-207229 Medium The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.
V-207197 Medium The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.
V-207194 Medium If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
V-207192 Medium The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
V-207191 Medium The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.
V-207215 Medium The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.
V-207214 Medium The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-207217 Medium The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.
V-207216 Medium The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
V-207211 Medium The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.
V-207210 Medium The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-207198 Medium The VPN Gateway must generate log records containing information to establish where the events occurred.
V-207237 Medium The VPN Gateway must renegotiate the IPsec security association (SA) after eight hours or less.
V-207250 Medium The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
V-207235 Medium The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.
V-207234 Medium The VPN Gateway must off-load audit records onto a different system or media than the system being audited.
V-207255 Medium The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
V-207254 Medium The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.
V-207259 Medium The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.
V-207258 Medium The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
V-207239 Medium The VPN Gateway must accept the Common Access Card (CAC) credential.
V-207238 Medium The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less.
V-207213 Medium The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.
V-264329 Medium The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
V-264335 Medium The TLS VPN must be configured to limit authenticated client sessions to initial session source IP.
V-264334 Medium The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.
V-207212 Medium The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
V-264331 Medium The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-264330 Medium The VPN Gateway must establish organization-defined alternate communications paths for system operations organizational command and control.
V-264333 Medium The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session.
V-264332 Medium The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.
V-207189 Medium The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.
V-207251 Medium The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
V-207256 Medium For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).
V-207219 Medium The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-207185 Medium The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.
V-207184 Medium The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
V-207187 Medium The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-207186 Medium The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-207208 Medium The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-207202 Medium The VPN Gateway log must protect audit information from unauthorized modification when stored locally.
V-207203 Medium The VPN Gateway must protect audit information from unauthorized deletion when stored locally.
V-207200 Medium The VPN Gateway must produce log records containing information to establish the outcome of the events.
V-207206 Medium The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.
V-207207 Medium For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
V-207204 Medium The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-207205 Medium The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.
V-207224 Medium The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.
V-207225 Medium The VPN Gateway must recognize only system-generated session identifiers.
V-207226 Medium The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
V-207227 Medium The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-207220 Medium The VPN Gateway must be configured to route sessions to an IDPS for inspection.
V-207222 Medium The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
V-207249 Medium The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-207260 Medium The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.
V-207247 Medium For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process.
V-207263 Medium The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
V-207242 Medium The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
V-207243 Medium The VPN Gateway must disable split-tunneling for remote clients VPNs.
V-207240 Medium The VPN Gateway must electronically verify the Common Access Card (CAC) credential.
V-207241 Medium The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.
V-207248 Medium The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.
V-264328 Medium The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.
V-264336 Medium The VPN Gateway must use Always On VPN connections for remote computing.
V-207218 Medium The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
V-207196 Low The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.
V-207195 Low The VPN Gateway must generate log records containing information to establish what type of events occurred.
V-207199 Low The VPN Gateway must generate log records containing information to establish the source of the events.
V-207201 Low The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.
V-207221 Low The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.