UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-264334 SRG-NET-000355-VPN-002433 SV-264334r984338_rule Medium
Description
Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE). This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.
STIG Date
Virtual Private Network (VPN) Security Requirements Guide 2024-07-02

Details

Check Text ( C-68247r984336_chk )
If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable.

Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions.

Verify both user and machine certificates are being validated when establishing VPN sessions.

If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.
Fix Text (F-68155r984337_fix)
Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.