| Finding ID |
Severity |
Title |
Description |
|
V-207262
|
High |
The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated.
NIST cryptographic algorithms approved by NSA to... |
|
V-207261
|
High |
The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network. |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated.
NIST cryptographic algorithms approved by NSA to... |
|
V-207257
|
High |
The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
A block cipher mode is an algorithm that features the... |
|
V-207252
|
High |
The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). |
Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys.
An IPsec SA is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations... |
|
V-207245
|
High |
The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information. |
Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted and either read or altered.
This requirement also applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices,... |
|
V-207244
|
High |
The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. |
PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2... |
|
V-207230
|
High |
The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
AES is the FIPS-validated cipher block cryptographic algorithm approved for... |
|
V-207223
|
High |
The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE). |
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured... |
|
V-207209
|
High |
The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. |
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.
Factors include:
(i) Something you... |
|
V-207193
|
High |
The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. |
Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key... |
|
V-207190
|
High |
The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. |
|
V-264336
|
Medium |
The VPN Gateway must use Always On VPN connections for remote computing. |
Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will be disconnected from the internet until the issue is solved.
"Always On" is a term that describes a VPN connection... |
|
V-264335
|
Medium |
The TLS VPN must be configured to limit authenticated client sessions to initial session source IP. |
Limiting authenticated client sessions to the initial session source IP for TLS VPNs is a safeguard against session hijacking, replay, and man-in-the-middle attacks, maintaining integrity and confidentiality of communication between clients and servers. |
|
V-264334
|
Medium |
The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions. |
Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.... |
|
V-264333
|
Medium |
The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session. |
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.
When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or... |
|
V-264332
|
Medium |
The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session. |
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. One example is if the certificate is known to have been compromised.
When an incoming Internet Key Exchange (IKE) session is initiated for a remote... |
|
V-264331
|
Medium |
The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g.,... |
|
V-264330
|
Medium |
The VPN Gateway must establish organization-defined alternate communications paths for system operations organizational command and control. |
An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about... |
|
V-264329
|
Medium |
The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. |
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through... |
|
V-264328
|
Medium |
The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. |
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A... |
|
V-251044
|
Medium |
The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period. |
This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must take into consideration the risk to the mission... |
|
V-207263
|
Medium |
The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. |
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.
Certification path validation includes checks such as certificate issuer trust,... |
|
V-207260
|
Medium |
The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. |
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
SNMPv3 supports authentication, authorization, access control, and privacy, while previous versions of the protocol contained well-known security weaknesses, which were easily... |
|
V-207259
|
Medium |
The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to public-facing or external-facing devices such as TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as... |
|
V-207258
|
Medium |
The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. |
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as... |
|
V-207256
|
Medium |
For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs). |
PSKs need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and must not be used as a replacement for... |
|
V-207255
|
Medium |
The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
Logout messages for access, for example, can be displayed... |
|
V-207254
|
Medium |
The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway. |
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to... |
|
V-207251
|
Medium |
The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. |
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
|
V-207250
|
Medium |
The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. |
FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that... |
|
V-207249
|
Medium |
The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes. |
FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plain text. If the agency specifies that... |
|
V-207248
|
Medium |
The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur. |
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Log records can be generated from various components within the information system (e.g.,... |
|
V-207247
|
Medium |
For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process. |
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as... |
|
V-207243
|
Medium |
The VPN Gateway must disable split-tunneling for remote clients VPNs. |
Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has... |
|
V-207242
|
Medium |
The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. |
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by... |
|
V-207241
|
Medium |
The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection. |
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication... |
|
V-207240
|
Medium |
The VPN Gateway must electronically verify the Common Access Card (CAC) credential. |
DoD has mandated the use of the CAC as the Personal Identity Verification (PIV) credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. |
|
V-207239
|
Medium |
The VPN Gateway must accept the Common Access Card (CAC) credential. |
The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC as the PIV credential to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered... |
|
V-207238
|
Medium |
The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less. |
When a VPN gateway creates an IPsec SA, resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange... |
|
V-207237
|
Medium |
The VPN Gateway must renegotiate the IPsec security association (SA) after eight hours or less. |
The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use... |
|
V-207235
|
Medium |
The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide... |
|
V-207234
|
Medium |
The VPN Gateway must off-load audit records onto a different system or media than the system being audited. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
This requirement only applies to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This... |
|
V-207229
|
Medium |
The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed. |
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped.
Remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement... |
|
V-207228
|
Medium |
The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity. |
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through... |
|
V-207227
|
Medium |
The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VPN gateways that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection... |
|
V-207226
|
Medium |
The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. |
Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. |
|
V-207225
|
Medium |
The VPN Gateway must recognize only system-generated session identifiers. |
VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised.
Unique session IDs address man-in-the-middle attacks, including session hijacking... |
|
V-207224
|
Medium |
The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. |
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs.
Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session identifiers or IDs are the opposite of sequentially... |
|
V-207222
|
Medium |
The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised.
VPN gateways utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is... |
|
V-207220
|
Medium |
The VPN Gateway must be configured to route sessions to an IDPS for inspection. |
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.
Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an... |
|
V-207219
|
Medium |
The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides opportunity for intruders to compromise resources within the network infrastructure.
This requirement only applies to components where this is specific to the function of the device or has the... |
|
V-207218
|
Medium |
The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification. |
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured... |
|
V-207217
|
Medium |
The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. |
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
This requirement only applies to components where this is specific to the function of the device or has the concept... |
|
V-207216
|
Medium |
The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. |
The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is... |
|
V-207215
|
Medium |
The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. |
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead... |
|
V-207214
|
Medium |
The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality... |
|
V-207213
|
Medium |
The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the... |
|
V-207212
|
Medium |
The IPsec VPN Gateway must use anti-replay mechanisms for security associations. |
Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet. |
|
V-207211
|
Medium |
The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts. |
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by... |
|
V-207210
|
Medium |
The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
Multifactor solutions that require devices separate from information systems gaining... |
|
V-207208
|
Medium |
The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of... |
|
V-207207
|
Medium |
For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. |
Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command structure. In addition to PPP, other link layer types (called pseudowires) can be and are defined for delivery in L2TP by separate RFC documents. Further complexity is created by... |
|
V-207206
|
Medium |
The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F. |
The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. Encryption and authentication are both weak. |
|
V-207205
|
Medium |
The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. |
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Use of IKEv2 leverages DoS protections because of improved bandwidth management and... |
|
V-207204
|
Medium |
The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
DoD continually assesses the ports, protocols, and services that can be used... |
|
V-207203
|
Medium |
The VPN Gateway must protect audit information from unauthorized deletion when stored locally. |
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.
This requirement can be achieved... |
|
V-207202
|
Medium |
The VPN Gateway log must protect audit information from unauthorized modification when stored locally. |
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
This requirement pertains to securing the VPN log as it is stored locally, on the box temporarily, or while being encapsulated.
This requirement can be... |
|
V-207200
|
Medium |
The VPN Gateway must produce log records containing information to establish the outcome of the events. |
Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network.
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state... |
|
V-207198
|
Medium |
The VPN Gateway must generate log records containing information to establish where the events occurred. |
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know where events occurred, such as VPN gateway components,... |
|
V-207197
|
Medium |
The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event. |
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. |
|
V-207194
|
Medium |
If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic. |
L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are... |
|
V-207192
|
Medium |
The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. |
Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions.
The remote... |
|
V-207191
|
Medium |
The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. |
Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded.
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an... |
|
V-207189
|
Medium |
The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. |
VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does... |
|
V-207186
|
Medium |
The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
The user must acknowledge the banner before being allowed access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the user does not acknowledge the consent banner, DOD will not be in compliance with system use notifications required by... |
|
V-207185
|
Medium |
The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network. |
|
|
V-207184
|
Medium |
The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. |
Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.
VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected... |
|
V-207221
|
Low |
The VPN Gateway must terminate all network connections associated with a communications session at the end of the session. |
Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the... |
|
V-207201
|
Low |
The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally. |
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured VPN gateway. Thus, it is imperative that the collected log data from the various... |
|
V-207199
|
Low |
The VPN Gateway must generate log records containing information to establish the source of the events. |
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.
In addition to logging... |
|
V-207196
|
Low |
The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred. |
Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions).... |
|
V-207195
|
Low |
The VPN Gateway must generate log records containing information to establish what type of events occurred. |
Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative... |
