STIGQter: STIG Summary: Network Devices Security Technical Implementation Guide Version: 8 Release: 23 Benchmark Date: 25 Jan 2019: The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.

DISA Rule

SV-3008r1_rule

Vulnerability Number

V-3008

Group Title

IPSec VPN is not configured as a tunnel type VPN.

Rule Version

NET1800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Establish the VPN as a tunneled VPN.

Terminate the tunneled VPN outside of the firewall.

Ensure all host-to-host VPNs are established between trusted, known hosts.

Check Contents

Have the SA display the configuration settings that enable this feature.

Review the network topology diagram, and review VPN concentrators. Determine whether tunnel mode is in use by reviewing the configuration. Examples:

In Cisco IOS
Router(config)# crypto ipsec transform-set transform-set-name transform1
Router(cfg-crypto-tran)# mode tunnel

OR in Junos
[edit security ipsec security-association sa-name] mode tunnel
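The check above can be automated against saved configurations. The following is an added example (not part of the STIG or STIGQter) that parses constructed Cisco IOS and Junos snippets for IPsec mode and reports any transform set or security association not in tunnel mode as a NET1800 finding; it relies on the IOS behaviour that a transform set with no explicit mode line defaults to tunnel mode, and assumes the Junos `set security ipsec security-association ... mode` form quoted in the check.

```python
import re

# Constructed sample configurations for demonstration (not from the STIG).
CISCO_CONFIG = """\
crypto ipsec transform-set MGMT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-TS esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set DEFAULT-TS esp-aes esp-sha-hmac
"""

JUNOS_CONFIG = """\
set security ipsec security-association MGMT-SA mode tunnel
set security ipsec security-association HOST-SA mode transport
"""


def cisco_transform_set_modes(config):
    """Map each IOS transform-set name to its mode.
    IOS defaults to tunnel mode when no 'mode' line follows the set."""
    modes = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+)", line)
        if m:
            current = m.group(1)
            modes[current] = "tunnel"  # IOS default until overridden
            continue
        m = re.match(r"\s+mode (tunnel|transport)", line)
        if m and current:
            modes[current] = m.group(1)
    return modes


def junos_sa_modes(config):
    """Map each Junos security-association name to its explicit mode."""
    modes = {}
    pattern = r"set security ipsec security-association (\S+) mode (tunnel|transport)"
    for line in config.splitlines():
        m = re.match(pattern, line)
        if m:
            modes[m.group(1)] = m.group(2)
    return modes


def findings(modes):
    """Names that are not in tunnel mode, i.e. NET1800 findings."""
    return sorted(name for name, mode in modes.items() if mode != "tunnel")


if __name__ == "__main__":
    print("Cisco findings:", findings(cisco_transform_set_modes(CISCO_CONFIG)))
    print("Junos findings:", findings(junos_sa_modes(JUNOS_CONFIG)))
```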

Vulnerability Number

V-3008

Documentable

False

Rule Version

NET1800

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

522

Comments