STIGQter: STIG Summary

Virtual Private Network (VPN) Security Requirements Guide

Version: 2

Release: 3

Benchmark Date: 23 Apr 2021

Name | Title
SV-207184r695317_rule | The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
SV-207185r608988_rule | The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.
SV-207186r608988_rule | The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-207187r608988_rule | The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-207188r608988_rule | The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
SV-207189r608988_rule | The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.
SV-207190r608988_rule | The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission.
SV-207191r608988_rule | The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.
SV-207192r608988_rule | The VPN Gateway must be configured to use IPsec with SHA-1 or greater for hashing to protect the integrity of remote access sessions.
SV-207193r608988_rule | The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group.
SV-207194r608988_rule | If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
SV-207195r608988_rule | The VPN Gateway must generate log records containing information to establish what type of events occurred.
SV-207196r608988_rule | The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred.
SV-207197r608988_rule | The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event.
SV-207198r608988_rule | The VPN Gateway must generate log records containing information to establish where the events occurred.
SV-207199r608988_rule | The VPN Gateway must generate log records containing information to establish the source of the events.
SV-207200r608988_rule | The VPN Gateway must produce log records containing information to establish the outcome of the events.
SV-207201r608988_rule | The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally.
SV-207202r608988_rule | The VPN Gateway log must protect audit information from unauthorized modification when stored locally.
SV-207203r608988_rule | The VPN Gateway must protect audit information from unauthorized deletion when stored locally.
SV-207204r608988_rule | The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-207205r608988_rule | The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.
SV-207206r608988_rule | The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.
SV-207207r608988_rule | For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
SV-207208r608988_rule | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-207209r608988_rule | The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
SV-207210r608988_rule | The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SV-207211r608988_rule | The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-207212r608988_rule | The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
SV-207213r608988_rule | The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.
SV-207214r608988_rule | The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-207215r608988_rule | The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.
SV-207216r608988_rule | The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
SV-207217r608988_rule | The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.
SV-207218r608988_rule | The VPN Gateway must use FIPS-validated SHA-1 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (
SV-207219r608988_rule | The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-207220r608988_rule | The VPN Gateway must be configured to route sessions to an IDPS for inspection.
SV-207221r608988_rule | The VPN Gateway must terminate all network connections associated with a communications session at the end of the session.
SV-207222r608988_rule | The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
SV-207223r608988_rule | The IPsec VPN Gateway must use Internet Key Exchange (IKE) with SHA-1 or greater to protect the authenticity of communications sessions.
SV-207224r608988_rule | The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.
SV-207225r608988_rule | The VPN Gateway must recognize only system-generated session identifiers.
SV-207226r608988_rule | The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
SV-207227r608988_rule | The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SV-207228r608988_rule | The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.
SV-207229r608988_rule | The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.
SV-207230r608988_rule | The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
SV-207231r608988_rule | The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions.
SV-207232r608988_rule | The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
SV-207233r608988_rule | The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components.
SV-207234r608988_rule | The VPN Gateway must off-load audit records onto a different system or media than the system being audited.
SV-207235r608988_rule | The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or
SV-207236r608988_rule | When communications with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally.
SV-207237r608988_rule | The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period.
SV-207238r608988_rule | The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization.
SV-207239r608988_rule | The VPN Gateway must accept the Common Access Card (CAC) credential.
SV-207240r608988_rule | The VPN Gateway must electronically verify the Common Access Card (CAC) credential.
SV-207241r608988_rule | The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.
SV-207242r608988_rule | The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
SV-207243r608988_rule | The VPN Gateway must disable split-tunneling for remote clients VPNs.
SV-207244r608988_rule | The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.
SV-207245r608988_rule | The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information.
SV-207246r695315_rule | The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations.
SV-207247r608988_rule | For site-to-site VPN, for accounts using password authentication, the VPN Gateway must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.
SV-207248r608988_rule | The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur.
SV-207249r608988_rule | The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.
SV-207250r608988_rule | The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
SV-207251r608988_rule | The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
SV-207252r608988_rule | The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
SV-207253r608988_rule | The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication.
SV-207254r608988_rule | The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.
SV-207255r608988_rule | The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
SV-207256r608988_rule | For site-to-site VPN Gateway must store only cryptographic representations of Pre-shared Keys (PSKs).
SV-207257r608988_rule | The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
SV-207258r608988_rule | The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
SV-207259r608988_rule | The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.
SV-207260r608988_rule | The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.
SV-207261r608988_rule | The VPN Gateway must use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
SV-207262r608988_rule | The IPsec VPN Gateway Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
SV-207263r608988_rule | The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
SV-207264r608988_rule | The VPN Gateway must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).