The ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258583	IVCS-VN-000010	SV-258583r930437_rule		Medium

Description
Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.

Description

Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.

STIG	Date
Ivanti Connect Secure VPN Security Technical Implementation Guide	2023-10-17

Details

Check Text ( C-62323r930435_chk )
In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control. 1. Verify that an Access Control Policy exists. 2. Verify the Access Control Policy is not configured to allows all IPv4/IPv6 addresses or all TCP/UDP ports. If the ICS does not use one or more Access Control Policies to restrict inbound and outbound traffic compliance with the sites documented information flow control policy, this is a finding.

Check Text ( C-62323r930435_chk )

In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control.
1. Verify that an Access Control Policy exists.
2. Verify the Access Control Policy is not configured to allows all IPv4/IPv6 addresses or all TCP/UDP ports.

If the ICS does not use one or more Access Control Policies to restrict inbound and outbound traffic compliance with the sites documented information flow control policy, this is a finding.

Fix Text (F-62232r930436_fix)
Establish Access Control policy in accordance with the site's system security plan. Policies will vary based on security policies and architecture. In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control. 1. Click "New Policy". 2. Enter a name. 3. Under IPv4 Resources, add all allowed ports and protocols required for users. Examples provided below: - For ICMP configure the following: icmp://10.0.0.0/255.255.255.0 to allow ICMP communications for the 10.0.0.0/24 subnet. - For TCP configure the following: tcp://:80,443 to allow TCP communications for all IPv4 addresses going to TCP port 80 and 443 (web traffic). - For UDP configure the following: udp://10.0.0.0/255.255.255.0:53,123 to allow UDP communications for the 10.0.0.0/24 IPv4 addresses going to UDP port 53 (DNS) and 123 (NTP). 4. Under IPv6 Resources, add all allowed ports and protocols required for users. Examples provided below: - For ICMP configure the following: icmpv6://[2001:db8:1::/64] to allow ICMPv6 communications for the 2001:db8:1::/64 subnet. - For TCP configure the following: tcp://[]:80,443 to allow TCP communications for all IPv6 addresses going to TCP port 80 and 443 (web traffic). - For UDP configure the following: udp://[2001:db8:2::/64]:53,123 to allow UDP communications for the 2001:db8:2::/64 IPv6 addresses going to UDP port 53 (DNS) and 123 (NTP). 5. For FQDN, add specific URLs to allow, if needed. 6. Select "Policy applies to SELECTED roles" and select the role that remote access VPN users are assigned. If there are multiple, select each one and click "Add". 7. Click "Allow Access". 8. Click "Save Changes".

Fix Text (F-62232r930436_fix)

Establish Access Control policy in accordance with the site's system security plan. Policies will vary based on security policies and architecture.

In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control.
1. Click "New Policy".
2. Enter a name.
3. Under IPv4 Resources, add all allowed ports and protocols required for users. Examples provided below:
- For ICMP configure the following: icmp://10.0.0.0/255.255.255.0 to allow ICMP communications for the 10.0.0.0/24 subnet.
- For TCP configure the following: tcp://*:80,443 to allow TCP communications for all IPv4 addresses going to TCP port 80 and 443 (web traffic).
- For UDP configure the following: udp://10.0.0.0/255.255.255.0:53,123 to allow UDP communications for the 10.0.0.0/24 IPv4 addresses going to UDP port 53 (DNS) and 123 (NTP).
4. Under IPv6 Resources, add all allowed ports and protocols required for users. Examples provided below:
- For ICMP configure the following: icmpv6://[2001:db8:1::/64] to allow ICMPv6 communications for the 2001:db8:1::/64 subnet.
- For TCP configure the following: tcp://[*]:80,443 to allow TCP communications for all IPv6 addresses going to TCP port 80 and 443 (web traffic).
- For UDP configure the following: udp://[2001:db8:2::/64]:53,123 to allow UDP communications for the 2001:db8:2::/64 IPv6 addresses going to UDP port 53 (DNS) and 123 (NTP).
5. For FQDN, add specific URLs to allow, if needed.
6. Select "Policy applies to SELECTED roles" and select the role that remote access VPN users are assigned. If there are multiple, select each one and click "Add".
7. Click "Allow Access".
8. Click "Save Changes".