UCF STIG Viewer Logo

Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclaves private network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14737 NET-TUNL-026 SV-15493r5_rule High
Description
Allowing encapsulated traffic to bypass the enclave's network perimeter without being filtered and inspected leaves the enclave vulnerable to malicious traffic that could result in compromise and denial of service. The destination of these packets could be servers that provide mission critical services and data.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2016-12-22

Details

Check Text ( C-12959r6_chk )
Review network device configurations and topology diagrams to validate encapsulated traffic received from other enclaves terminate at the perimeter for filtering and content inspection. If the tunnel is terminated on a VPN gateway, validate the traffic is inspected by a firewall and IDPS before gaining access to the private network.

If the tunnel is being provided by the perimeter router with a direct connection to the tenant's perimeter router, then the perimeter router (of the enclave providing the transient service) must be configured (examples: policy based routing or VRF bound to this interface with only a default route pointing out) to insure all traffic received by this connecting interface is forwarded directly to the NIPR/SIPR interface regardless of destination. If this isn't being done then the connecting interface will have to be treated as an external interface with all the applicable checks.

Secured connections such as SSL or TLS which are used for remote access, secure web access, etc. is also applicable to this rule. These types of connections like the other types above must terminate at the enclave perimeter, enclave DMZ, or an enclave service network for filtering and content inspection before passing into the enclave's private network.

If the tunnels do not meet any of the criteria above and bypass the enclave's perimeter without filtering and inspection, this is a finding.

Note: This vulnerability is not applicable for any VPN connectivity between multiple sites of the same enclave, nor is it applicable for VPN remote access to the enclave. For theses deployments, the implementation must be compliant with all requirements specified within IPsec VPN STIG.
Fix Text (F-14203r3_fix)
Move tunnel decapsulation to a secure end-point at the enclave's perimeter for filtering and inspection.