| V-266983 | | AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. SHA-1 is considered a comprom... |
| V-266984 | | AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-266986 | | AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The National Security Agency/Central Secur... |
| V-266987 | | AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architecture... |
| V-266988 | | AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architect... |
| V-266989 | | The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used ... |
| V-266991 | | For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. | Unlike Generic Routing Encapsulation (GRE) (a simple encapsulating header), L2TP is a full-fledged communications protocol with control channel, data ... |
| V-266992 | | AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traf... |
| V-266993 | | AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number. | VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowe... |
| V-266994 | | The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+]) to perform user authentication. | The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. Authentication, Auth... |
| V-266995 | | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-266996 | | The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period. | This requirement is in response to the DOD Office of Inspector General Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Env... |
| V-266997 | | AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization. | When a VPN gateway creates an IPsec security association (SA), resources must be allocated to maintain the SA. These resources are wasted during perio... |
| V-266998 | | The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). | PPTP and L2F are obsolete methods for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have ma... |
| V-266999 | | AOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, that lack automated capabilities increase ris... |
| V-267000 | | AOS, when used as a VPN Gateway, must disable split-tunneling for remote client VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizati... |
| V-266990 | | AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session. | Idle Transmission Control Protocol (TCP) sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continua... |
| V-266982 | | AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. The... |
| V-266985 | | AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-267001 | | AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hash... |
| V-268313 | | AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication. | Situations may arise in which the certificate issued by a certificate authority (CA) may need to be revoked before the lifetime of the certificate exp... |
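The IKE/IPsec rows above (V-266983, V-266985, V-266982, V-267001, V-266997, V-267000, V-266991, V-266998, V-268313) state checkable properties of a gateway's crypto and tunnel policy. The following is an added policy-as-code example, not part of the STIG, DISA, or any Aruba tooling: it evaluates a VPN policy against those rows and returns one finding per failed rule. The policy model (`ike_hash`, `ike_encryption`, `pfs_group`, `sa_lifetime_seconds`, `split_tunnel`, `allowed_tunnel_protocols`, `auth_method`, `check_revocation`) is a constructed dictionary, not AOS CLI syntax, and the SHA-2 name parsing (`sha384`, `sha2-384`, `sha2-384-192`) is an assumption about how a config export might spell the hash; map a real device's exported configuration onto these fields before use.

```python
"""Check an IPsec/IKE VPN gateway policy against the crypto and tunnel rows of the
STIG table above. Added example; the policy dictionary is a constructed model of a
gateway configuration, not Aruba AOS CLI output (assumption: field names are ours)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # STIG ID from the table
    message: str


# Obsolete / cleartext tunnel protocols the table says must be denied (V-266991, V-266998).
DENIED_TUNNEL_PROTOCOLS = {"pptp", "l2f", "l2tp"}
MAX_SA_LIFETIME_SECONDS = 24 * 60 * 60  # V-266997: renegotiate SA at 24 h or less
MIN_HASH_BITS = 384                     # V-266983: SHA-2 at 384 bits or greater


def hash_bits(name: str) -> int:
    """Digest length of a SHA-2 name such as 'sha384', 'sha2-512' or 'sha2-384-192'.
    Returns 0 for SHA-1, MD5 or anything unrecognised, so unknown names fail closed."""
    m = re.search(r"sha-?2?-?(\d{3})", name.lower())
    return int(m.group(1)) if m else 0


def check_policy(policy: dict) -> list[Finding]:
    """Return findings for every table row the policy violates (empty list = compliant)."""
    findings: list[Finding] = []

    ike_hash = str(policy.get("ike_hash", ""))
    if hash_bits(ike_hash) < MIN_HASH_BITS:
        findings.append(Finding("V-266983", f"integrity hash {ike_hash!r} is weaker than SHA-2 384"))

    enc = str(policy.get("ike_encryption", "")).lower()
    if not enc.startswith("aes"):
        findings.append(Finding("V-266985", f"IKE encryption {enc!r} is not AES"))

    if not policy.get("ike_enabled", False):
        findings.append(Finding("V-267001", "security associations are manually keyed; IKE is required"))

    if not policy.get("pfs_group"):
        findings.append(Finding("V-266982", "no Diffie-Hellman group configured for PFS in the IKE negotiation"))

    lifetime = int(policy.get("sa_lifetime_seconds", 0))
    if not 0 < lifetime <= MAX_SA_LIFETIME_SECONDS:
        findings.append(Finding("V-266997", f"SA lifetime {lifetime}s is unset or exceeds 24 hours"))

    if policy.get("split_tunnel", True):  # absent setting is treated as enabled
        findings.append(Finding("V-267000", "split tunnelling is enabled for remote clients"))

    for proto in policy.get("allowed_tunnel_protocols", []):
        if proto.lower() in DENIED_TUNNEL_PROTOCOLS:
            rule = "V-266991" if proto.lower() == "l2tp" else "V-266998"
            findings.append(Finding(rule, f"obsolete tunnel protocol {proto} is permitted"))

    if policy.get("auth_method") == "pki" and not policy.get("check_revocation", False):
        findings.append(Finding("V-268313", "PKI authentication without certificate revocation checking"))

    return findings


# Constructed sample policies (not exported from any real device).
NONCOMPLIANT_POLICY = {
    "ike_enabled": True,
    "ike_hash": "sha1",
    "ike_encryption": "3des",
    "pfs_group": None,
    "sa_lifetime_seconds": 7 * 24 * 3600,
    "split_tunnel": True,
    "allowed_tunnel_protocols": ["ipsec", "l2tp", "pptp"],
    "auth_method": "pki",
    "check_revocation": False,
}
COMPLIANT_POLICY = {
    "ike_enabled": True,
    "ike_hash": "sha2-384",
    "ike_encryption": "aes256",
    "pfs_group": 20,               # DH group used for PFS (illustrative value)
    "sa_lifetime_seconds": 8 * 3600,
    "split_tunnel": False,
    "allowed_tunnel_protocols": ["ipsec"],
    "auth_method": "pki",
    "check_revocation": True,
}

if __name__ == "__main__":
    for name, pol in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        report = [f"{f.rule}: {f.message}" for f in check_policy(pol)] or ["no findings"]
        print(name, *report, sep="\n  ")
```

The checks fail closed: an unrecognised hash name, a missing `split_tunnel` key, or a missing `ike_enabled` key all produce a finding, so a field the export did not populate shows up as a failure to investigate rather than a silent pass. Rows that depend on surrounding infrastructure (CSfC, separate authentication server, IDPS routing, banner) are not modelled here because they cannot be judged from the gateway policy alone.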