| V-207190 | | The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-207193 | | The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. | Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, stor... |
| V-207209 | | The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-207223 | | The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE). | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar2 for... |
| V-207230 | | The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote ... |
| V-207244 | | The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
The... |
| V-207245 | | The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communications can be intercepted a... |
| V-207252 | | The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hash... |
| V-207257 | | The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote ... |
| V-207261 | | The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptogr... |
| V-207262 | | The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptogr... |
| V-207184 | | The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-207185 | | The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used ... |
| V-207186 | | The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | The user must acknowledge the banner before being allowed access to the network. This provides assurance that the user has seen the message and accept... |
| V-207189 | | The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. | VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowe... |
| V-207191 | | The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. | Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of maliciou... |
| V-207192 | | The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
SHA-1 is considered a comprom... |
| V-207194 | | If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic. | L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are ther... |
| V-207197 | | The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-207198 | | The VPN Gateway must generate log records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
I... |
| V-207200 | | The VPN Gateway must produce log records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-207202 | | The VPN Gateway log must protect audit information from unauthorized modification when stored locally. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossib... |
| V-207203 | | The VPN Gateway must protect audit information from unauthorized deletion when stored locally. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossib... |
| V-207204 | | The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-207205 | | The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-207206 | | The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F. | The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have... |
| V-207207 | | For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. | Unlike GRE (a simple encapsulating header) L2TP is a full-fledged communications protocol with control channel, data channels, and a robust command st... |
| V-207208 | | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-207210 | | The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the inf... |
| V-207211 | | The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-207212 | | The IPsec VPN Gateway must use anti-replay mechanisms for security associations. | Anti-replay is an IPsec security mechanism at a packet level, which helps to avoid unwanted users from intercepting and modifying an ESP packet.... |
| V-207213 | | The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architecture... |
| V-207214 | | The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-207215 | | The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
Th... |
| V-207216 | | The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. | The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security... |
| V-207217 | | The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-207218 | | The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Although allowed by SP800-131Ar2 for... |
| V-207219 | | The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a VPN gateway that provides oppor... |
| V-207220 | | The VPN Gateway must be configured to route sessions to an IDPS for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase r... |
| V-207222 | | The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide co... |
| V-207224 | | The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. | Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previo... |
| V-207225 | | The VPN Gateway must recognize only system-generated session identifiers. | VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can gues... |
| V-207226 | | The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. | Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulner... |
| V-207227 | | The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. VP... |
| V-207228 | | The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, in... |
| V-207229 | | The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed. | Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped... |
| V-207234 | | The VPN Gateway must off-load audit records onto a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-207235 | | The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-207237 | | The VPN Gateway must renegotiate the IPsec security association (SA) after eight hours or less. | The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A... |
| V-207238 | | The VPN Gateway must renegotiate the IKE security association (SA) after eight hours or less. | When a VPN gateway creates an IPsec SA, resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint in... |
| V-207239 | | The VPN Gateway must accept the Common Access Card (CAC) credential. | The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated... |
| V-207240 | | The VPN Gateway must electronically verify the Common Access Card (CAC) credential. | DoD has mandated the use of the CAC as the Personal Identity Verification (PIV) credential to support identity management and personal authentication ... |
| V-207241 | | The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architect... |
| V-207242 | | The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Secur... |
| V-207243 | | The VPN Gateway must disable split-tunneling for remote clients VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizati... |
| V-207247 | | For accounts using password authentication, the site-to-site VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-207248 | | The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate,... |
| V-207249 | | The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes. | FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvali... |
| V-207250 | | The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. | FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvali... |
| V-207251 | | The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptogr... |
| V-207254 | | The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
Howe... |
| V-207255 | | The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. | If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users... |
| V-207256 | | For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs). | PSKs need to be protected at all times, and encryption is the standard method for protecting passwords. If PSKs are not encrypted, they can be plainly... |
| V-207258 | | The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-207259 | | The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-207260 | | The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safe... |
| V-207263 | | The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-251044 | | The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period. | This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
Best prac... |
| V-264328 | | The VPN Gateway must employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective. | DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organization... |
| V-264329 | | The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa... |
| V-264330 | | The VPN Gateway must establish organization-defined alternate communications paths for system operations organizational command and control. | An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational ... |
| V-264331 | | The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-264332 | | The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate exp... |
| V-264333 | | The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate exp... |
| V-264334 | | The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions. | Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD sys... |
| V-264335 | | The TLS VPN must be configured to limit authenticated client sessions to initial session source IP. | Limiting authenticated client sessions to the initial session source IP for TLS VPNs is a safeguard against session hijacking, replay, and man-in-the-... |
| V-264336 | | The VPN Gateway must use Always On VPN connections for remote computing. | Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gatew... |
| V-207195 | | The VPN Gateway must generate log records containing information to establish what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |
| V-207196 | | The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
VP... |
| V-207199 | | The VPN Gateway must generate log records containing information to establish the source of the events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. ... |
| V-207201 | | The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack... |
| V-207221 | | The VPN Gateway must terminate all network connections associated with a communications session at the end of the session. | Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously co... |
