STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide Version: 9 Release: 10 Benchmark Date: 24 Jan 2020

Encapsulated and/or encrypted traffic received from another enclave must not bypass the network perimeter defense without being terminated and inspected before entering the enclave's private network.

DISA Rule

SV-15493r6_rule

Vulnerability Number

V-14737

Group Title

Tunnel is not terminated at perimeter for inspection.

Rule Version

NET-TUNL-026

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Move tunnel decapsulation to a secure end-point at the enclave's perimeter for filtering and inspection.

Check Contents

Review network device configurations and topology diagrams to validate that encapsulated traffic received from other enclaves terminates at the perimeter for filtering and content inspection. If the tunnel is terminated on a VPN gateway, validate that the traffic is inspected by a firewall and IDPS before gaining access to the private network.

If the tunnel is being provided by the perimeter router with a direct connection to the tenant's perimeter router, then the perimeter router (of the enclave providing the transit service) must be configured (examples: policy-based routing, or a VRF bound to this interface with only a default route pointing out) to ensure all traffic received by this connecting interface is forwarded directly to the NIPR/SIPR interface regardless of destination. If this isn't being done, then the connecting interface will have to be treated as an external interface with all the applicable checks.

Secured connections such as SSL or TLS, which are used for remote access, secure web access, etc., are also applicable to this rule. These types of connections, like the other types above, must terminate at the enclave perimeter, enclave DMZ, or an enclave service network for filtering and content inspection before passing into the enclave's private network.

If the tunnels do not meet any of the criteria above and bypass the enclave's perimeter without filtering and inspection, this is a finding.

Note: This vulnerability is not applicable for any VPN connectivity between multiple sites of the same enclave, nor is it applicable for VPN remote access to the enclave. For these deployments, the implementation must be compliant with all requirements specified within the IPsec VPN STIG.
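The transit-router case above (a VRF bound to the connecting interface with only a default route pointing out the NIPR/SIPR interface) is the one part of this check that can be verified mechanically from a running configuration. The script below is an added example written for this page; it is not STIGQter code or DISA check content. It assumes a constructed, Cisco IOS-style configuration fragment (the `vrf forwarding` and `ip route vrf` syntax and all interface names and addresses are assumptions), a known NIPR-facing interface, and a known list of transit interfaces supplied by the reviewer. It models only the VRF option, not the policy-based-routing alternative, and it does not replace the topology-diagram and firewall/IDPS review the check also requires. Any transit interface it flags as a finding is one that must instead be treated as an external interface with all the applicable checks.

```python
import re

# Constructed sample configuration (assumption: IOS-style syntax; not from the STIG).
# Gi0/0 faces NIPRNet. Gi0/1 through Gi0/5 are direct links to tenant perimeter routers.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 description Uplink to NIPRNet
!
interface GigabitEthernet0/1
 description Transit to tenant A (correct: VRF with default route only)
 vrf forwarding TRANSIT_A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description Transit to tenant B (wrong: VRF leaks an internal prefix)
 vrf forwarding TRANSIT_B
 ip address 192.0.2.5 255.255.255.252
!
interface GigabitEthernet0/3
 description Transit to tenant C (wrong: no VRF bound at all)
 ip address 192.0.2.9 255.255.255.252
!
interface GigabitEthernet0/5
 description Transit to tenant D (wrong: default route points inward)
 vrf forwarding TRANSIT_D
 ip address 192.0.2.13 255.255.255.252
!
ip route vrf TRANSIT_A 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route vrf TRANSIT_B 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route vrf TRANSIT_B 10.10.0.0 255.255.0.0 GigabitEthernet0/4
ip route vrf TRANSIT_D 0.0.0.0 0.0.0.0 GigabitEthernet0/6
"""

NIPR_INTERFACE = "GigabitEthernet0/0"          # assumed NIPR/SIPR-facing interface
TRANSIT_INTERFACES = ["GigabitEthernet0/1", "GigabitEthernet0/2",
                      "GigabitEthernet0/3", "GigabitEthernet0/5"]


def parse_config(text):
    """Return (interface -> bound VRF or None, VRF -> [(prefix, mask, next hop)])."""
    iface_vrf, routes, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)", line)
        if m:                                   # start of an interface block
            current = m.group(1)
            iface_vrf.setdefault(current, None)
            continue
        if line.startswith(" ") and current:    # sub-command inside the block
            m = re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)
            if m:
                iface_vrf[current] = m.group(1)
            continue
        current = None                          # any other global command ends the block
        m = re.match(r"ip route vrf (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            routes.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return iface_vrf, routes


def evaluate_transit_interface(iface, iface_vrf, routes, nipr_iface):
    """Apply the VRF criterion from the check to one transit interface."""
    vrf = iface_vrf.get(vrf_key := iface)
    if vrf is None:
        return "finding", f"{vrf_key}: no VRF bound; treat as an external interface with all applicable checks"
    vrf_routes = routes.get(vrf, [])
    if len(vrf_routes) != 1 or vrf_routes[0][:2] != ("0.0.0.0", "0.0.0.0"):
        return "finding", f"{iface}: VRF {vrf} does not carry exactly one default route"
    if vrf_routes[0][2] != nipr_iface:
        return "finding", f"{iface}: VRF {vrf} default route exits {vrf_routes[0][2]}, not {nipr_iface}"
    return "compliant", f"{iface}: VRF {vrf} forwards all received traffic out {nipr_iface}"


def audit(config_text, transit_ifaces, nipr_iface):
    """Evaluate every transit interface; returns {interface: (status, reason)}."""
    iface_vrf, routes = parse_config(config_text)
    return {i: evaluate_transit_interface(i, iface_vrf, routes, nipr_iface) for i in transit_ifaces}


if __name__ == "__main__":
    for iface, (status, reason) in audit(SAMPLE_CONFIG, TRANSIT_INTERFACES, NIPR_INTERFACE).items():
        print(f"[{status.upper():9}] {reason}")
```

Only GigabitEthernet0/1 passes: its VRF holds a single default route whose exit is the NIPR interface, so nothing arriving on that link can reach the enclave's private network. The other three each fail a different part of the criterion (an extra internal prefix, no VRF at all, and a default route pointing inward), which is the behaviour a reviewer should expect to see before deciding whether to apply the full external-interface checks to those links.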

Documentable

False

Severity Override Guidance

Same text as Check Contents above.

Check Content Reference

M

Target Key

838

Comments