| Checked | Name | Title |
|---|---|---|
☐ | SV-207184r695317_rule | The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. |
☐ | SV-207185r608988_rule | The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. |
☐ | SV-207186r608988_rule | The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
☐ | SV-207187r608988_rule | The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-207188r608988_rule | The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). |
☐ | SV-207189r608988_rule | The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. |
☐ | SV-207190r608988_rule | The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission. |
☐ | SV-207191r608988_rule | The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. |
☐ | SV-207192r608988_rule | The VPN Gateway must be configured to use IPsec with SHA-1 or greater for hashing to protect the integrity of remote access sessions. |
☐ | SV-207193r608988_rule | The IPsec VPN must implement a FIPS 140-2 validated Diffie-Hellman (DH) group. |
☐ | SV-207194r608988_rule | If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic. |
☐ | SV-207195r608988_rule | The VPN Gateway must generate log records containing information to establish what type of events occurred. |
☐ | SV-207196r608988_rule | The VPN Gateway must generate log records containing information to establish when (date and time) the events occurred. |
☐ | SV-207197r608988_rule | The VPN Gateway must generate log records containing information that establishes the identity of any individual or process associated with the event. |
☐ | SV-207198r608988_rule | The VPN Gateway must generate log records containing information to establish where the events occurred. |
☐ | SV-207199r608988_rule | The VPN Gateway must generate log records containing information to establish the source of the events. |
☐ | SV-207200r608988_rule | The VPN Gateway must produce log records containing information to establish the outcome of the events. |
☐ | SV-207201r608988_rule | The VPN Gateway must protect log information from unauthorized read access if all or some of this data is stored locally. |
☐ | SV-207202r608988_rule | The VPN Gateway log must protect audit information from unauthorized modification when stored locally. |
☐ | SV-207203r608988_rule | The VPN Gateway must protect audit information from unauthorized deletion when stored locally. |
☐ | SV-207204r608988_rule | The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-207205r608988_rule | The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations. |
☐ | SV-207206r608988_rule | The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F. |
☐ | SV-207207r608988_rule | For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. |
☐ | SV-207208r608988_rule | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-207209r608988_rule | The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. |
☐ | SV-207210r608988_rule | The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-207211r608988_rule | The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts. |
☐ | SV-207212r608988_rule | The IPsec VPN Gateway must use anti-replay mechanisms for security associations. |
☐ | SV-207213r608988_rule | The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection. |
☐ | SV-207214r608988_rule | The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
☐ | SV-207215r608988_rule | The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. |
☐ | SV-207216r608988_rule | The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. |
☐ | SV-207217r608988_rule | The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. |
☐ | SV-207218r608988_rule | The VPN Gateway must use FIPS-validated SHA-1 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification ( |
☐ | SV-207219r608988_rule | The VPN Gateway must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
☐ | SV-207220r608988_rule | The VPN Gateway must be configured to route sessions to an IDPS for inspection. |
☐ | SV-207221r608988_rule | The VPN Gateway must terminate all network connections associated with a communications session at the end of the session. |
☐ | SV-207222r608988_rule | The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. |
☐ | SV-207223r608988_rule | The IPsec VPN Gateway must use Internet Key Exchange (IKE) with SHA-1 or greater to protect the authenticity of communications sessions. |
☐ | SV-207224r608988_rule | The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. |
☐ | SV-207225r608988_rule | The VPN Gateway must recognize only system-generated session identifiers. |
☐ | SV-207226r608988_rule | The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. |
☐ | SV-207227r608988_rule | The VPN Gateway must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-207228r608988_rule | The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity. |
☐ | SV-207229r608988_rule | The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed. |
☐ | SV-207230r608988_rule | The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. |
☐ | SV-207231r608988_rule | The VPN Gateway must transmit organization-defined access authorization information using FIPS 140-2-validated cryptography to a compliant authentication server, which enforces access control decisions. |
☐ | SV-207232r608988_rule | The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). |
☐ | SV-207233r608988_rule | The VPN Gateway must provide centralized management and configuration of the content to be captured in log records generated by all network components. |
☐ | SV-207234r608988_rule | The VPN Gateway must off-load audit records onto a different system or media than the system being audited. |
☐ | SV-207235r608988_rule | The VPN Gateway must generate a log record or an SNMP trap that can be forwarded as an alert to, at a minimum, the SCA and ISSO, of all log failure events where the detection and/or prevention function is unable to write events to either local storage or |
☐ | SV-207236r608988_rule | When communication with the Central Log Server is lost, the VPN Gateway must continue to queue traffic log records locally. |
☐ | SV-207237r608988_rule | The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period. |
☐ | SV-207238r608988_rule | The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization. |
☐ | SV-207239r608988_rule | The VPN Gateway must accept the Common Access Card (CAC) credential. |
☐ | SV-207240r608988_rule | The VPN Gateway must electronically verify the Common Access Card (CAC) credential. |
☐ | SV-207241r608988_rule | The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection. |
☐ | SV-207242r608988_rule | The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. |
☐ | SV-207243r608988_rule | The VPN Gateway must disable split-tunneling for remote client VPNs. |
☐ | SV-207244r608988_rule | The IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. |
☐ | SV-207245r608988_rule | The VPN Gateway and Client must be configured to protect the confidentiality and integrity of transmitted information. |
☐ | SV-207246r695315_rule | The IPsec VPN Gateway must use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organization's sites or between a gateway and remote end-stations. |
☐ | SV-207247r608988_rule | For site-to-site VPN, for accounts using password authentication, the VPN Gateway must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. |
☐ | SV-207248r608988_rule | The VPN Gateway must generate log records when successful and/or unsuccessful VPN connection attempts occur. |
☐ | SV-207249r608988_rule | The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes. |
☐ | SV-207250r608988_rule | The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. |
☐ | SV-207251r608988_rule | The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. |
☐ | SV-207252r608988_rule | The IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). |
☐ | SV-207253r608988_rule | The VPN Gateway must not accept certificates that have been revoked when using PKI for authentication. |
☐ | SV-207254r608988_rule | The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway. |
☐ | SV-207255r608988_rule | The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
☐ | SV-207256r608988_rule | For site-to-site VPN, the VPN Gateway must store only cryptographic representations of Pre-shared Keys (PSKs). |
☐ | SV-207257r608988_rule | The IPsec VPN must use Advanced Encryption Standard (AES) encryption for the IPsec proposal to protect the confidentiality of remote access sessions. |
☐ | SV-207258r608988_rule | The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. |
☐ | SV-207259r608988_rule | The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0. |
☐ | SV-207260r608988_rule | The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. |
☐ | SV-207261r608988_rule | The VPN Gateway must use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network. |
☐ | SV-207262r608988_rule | The IPsec VPN Gateway Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. |
☐ | SV-207263r608988_rule | The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. |
☐ | SV-207264r608988_rule | The VPN Gateway must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |