The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of group: PKI is not used for authenticating remote endpoint.

Associated with IA controls: ECSC-1

SV-40985r1_rule The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.

Vulnerability discussion

Using shared secrets between two IPSec endpoints is easy to implement but also easy to compromise. Pre-shared keys are frequently weak, and where IKEv1 aggressive mode is in use the hash derived from the key is exchanged in the clear and can be attacked offline with readily available tools. Furthermore, shared-secret authentication does not scale, since every VPN gateway and software client must be configured with the secret. Nor can there be a separate pre-shared key for every user: the VPN gateway cannot identify a remote-access client before authentication (the peer's IP address is commonly used to select the key, and remote users rarely have a fixed one), so remote users must share a group pre-shared key. When an individual leaves the group, the key must be changed and the change coordinated with every remaining member. PKI mitigates the risk of group passwords because each user has an individual certificate that can be revoked on its own.

PKI offers a scalable way to authenticate all IPSec endpoints securely. Every VPN gateway or remote client that participates in the IPSec VPN is issued a digital certificate by the Certification Authority (CA). The certificate binds the identity of the endpoint (e.g., hostname, IP address or distinguished name) to the endpoint's public key by means of the CA's digital signature, using a public key algorithm such as RSA or ECDSA. Any device that trusts the CA certificate, i.e., trusts the signature of the CA, accepts the identity inside a certificate the CA has signed, provided the peer proves possession of the matching private key during the IKE exchange. This model enables all VPN gateways and clients that trust the same CA to authenticate each other without any pairwise shared secret.

Check content

Review the VPN gateway configuration to determine whether certificate-based authentication is used. On an IKEv1 gateway the authentication method is defined in the ISAKMP policy configured for IKE Phase 1 negotiation; on an IKEv2 gateway it is defined in the IKE profile, for both the local and the remote side. Any policy or profile that authenticates a peer or client with a pre-shared key, and any pre-shared key configured for a wildcard peer address, is a finding.

Fix text

Configure the VPN gateway to use certificate-based authentication for IPSec peers and clients. The authentication method is defined in the ISAKMP policy (IKEv1) or IKE profile (IKEv2) used to establish the IKE security association. The gateway must also be enrolled with the CA, i.e., hold the CA certificate and its own CA-issued certificate, and any group pre-shared keys that the certificate-based policy replaces should be removed from the configuration.
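As an added example (not text from the STIG or from any vendor), the check and fix above can be turned into an automated review of an IOS-style gateway configuration. The sample configuration is constructed for illustration: policy 10 and the wildcard pre-shared key are the finding, while policy 20 and the IKEv2 profile show the corrected, certificate-based form. The command syntax follows the Cisco IOS `crypto isakmp policy` and `crypto ikev2 profile` commands, and the assumption that an ISAKMP policy without an explicit `authentication` line defaults to `rsa-sig` is Cisco IOS behaviour; other platforms need the equivalent check on their own keywords (for example `authby=` in a strongSwan `ipsec.conf`).

```python
"""Audit an IOS-style VPN gateway configuration for the IKE authentication method.

Added example for this page, not text from the STIG. The configuration sample
below is constructed for illustration; the command syntax follows Cisco IOS
'crypto isakmp policy' (IKEv1) and 'crypto ikev2 profile' (IKEv2), and the
defaulting of an ISAKMP policy without an 'authentication' line to rsa-sig is
Cisco IOS behaviour.
"""
import re
from typing import List, Tuple

# Methods that satisfy the rule: the peer proves its identity with a digital
# signature over a CA-issued certificate.
SIGNATURE_METHODS = {"rsa-sig", "ecdsa-sig"}

# Constructed sample: policy 10 and the wildcard key are the finding; policy 20
# and the IKEv2 profile show the corrected, certificate-based form.
SAMPLE_CONFIG = """\
crypto pki trustpoint ENTERPRISE-CA
 enrollment url http://ca.example.internal:80
 revocation-check crl
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key S3cret address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ikev2 profile IKEV2-CERT
 match identity remote fqdn domain example.internal
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ENTERPRISE-CA
!
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style text into (header, sub-commands): a non-indented line
    starts a block and the indented lines that follow belong to it."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks


def audit_ike_authentication(config: str) -> List[str]:
    """Return one finding per policy, profile or key that is not certificate-based."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            method = "rsa-sig"  # IOS default when no 'authentication' line is present
            for cmd in body:
                m = re.match(r"authentication\s+(\S+)", cmd)
                if m:
                    method = m.group(1)
            if method not in SIGNATURE_METHODS:
                findings.append(f"{header}: IKEv1 authentication '{method}' is not certificate-based")
        elif header.startswith("crypto ikev2 profile"):
            methods = {}
            for cmd in body:
                m = re.match(r"authentication\s+(local|remote)\s+(\S+)", cmd)
                if m:
                    methods[m.group(1)] = m.group(2)
            for side in ("local", "remote"):
                method = methods.get(side)
                if method is None:
                    findings.append(f"{header}: no {side} authentication method configured")
                elif method not in SIGNATURE_METHODS:
                    findings.append(f"{header}: IKEv2 {side} authentication '{method}' is not certificate-based")
        elif header.startswith("crypto isakmp key"):
            # A configured pre-shared key. The secret itself is deliberately not
            # copied into the finding; a 0.0.0.0 peer address is the group key
            # shared by every remote user that the discussion above warns about.
            m = re.match(r"crypto isakmp key\s+(?:[06]\s+)?\S+\s+(address|hostname)\s+(\S+)", header)
            if m:
                kind, peer = m.groups()
                note = " (wildcard address: one group key shared by all peers)" if peer == "0.0.0.0" else ""
                findings.append(f"pre-shared key configured for {kind} {peer}{note}")
    return findings


def is_compliant(config: str) -> bool:
    """True when no IKE policy, profile or key falls back to shared secrets."""
    return not audit_ike_authentication(config)


if __name__ == "__main__":
    for finding in audit_ike_authentication(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit reports policy 10 and the wildcard key and nothing else; once `authentication pre-share` is changed to `authentication rsa-sig` and the `crypto isakmp key` line is removed, the configuration passes. The pre-shared key value is never echoed into the report, so the output can be attached to an assessment record.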
