The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of group: DoD-approved CA is not used for PKI authentication.

Associated with IA controls: ECSC-1

Rule SV-40986r1_rule: The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.

Vulnerability discussion

When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued the certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA's identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so trust in the user's key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer's certificate against the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer's certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized.

Check content

Review the VPN gateway configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA with which the gateway has enrolled. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled and received a certificate from a trusted CA. A remote end-point's certificate will always be validated by the gateway by verifying the CA's signature on the certificate using the CA's public key, which is contained in the CA certificate the gateway received at enrollment.
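One way to automate the review above, as an added example that is not part of the STIG: a small Python script that pulls every CA trust point out of an IOS-style configuration and compares each enrollment URL's host against an allowlist of approved CA hosts. The configuration syntax, the sample config and the allowlist entries are assumptions for illustration, not values from the page; the real allowlist comes from the DoD PKI program office.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample configuration in IOS-style syntax (assumption, not from the STIG).
# The first trust point enrolls with an approved CA, the second with a lab CA.
SAMPLE_CONFIG = """\
hostname vpn-gw01
crypto pki trustpoint DOD-ID-CA
 enrollment url http://ca.example.mil:80
 subject-name CN=vpn-gw01.example.mil,OU=PKI,OU=DoD,O=U.S. Government,C=US
 revocation-check crl
!
crypto pki trustpoint LAB-CA
 enrollment url http://ca.lab.example.com:80
 revocation-check none
!
"""

# Placeholder allowlist of approved CA hostnames (constructed; not a real DoD CA list).
APPROVED_CA_HOSTS = {"ca.example.mil"}

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)")


def parse_trustpoints(config: str) -> Dict[str, List[str]]:
    """Return {trust point name: [its indented attribute lines]}."""
    trustpoints: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            current = m.group(1)
            trustpoints[current] = []
        elif current is not None and line.startswith(" "):
            trustpoints[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the block
    return trustpoints


def audit_trustpoints(config: str, approved_hosts) -> List[dict]:
    """Produce one PASS/FAIL finding per trust point; FAIL if none is configured."""
    trustpoints = parse_trustpoints(config)
    if not trustpoints:
        return [{"trustpoint": None, "status": "FAIL", "reason": "no CA trust point configured"}]
    findings = []
    for name, attrs in trustpoints.items():
        url = next((a.split(None, 2)[2] for a in attrs if a.startswith("enrollment url ")), None)
        host = urlparse(url).hostname if url else None
        if host in approved_hosts:
            status, reason = "PASS", f"enrolled with approved CA {host}"
        else:
            status, reason = "FAIL", f"enrollment URL host {host} is not an approved CA"
        findings.append({"trustpoint": name, "status": status, "reason": reason})
    return findings
```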

Fix text

Configure the VPN gateway to enroll with a DoD-approved Certificate Authority.
