The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of The VPN gateway server does not enforce banner warning.

Associated with IA controls: ECSC-1

SV-40988r1_rule The VPN gateway server must enforce a policy to the software client to display a DoD approved warning banner prior to allowing access to the VPN.

Vulnerability discussion

All software remote clients must present a DoD approved warning banner prior to allowing access to the VPN. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the network is subject to monitoring to detect unauthorized usage. Failure to display the required warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. DoD CIO has issued new, mandatory policy standardizing the wording of “notice and consent” banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems, by releasing DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.

Check content

Review all ISAKMP client configuration groups used to push policy to remote software clients and determine if the software client will display a DoD approved warning banner prior to allowing access to the VPN. Verify either Option A or Option B (for clients with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim:

Option A

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Option B

If the client is incapable of displaying the required banner verbiage due to its size or the server is limited as to the banner to push to the client, a smaller banner must be used. The mandatory verbiage follows: “I've read & consent to terms in IS user agreem't.”

Fix text

Configure the ISAKMP client configuration groups used to push policy to remote software clients to display a DoD approved warning banner prior to allowing access to the VPN.
