Configure the IPSec VPN client to use attributes such as 3DES, tunnel encapsulation mode, and a FIPS 140-2 approved authentication algorithm.

From Remote Endpoint STIG

Part of SRC-EPT-630 IPSec tunnel encapsulation

Associated with IA controls: ECSC-1

SV-6822r1_rule Configure the IPSec VPN client to use attributes such as 3DES, tunnel encapsulation mode, and a FIPS 140-2 approved authentication algorithm.

Vulnerability discussion

An approved algorithm must be used in order to protect data during the VPN session. (Remote Only)

Check content

Interview the network administrator to ensure both the VPN appliance and the client software use the IPSec tunneling protocol to secure traffic sent between the network and remote access devices. That is, the tunneling protocol selected in the VPN configuration must be IPSec only.

Next, navigate to the IPSec configuration tab of the VPN appliance; the IPSec attribute values selected must be AES, ESP, and MD5. The above settings are controlled in the VPN network appliance configuration, but the encryption protocol and authentication protocol settings in the client configuration must be compatible, or the client’s remote connection request will be unsuccessful. Configuration of the network device is beyond the scope of this requirement; however, these settings are addressed in the VPN procedures document required in SRC-EPT-620.

View the dial-up VPN client communications security properties using the following steps:

1. Select “Settings” from the Start Menu.
2. Select “Network and Dial-up Connections”.
3. Select the VPN connection used for connection to the remote network. (Hint: the type will be Virtual Private Network.)
4. Right click, select “Properties”, and select the “Security” tab.
5. Verify data encryption is turned on.

Refer to SRC-EPT-800 for instructions on verifying Tunnel mode is enabled on the client.

If the IPSec tunneling protocol is not enabled for VPN communications between the client and VPN appliance, this is a finding. If the concentrator is not configured to use ESP and AES, this is a finding. If the VPN client used is not FIPS 140-1/2 compliant, this is a finding.
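The client-side steps above walk through the legacy Windows dial-up connection dialog. As an added example that is not part of the STIG text, the following PowerShell script performs the same client checks (IPSec-based tunnel type, data encryption turned on, AES cipher) against a VPN entry on a modern Windows host using the built-in VpnClient module. The connection name is a constructed placeholder, and the IPsecCustomPolicy field names are assumed to match the parameters of Set-VpnConnectionIPsecConfiguration.

```powershell
# Added audit script, not part of the STIG. Requires the VpnClient module
# (Get-VpnConnection) shipped with Windows 8 / Server 2012 and later.
$ConnectionName = 'CorpVPN'   # constructed placeholder; use the real entry name

# Tunnel types that carry traffic inside IPsec (L2TP/IPsec or IKEv2).
$ipsecTunnelTypes = @('L2tp', 'Ikev2')
# EncryptionLevel values under which data encryption is actually on.
$encryptionOn     = @('Required', 'Maximum')
# ESP ciphers the check content calls for (AES); the rule title also names 3DES.
$approvedCiphers  = @('AES128', 'AES192', 'AES256', 'GCMAES128', 'GCMAES192', 'GCMAES256')

function Test-VpnIpsecAttributes {
    param([Parameter(Mandatory)][string]$Name)

    # Per-user entries first, then machine-wide ("all user") entries.
    $conn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $conn) {
        $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    }
    if (-not $conn) { throw "No VPN connection named '$Name' found." }

    $findings = @()
    if ("$($conn.TunnelType)" -notin $ipsecTunnelTypes) {
        $findings += "TunnelType is '$($conn.TunnelType)'; IPSec tunneling is not enforced."
    }
    if ("$($conn.EncryptionLevel)" -notin $encryptionOn) {
        $findings += "EncryptionLevel is '$($conn.EncryptionLevel)'; data encryption is not required."
    }

    # A custom IPsec policy, when set, pins the ESP cipher and integrity algorithm
    # (field names assumed from Set-VpnConnectionIPsecConfiguration).
    $policy    = $conn.IpsecCustomPolicy
    $integrity = 'negotiated (no custom policy pinned)'
    if ($policy) {
        if ("$($policy.CipherTransformConstants)" -notin $approvedCiphers) {
            $findings += "ESP cipher is '$($policy.CipherTransformConstants)'; AES is required."
        }
        $integrity = "$($policy.AuthenticationTransformConstants)"
    }

    [pscustomobject]@{
        Name         = $conn.Name
        TunnelType   = "$($conn.TunnelType)"
        Encryption   = "$($conn.EncryptionLevel)"
        EspIntegrity = $integrity   # reviewer compares against the approved authentication algorithm
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Test-VpnIpsecAttributes -Name $ConnectionName | Format-List
```

The integrity algorithm is reported rather than judged, since the check content lists MD5 for the appliance while the rule title asks for a FIPS 140-2 approved authentication algorithm; the reviewer decides which applies.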

Fix text

Ensure that IPSec is being used.
