Where digital certificates are used for device authentication, the remote gateway will use DoD-approved PKI rather than default or proprietary device certificates which are preinstalled by the vendor.

From Remote Access VPN STIG

Part of SRC-NET-010 Default device certificates

Associated with IA controls: ECSC-1

SV-23753r1_rule Where digital certificates are used for device authentication, the remote gateway will use DoD-approved PKI rather than default or proprietary device certificates which are preinstalled by the vendor.

Vulnerability discussion

Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices. Once a managed device is compromised, large parts of the network could be incapacitated with only a few commands.

Check content

Review the PKI certificate menu in the device configuration to see if DoD PKI has been implemented. The certificate used will contain "DoD". If a certificate is used but it is not DoD-approved, this is a finding.

Fix text

If PKI is used for DEVICE authentication, then ensure that a DoD-approved certificate is installed. If the device does not have the option to replace the default manufacturer certificate, then the product should be replaced.
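One way to apply the check above to a gateway's exported device certificate, as an added example that is not part of the STIG. It parses the one-line distinguished names printed by `openssl x509 -noout -subject -issuer` and records a finding when the certificate is self-signed (the preinstalled vendor-default pattern) or the issuer is not DoD PKI; the sample outputs, CA names and hostnames are constructed.

```python
"""Screen a VPN gateway device certificate the way the SRC-NET-010 check does."""

# Constructed sample outputs in the style of `openssl x509 -noout -subject -issuer`.
# Assumption: openssl's "key = value, key = value" form with no escaped commas.
VENDOR_DEFAULT = (
    "subject=CN = vpn-gw-01, O = ExampleVendor\n"
    "issuer=CN = vpn-gw-01, O = ExampleVendor\n"
)
THIRD_PARTY = (
    "subject=CN = vpn-gw-01.example.mil, O = Example Agency\n"
    "issuer=C = US, O = Example Commercial CA, CN = Example Issuing CA 1\n"
)
DOD_ISSUED = (
    "subject=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = vpn-gw-01.example.mil\n"
    "issuer=C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = EXAMPLE DOD CA-00\n"
)


def parse_openssl_dn(text):
    """Map 'subject'/'issuer' to ordered (attribute, value) lists; repeated OUs are kept."""
    fields = {}
    for line in text.splitlines():
        name, _, dn = line.partition("=")
        if name not in ("subject", "issuer"):
            continue
        rdns = []
        for part in dn.split(","):
            attr, _, value = part.partition("=")
            rdns.append((attr.strip(), value.strip()))
        fields[name] = rdns
    return fields


def check_device_cert(text):
    """Return (status, reason) as a reviewer would record it for this rule."""
    fields = parse_openssl_dn(text)
    subject, issuer = fields.get("subject"), fields.get("issuer")
    if not issuer:
        return "finding", "no issuer present in certificate output"
    if subject == issuer:
        return "finding", "self-signed certificate; treat as a preinstalled vendor default"
    issuer_dn = ", ".join(f"{k}={v}" for k, v in issuer)
    # The STIG check is a name test: the issuer must contain "DoD". DoD CA names
    # appear as both "DoD" and "DOD", so compare case-insensitively. This screen
    # does not validate the chain to a DoD root; that is a separate step.
    if "DOD" in issuer_dn.upper():
        return "not a finding", f"issued by DoD PKI ({issuer_dn})"
    return "finding", f"issuer is not DoD PKI ({issuer_dn})"


if __name__ == "__main__":
    for label, sample in (("vendor default", VENDOR_DEFAULT),
                          ("third party", THIRD_PARTY), ("DoD", DOD_ISSUED)):
        print(f"{label}: {check_device_cert(sample)}")
```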
