Skip to content
Log In

Virtual Private Network (VPN) Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000510

    Group
    Show

  • The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards ...
    Rule Medium Severity
    Show

  • SRG-NET-000512

    Group
    Show

  • SRG-NET-000518

    Group
    Show

  • The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.

    If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions inc...
    Rule Medium Severity
    Show

  • SRG-NET-000519

    Group
    Show

  • The VPN Client must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

    If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session...
    Rule Medium Severity
    Show

  • SRG-NET-000522

    Group
    Show

  • SRG-NET-000525

    Group
    Show

  • SRG-NET-000530

    Group
    Show

  • The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

    Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requ...
    Rule Medium Severity
    Show

  • SRG-NET-000540

    Group
    Show

  • The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.

    Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requ...
    Rule Medium Severity
    Show

  • SRG-NET-000550

    Group
    Show

  • The VPN Gateway that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.

    Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other device...
    Rule Medium Severity
    Show

  • SRG-NET-000565

    Group
    Show

  • SRG-NET-000565

    Group
    Show

  • The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards ...
    Rule High Severity
    Show

  • SRG-NET-000580

    Group
    Show

  • SRG-NET-000213

    Group
    Show

  • The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.

    This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. Best practice is to terminate inactive user sessions aft...
    Rule Medium Severity
    Show

  • SRG-NET-000705

    Group
    Show

  • SRG-NET-000715

    Group
    Show

  • The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

    Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic o...
    Rule Medium Severity
    Show

  • SRG-NET-000760

    Group
    Show

  • SRG-NET-000345

    Group
    Show

  • The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

    Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). This requirement only applies...
    Rule Medium Severity
    Show

  • SRG-NET-000580

    Group
    Show

  • The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.

    Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. One example is if the certificate is know...
    Rule Medium Severity
    Show

  • SRG-NET-000580

    Group
    Show

  • SRG-NET-000355

    Group
    Show

  • SRG-NET-000019

    Group
    Show

  • The TLS VPN must be configured to limit authenticated client sessions to initial session source IP.

    Limiting authenticated client sessions to the initial session source IP for TLS VPNs is a safeguard against session hijacking, replay, and man-in-the-middle attacks, maintaining integrity and confi...
    Rule Medium Severity
    Show

  • SRG-NET-000230

    Group
    Show

  • The VPN Gateway must use Always On VPN connections for remote computing.

    Allowing remote users to manually toggle a VPN connection can create critical security risks. With Always On VPN, if a secured connection to the gateway is lost, hybrid-working users will be discon...
    Rule Medium Severity
    Show

  • The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

    The user must acknowledge the banner before being allowed access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the user does ...
    Rule Medium Severity
    Show

  • The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.

    Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. SHA-1 is considered a compromised hashing standard and is being phased out o...
    Rule Medium Severity
    Show

  • The VPN Gateway must generate log records containing information to establish where the events occurred.

    Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment,...
    Rule Medium Severity
    Show

  • The VPN Gateway must produce log records containing information to establish the outcome of the events.

    Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the ne...
    Rule Medium Severity
    Show

  • The VPN Gateway log must protect audit information from unauthorized modification when stored locally.

    If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. This requirement pertains to se...
    Rule Medium Severity
    Show

  • The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable...
    Rule Medium Severity
    Show

  • The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.

    The PPTP and L2F are obsolete method for implementing virtual private networks. Both protocols may be easy to use and readily available, but they have many well-known security issues and exploits. ...
    Rule Medium Severity
    Show

  • The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

    Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise...
    Rule Medium Severity
    Show

  • The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.

    A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...
    Rule Medium Severity
    Show

  • The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), the d...
    Rule Medium Severity
    Show

  • The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.

    The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through...
    Rule Medium Severity
    Show

  • The VPN Gateway must invalidate session identifiers upon user logoff or other session termination.

    Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens...
    Rule Medium Severity
    Show

  • The VPN Gateway must recognize only system-generated session identifiers.

    VPN gateways (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manu...
    Rule Medium Severity
    Show

  • The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.

    Remote access devices, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and makes remote user access manage...
    Rule Medium Severity
    Show

  • The VPN Gateway administrator accounts or security policy must be configured to allow the system administrator to immediately disconnect or disable remote access to devices and/or users when needed.

    Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking progress would not be immediately stopped. Remote access functionality must have the ca...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules