Free DISA STIG and SRG Library | Vaulted

V-30943

The VPN gateway must use PKI or digital-signature for authenticating the remote server, peer, or client.

Finding ID
NET-VPN-030
Rule ID
SV-40985r1_rule
Severity
Cat II
CCE
(None)
Group Title
PKI is not used for authenticating remote endpoint.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Using shared secrets between two IPSec endpoints is easy to implement but is also easy to compromise. Regardless of the strength of the password, shared secrets can be cracked using software tools that are readily available. Furthermore, an implementation using shared secrets is not scalable, since every VPN gateway and software client would need to be configured with the shared secrets. In addition, there cannot be a preshared key for every user, because the VPN gateway does not know the remote client's identity in advance (the IP address is commonly used as the identifier). Hence, remote users must use a group-based preshared key for authentication, and when an individual leaves the group, changing the key must be coordinated with the other users of the group.

PKI mitigates the risk involved with group passwords because each user has an individual certificate, and it offers a scalable way to authenticate all IPSec endpoints in a secure manner. Every VPN gateway or remote client that needs to participate in the IPSec VPN is issued a digital certificate by the Certification Authority (CA). The digital certificate binds the identity information of a VPN gateway (e.g., hostname or IP address) to the device's public key by means of a digital signature, which relies on public key cryptography algorithms such as RSA. Based on this binding, any device that trusts the CA certificate, i.e., trusts the signature of the CA, will accept the identity inside the signed certificate. This model enables all VPN gateways and clients that trust the same CA to authenticate each other.

Fix Text

Configure the VPN gateway to use certificate-based authentication for IPSec peers and clients. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.

Check Content

Review the VPN gateway configuration to determine if certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.

Responsibility

Information Assurance Officer

IA Controls

ECSC-1