Free DISA STIG and SRG Library | Vaulted

V-30944

The VPN gateway must only accept certificates issued by a DoD-approved Certificate Authority when using PKI for authentication.

Finding ID: NET-VPN-040
Rule ID: SV-40986r1_rule
Severity: Cat II
CCE: (None)
Group Title: DoD-approved CA is not used for PKI authentication.
CCI: (None)
Target Key: (None)
Documentable: No
Discussion

When using digital certificates, Internet Key Exchange (IKE) negotiation between peers is restricted by either manually configuring each peer with the public key for each peer to which it is allowed to connect, or enrolling each peer with a Certificate Authority (CA). All peers to which the peer is allowed to connect must enroll with the same CA server and belong to the same organization. Certificates are issued and signed by a CA. Hence, the signature on a certificate identifies the particular CA that issued a certificate. The CA in turn has a certificate that binds its identity to its public key, so the CA’s identity can be verified. The primary role of the CA is to digitally sign and publish the public key bound to a given user or device via a digital certificate. This is done using the CA's own private key, so that trust in the user’s key relies on trust in the validity of the CA's key. Hence, to establish trust in the certificate of the remote client or peer, the VPN gateway must be configured to validate the peer’s certificate with the DoD-approved CA, as well as validate the identity of the DoD-approved CA. If the peer’s certificate is not validated, there is a risk of establishing an IPSec Security Association with a malicious user or a remote client that is not authorized.

Fix Text

Configure the VPN gateway to enroll with a DoD-approved Certificate Authority.

Check Content

Review the VPN gateway configuration to determine whether a CA trust point has been configured. The CA trust point will contain the URL of the CA with which the gateway has enrolled. Verify this is a DoD or DoD-approved CA. This will ensure the gateway has enrolled with, and received a certificate from, a trusted CA. The gateway will always validate a remote end-point’s certificate by verifying the CA’s signature on that certificate using the CA’s public key, which is contained in the gateway’s certificate received at enrollment.
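As an added illustration, not part of the STIG text, the validation described in the Discussion and Check Content above, written against Go's standard crypto/x509 library: a constructed self-signed CA stands in for the DoD-approved CA, the gateway's trust point holds only that CA, and a peer certificate signed by any other CA fails the check. All certificate names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for name. With parent == nil it is a self-signed
// CA (constructed stand-in for the approved CA); otherwise parent signs a peer cert.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA, permitted to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// PeerTrusted is the gateway-side check this rule requires: the peer certificate's
// signature must verify under the one approved CA's public key; any other issuer fails.
func PeerTrusted(approvedCA, peer *x509.Certificate) bool {
	roots := x509.NewCertPool() // the trust point: only the enrolled CA is in here
	roots.AddCert(approvedCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

A gateway whose trust point also held the second CA would accept peer-b, which is exactly the condition this finding flags.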

Responsibility

Information Assurance Officer

IA Controls

ECSC-1