Free DISA STIG and SRG Library | Vaulted

V-30948

The VPN gateway server must enforce a policy to the remote software client to check for the presence of a personal firewall before enabling access to the VPN.

Finding ID
NET-VPN-230
Rule ID
SV-40990r1_rule
Severity
Cat II
CCE
(None)
Group Title
The VPN gateway server does not enforce personal firewall.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The security posture of a remote PC connecting to the enclave via VPN is vital to the overall security of the enclave. On-site hosts sit behind the enclave's perimeter defenses; a remote PC does not, and while it is connected to a service provider over a dial-up or broadband link it is exposed directly to the threats present on the Internet. Although policy already requires a personal firewall on the remote PC (Secure Remote Computing Endpoint STIG, SRC-EPT-405), that policy is only as good as the user's configuration of the endpoint, so it is imperative that the VPN gateway enforce it on the software client by verifying the firewall is active before granting access to the VPN.

Fix Text

Configure each ISAKMP client configuration group used to push policy to remote software clients so that the client is required to check for the presence of a personal firewall before access to the VPN is enabled.

Check Content

Review all ISAKMP client configuration groups used to push policy to remote software clients and verify that each one directs the software client to check for the presence of a personal firewall before enabling access to the VPN. Any group that does not enforce the check is a finding.
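The following configuration fragment is an added example and is not part of the STIG text. It assumes the gateway is a Cisco IOS Easy VPN server, which is where "ISAKMP client configuration group" is the native terminology; the group name REMOTE-USERS, the pool VPN-POOL, the DNS address and the domain are hypothetical. It shows a group that pushes policy without the firewall check beside the same group with the Are-You-There (AYT) attribute that the fix text calls for, followed by the show command a reviewer would use to perform the check.

```cisco
! Added example, not from the STIG. Assumes a Cisco IOS Easy VPN server;
! group name, pool, key, DNS address and domain are hypothetical.

! Non-compliant: the group pushes addressing and DNS to the client but
! never asks whether a personal firewall is running.
crypto isakmp client configuration group REMOTE-USERS
 key <pre-shared-key>
 dns 10.1.1.53
 domain example.mil
 pool VPN-POOL

! Compliant: the same group with the Are-You-There (AYT) attribute, so
! the client must confirm a supported personal firewall is active before
! the tunnel is completed.
crypto isakmp client configuration group REMOTE-USERS
 key <pre-shared-key>
 dns 10.1.1.53
 domain example.mil
 pool VPN-POOL
 firewall are-u-there

! Check: every client configuration group should carry the attribute.
show running-config | section crypto isakmp client configuration group
```

The AYT attribute only verifies firewalls the client software knows how to query (Cisco's documentation names the ZoneAlarm and BlackICE products), so a group that carries the attribute but serves clients with an unsupported firewall still leaves the requirement unmet in practice; on a non-Cisco gateway the equivalent client-firewall enforcement setting must be confirmed against that vendor's documentation.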

Responsibility

Information Assurance Officer

IA Controls

ECSC-1