Check: SRG-NET-000230-VPN-002436
Virtual Private Network (VPN) SRG:
SRG-NET-000230-VPN-002436
(in versions v3 r3 through v2 r6)
Title
The VPN Gateway must use Always On VPN connections for remote computing. (Cat II impact)
Discussion
Allowing remote users to manually toggle a VPN connection creates critical security risks. "Always On" describes a VPN connection that the client establishes automatically at startup and keeps up thereafter without user action. With Always On VPN, if the secured connection to the gateway is lost, remote (hybrid-working) users lose internet access until the issue is resolved, rather than continuing over an unprotected path. The remote client must not be able to access the internet without first establishing a VPN session with a DOD site. Note that device compliance checks, including the banner presentation, are still required prior to connecting to DOD resources. Although out of scope for this requirement, the connection process must ensure remote devices meet security standards before accessing DOD resources; devices that fail compliance checks can be denied access, reducing the risk posed by compromised endpoints.
Check Content
Verify that the VPN Gateway uses an Always On VPN connection for remote computing. If the VPN Gateway does not use an Always On VPN connection for remote computing, this is a finding.
Fix Text
Configure the VPN Gateway to enable Always On VPN connections for all remote users. The remote client must not be able to access the internet without first establishing a VPN session with a DOD site.
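The SRG is gateway-agnostic, so the concrete setting lives in each vendor's gateway and in the client profile the deployment pushes. As an added example (not part of the SRG and not vendor code), the following Python script audits a Windows Always On VPN client profile (VPNv2 CSP ProfileXML) against this requirement. The element names AlwaysOn, NativeProfile, Servers, NativeProtocolType and RoutingPolicyType come from the VPNv2 CSP schema; the two sample profiles and the hostnames in them are constructed; and the reading that "no internet access without a VPN session" requires ForceTunnel rather than SplitTunnel is an assumption made for the check.

```python
"""Audit a Windows VPNv2 CSP ProfileXML against SRG-NET-000230-VPN-002436.

Added example, not part of the SRG or of any vendor's product.
Assumption: "no internet without a VPN session" means AlwaysOn must be
true AND RoutingPolicyType must be ForceTunnel, since SplitTunnel lets
non-corporate traffic bypass the gateway entirely.
"""
import xml.etree.ElementTree as ET

# Constructed sample profiles (hostnames are placeholders, not real systems).
COMPLIANT_PROFILE = """<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <NativeProfile>
    <Servers>vpn.example.mil</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
</VPNProfile>"""

NONCOMPLIANT_PROFILE = """<VPNProfile>
  <AlwaysOn>false</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.mil</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
</VPNProfile>"""


def _text(root, path):
    """Return the stripped text of the first element at path, or None if absent."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit_profile(profile_xml: str) -> list:
    """Return a list of finding strings; an empty list means the profile passes."""
    root = ET.fromstring(profile_xml)
    findings = []

    # Finding 1: the user can leave the VPN down (or the element is missing,
    # which leaves the tunnel user-initiated).
    always_on = _text(root, "AlwaysOn")
    if always_on is None or always_on.lower() != "true":
        findings.append("AlwaysOn is not 'true': users can leave the VPN disconnected")

    # Finding 2: anything other than ForceTunnel lets internet-bound traffic
    # leave the host outside the VPN session.
    routing = _text(root, "NativeProfile/RoutingPolicyType")
    if routing != "ForceTunnel":
        findings.append(
            f"RoutingPolicyType is {routing!r}, not 'ForceTunnel': "
            "internet traffic can bypass the gateway"
        )

    # Finding 3: no gateway to connect to at all.
    if _text(root, "NativeProfile/Servers") is None:
        findings.append("No VPN server (NativeProfile/Servers) configured")

    return findings


if __name__ == "__main__":
    for name, profile in (("compliant", COMPLIANT_PROFILE),
                          ("noncompliant", NONCOMPLIANT_PROFILE)):
        result = audit_profile(profile)
        print(f"{name}: {'PASS' if not result else 'FINDING'}")
        for line in result:
            print(f"  - {line}")
```

Run it against an exported ProfileXML to get a pass/finding verdict for the client side; the gateway side (refusing split-tunnel policy, enforcing device compliance before the banner and session) still has to be verified in the vendor's own configuration.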
Additional Identifiers
Rule ID: SV-264336r1056131_rule
Vulnerability ID: V-264336
Group Title: SRG-NET-000230
CCIs
Number | Definition |
---|---|
CCI-001184 | Protect the authenticity of communications sessions. |
Controls
Number | Title |
---|---|
SC-23 | Session Authenticity |