An error occurred:

Check: SRG-NET-000145-VPN-000510

Virtual Private Network (VPN) SRG: SRG-NET-000145-VPN-000510 (in versions v3 r3 through v3 r1)

Title

The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. (Cat II impact)

Discussion

Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DOD CAC. A nonprivileged account is any information system account with authorizations of a nonprivileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).

Check Content

Verify the VPN Client implements multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the VPN Client does not implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Fix Text

Configure the VPN Client to implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Additional Identifiers

Rule ID: SV-207210r984299_rule

Vulnerability ID: V-207210

Group Title: SRG-NET-000145

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-004046

Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check