Navigate

Check: SRG-NET-000166-VPN-000590

Virtual Private Network (VPN) SRG: SRG-NET-000166-VPN-000590 (in versions v3 r3 through v1 r0.1)

Title

The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. (Cat II impact)

Discussion

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. This requirement only applies to components where this is specific to the function of the device or has the concept of a user (e.g., VPN or ALG. This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).

Check Content

Verify the VPN Gateway maps the authenticated identity to the user account for PKI-based authentication. If the VPN Gateway does not map the authenticated identity to the user account for PKI-based authentication, this is a finding.

Fix Text

Configure the VPN Gateway to map the authenticated identity to the user account for PKI-based authentication.

Additional Identifiers

Rule ID: SV-207217r608988_rule

Vulnerability ID: V-207217

Group Title: SRG-NET-000166

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000187	For public key-based authentication, map the authenticated identity to the account of the individual or group.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5(2)	Pki-based Authentication