An error occurred:

Check: SRG-NET-000145-VPN-000510

Virtual Private Network (VPN) SRG: SRG-NET-000145-VPN-000510 (in versions v2 r6 through v1 r0.1)

Title

The VPN Client must implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. (Cat II impact)

Discussion

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A non-privileged account is any information system account with authorizations of a non-privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).

Check Content

Verify the VPN Client implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the VPN Client does not implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Fix Text

Configure the VPN Client to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Additional Identifiers

Rule ID: SV-207210r953939_rule

Vulnerability ID: V-207210

Group Title: SRG-NET-000145

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001939

The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2(7)

Network Access to Non-privileged Accounts - Separate Device