Rule ID
SV-264334r984338_rule
Version
V3R4
CCIs
Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external Certificate Authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE). This requirement focuses on communications protection for the application session rather than for the network packet. VPN gateways that perform these functions must be able to identify which session identifiers were generated when the sessions were established. Certificates for both user and machines must be validated.
If the VPN Gateway does not provide PKI-based user authentication intermediary services, this is not applicable. Verify the VPN Gateway only allows the use of DOD PKI-established CA for verification when establishing VPN sessions. Verify both user and machine certificates are being validated when establishing VPN sessions. If the VPN Gateway does not validate user and machine certificates using DOD PKI-established certificate authorities, this is a finding.
Configure the VPN Gateway to only allow the use of DOD PKI-established CAs for the establishment of VPN sessions. Configure validation for both the user and machine certificates.