STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-266644

CAT II (Medium)

AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks.

Rule ID

SV-266644r1040422_rule

STIG

HPE Aruba Networking AOS Wireless Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002397

Discussion

Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement applies to virtual private network (VPN) concentrators and clients. It is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices and by preventing those configuration settings from being readily configurable by users. This requirement is implemented within the information system by the detection of split tunneling (or configuration settings that allow split tunneling) in the remote device and by prohibiting the connection if the remote device is using split tunneling. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as nonremote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing nonremote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

Check Content

Verify the AOS configuration with the following commands:
show running-configuration | include split-tunnel
show running-config | include double-encrypt

If any instances of forward-mode split-tunnel are found or if double-encrypt is not enabled, this is a finding.

Fix Text

Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Profiles.
2. Under "All Profiles", expand "Virtual AP".
3. Select each Virtual AP profile. Under "General", select tunnel as the Forward mode.
4. Click Submit >> Pending Changes >> Deploy Changes.
5. In configuration mode (CLI), for each ap system-profile, run the following commands:
ap system-profile <profile-name>
double-encrypt
exit
write memory
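As an added example (not part of the STIG text or of STIGhub), the following Python script evaluates the Check Content above against captured "show running-config" output and reports which objects the Fix Text would need to touch. It goes slightly beyond the two include filters by naming the non-compliant Virtual AP or ap system-profile; the sample config and the assumed block layout (unindented header, indented body, "!" terminator) are constructed assumptions, not output from a real controller.

```python
import re

# Constructed sample of "show running-config" output; not captured from a real controller.
SAMPLE_RUNNING_CONFIG = """\
wlan virtual-ap "corp-vap"
   ssid-profile "corp-ssid"
   forward-mode tunnel
!
wlan virtual-ap "guest-vap"
   ssid-profile "guest-ssid"
   forward-mode split-tunnel
!
ap system-profile "default"
   double-encrypt
!
ap system-profile "branch-aps"
   lms-ip 10.0.0.1
!
"""

def parse_blocks(config_text):
    """Split AOS running-config text into (header, body-lines) blocks.
    An unindented line opens a block; '!' or a blank line closes it (assumed layout)."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks

def evaluate_v266644(config_text):
    """Return finding strings (an empty list means compliant). Finding conditions
    follow the STIG check: a Virtual AP in forward-mode split-tunnel, or an
    ap system-profile whose body lacks a bare "double-encrypt" line."""
    findings = []
    for header, body in parse_blocks(config_text):
        vap = re.match(r'wlan virtual-ap "([^"]+)"', header)
        if vap and "forward-mode split-tunnel" in body:
            findings.append(f'virtual-ap "{vap.group(1)}": forward-mode split-tunnel')
        sysp = re.match(r'ap system-profile "([^"]+)"', header)
        if sysp and "double-encrypt" not in body:
            findings.append(f'ap system-profile "{sysp.group(1)}": double-encrypt not enabled')
    return findings
```

A "no double-encrypt" line is treated as not enabled, since only the exact "double-encrypt" line satisfies the check.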