STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


HPE Aruba Networking AOS VPN Security Technical Implementation Guide

Version

V1R1

Release Date

Oct 29, 2024

SCAP Benchmark ID

HPE_Aruba_AOS_VPN_STIG

Total Checks

21

Tags

network
CAT I: 4, CAT II: 16, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (21)

  • V-266982 (HIGH): AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.
  • V-266983 (MEDIUM): AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
  • V-266984 (MEDIUM): AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-266985 (HIGH): AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
  • V-266986 (MEDIUM): AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
  • V-266987 (MEDIUM): AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection.
  • V-266988 (MEDIUM): AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection.
  • V-266989 (MEDIUM): The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network.
  • V-266990 (LOW): AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session.
  • V-266991 (MEDIUM): For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
  • V-266992 (MEDIUM): AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
  • V-266993 (MEDIUM): AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.
  • V-266994 (MEDIUM): The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+]) to perform user authentication.
  • V-266995 (MEDIUM): The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-266996 (MEDIUM): The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.
  • V-266997 (MEDIUM): AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization.
  • V-266998 (MEDIUM): The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).
  • V-266999 (MEDIUM): AOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection.
  • V-267000 (MEDIUM): AOS, when used as a VPN Gateway, must disable split-tunneling for remote client VPNs.
  • V-267001 (HIGH): AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).
  • V-268313 (HIGH): AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.