| AID | 75 |
|---|---|
| Severity | medium |
| Audit | The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session. |
| Guidance | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the revocation list configured for use by the VPN server is checked to see if the certificate is valid. If the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint. |
| Recommendations | Configure the VPN Gateway to reject machine certificates that have been revoked when using DOD PKI for authentication. |
| Procedure | Verify the VPN Gateway rejects machine certificates that have been revoked when using DOD PKI for authentication. If the VPN Gateway does not configure OCSP and/or CRL to reject revoked machine credentials that are prohibited from establishing an allowed session, this is a finding. |
| NIST SP 800-53 | For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |
| STIG | Virtual Private Network (VPN) Security Requirements Guide Release: 3 Benchmark Date: 30 Jan 2025 |
Remote Access VPN Security Audit
Review this entry