Hi team,
I need a support in CMMC AC.L2-3.1.13 remote session as in that link https://www.expertcmmc.com/cmmcPractices.php?viewPracticeID=31
How can I check and secure the encryption of VPN remote sessions to meet CMMC requirement?
Thanks,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
To check and secure the encryption of VPN remote sessions on FortiGate to meet the requirements of the Cybersecurity Maturity Model Certification (CMMC), you can follow these steps:
1. Verify encryption settings: Ensure that the VPN connection uses strong encryption algorithms like AES-256 or higher, and secure authentication methods such as certificate-based or two-factor authentication.
2. Configure split-tunneling: Split-tunneling ensures that only the traffic that needs to be encrypted is sent through the VPN, while other traffic remains unencrypted, improving performance and reducing the risk of data breaches.
3. Enable firewall policies: Use firewall policies to restrict access to sensitive information, such as preventing incoming connections from unknown sources, and allowing only specific IP addresses or ports to be used.
4. Monitor VPN activity: Enable auditing and logging on the FortiGate firewall to monitor VPN activity, including the source and destination of VPN connections, and the time and duration of the connection.
5. Update software regularly: Regularly update the FortiGate FortiOS and Forticlient software to ensure that the latest security patches and features are in place, protecting against known and emerging threats.
By following these steps, you can secure the encryption of VPN remote sessions on FortiGate and meet the requirements of the CMMC.
To check and secure the encryption of VPN remote sessions on FortiGate to meet the requirements of the Cybersecurity Maturity Model Certification (CMMC), you can follow these steps:
1. Verify encryption settings: Ensure that the VPN connection uses strong encryption algorithms like AES-256 or higher, and secure authentication methods such as certificate-based or two-factor authentication.
2. Configure split-tunneling: Split-tunneling ensures that only the traffic that needs to be encrypted is sent through the VPN, while other traffic remains unencrypted, improving performance and reducing the risk of data breaches.
3. Enable firewall policies: Use firewall policies to restrict access to sensitive information, such as preventing incoming connections from unknown sources, and allowing only specific IP addresses or ports to be used.
4. Monitor VPN activity: Enable auditing and logging on the FortiGate firewall to monitor VPN activity, including the source and destination of VPN connections, and the time and duration of the connection.
5. Update software regularly: Regularly update the FortiGate FortiOS and Forticlient software to ensure that the latest security patches and features are in place, protecting against known and emerging threats.
By following these steps, you can secure the encryption of VPN remote sessions on FortiGate and meet the requirements of the CMMC.
Created on 02-06-2023 04:11 AM Edited on 02-06-2023 04:15 AM
Thanks for your clarification.
How to check SSL VPN encryption algorithms as I don't see that in SSL VPN config like IPsec ?
Another question
I saw an article about FIPS mode, Is that mode is helpful ?
Created on 02-07-2023 12:55 AM Edited on 02-07-2023 01:08 AM
Note that the encryption algorithms used by SSL VPNs on FortiGate are typically determined by the capabilities of the client device, and not by the configuration of the FortiGate firewall. When a client connects to an SSL VPN, the client and the FortiGate firewall negotiate a common encryption algorithm based on the capabilities of both devices.
The SSL/TLS provide a mechanism for negotiating the cipher suite used for a secure connection between a client and a server. During the negotiation process, the client and server agree on a common cipher suite that they both support and use that cipher suite to secure the data transmitted between them.
A cipher suite is a combination of encryption algorithms used to secure the data that is being transmitted over a network. In the case of SSL/TLS connections, the cipher suite defines the key exchange algorithm, the bulk data encryption algorithm, and the message authentication code (MAC) algorithm used for a secure connection.
For example, if the client supports AES-256 encryption and the FortiGate firewall supports AES-256 encryption, then AES-256 encryption will be used for the SSL VPN connection.
If you need to modify the cipher suite used by an SSL VPN, refer to the below commands;
CLI Syntax:
config vpn ssl settings
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-2
set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
end
Technical Tip: How to control the SSL version and cipher suite for SSL VPN
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-the-SSL-version-and-cipher-...
When FIPS mode is enabled on a FortiGate firewall, the firewall will only use approved encryption algorithms and protocols for VPN connections, system authentication, and data encryption.
Refer to the below KB article for more information:
** https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629
SSL VPNs on FortiGate are typically determined by the capabilities of the client device
Client device means the device itself not Forticlient, Is it right?
For further details, see the Knowledge Base article linked below:
https://community.fortinet.com/t5/FortiClient/Technical-Note-How-to-limit-the-SSL-and-TLS-versions-o...
One more question
Is the server certificate in Fortigate SSL-VPN settings plays a role in SSL connection ?
Thanks.
Yes, the server certificate in Fortigate SSL-VPN settings plays a important role in the SSL connection. The server certificate is used to establish an encrypted connection between the client and the server. The certificate contains information about the identity of the server, including its domain name, public key, and digital signature from a trusted certificate authority.
When a client attempts to connect to the server using SSL, the client verifies the authenticity of the server certificate to ensure that the connection is secure. If the server certificate is invalid, expired, or not signed by a trusted certificate authority, the client will not trust the connection and the SSL connection will fail.
Therefore, it is important to ensure that the server certificate in the Fortigate SSL-VPN settings is valid, up-to-date, and signed by a trusted certificate authority to ensure secure and reliable SSL connections.
Thank you very much for all clarifications :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.