AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-266644 | SRG-NET-000369 | ARBA-NT-000970 | SV-266644r1040422_rule | 2024-10-29 | 1 |
Description |
---|
Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement applies to virtual private network (VPN) concentrators and clients. It is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices and by preventing those configuration settings from being readily configurable by users. This requirement is implemented within the information system by the detection of split tunneling (or configuration settings that allow split tunneling) in the remote device and by prohibiting the connection if the remote device is using split tunneling. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as nonremote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing nonremote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling. |
ℹ️ Check |
---|
Verify the AOS configuration with the following commands:

```
show running-configuration | include split-tunnel
show running-config | include double-encrypt
```

If any instances of forward-mode split-tunnel are found, or if double-encrypt is not enabled, this is a finding.
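As an added example (not part of the STIG and not Aruba's tooling), the following Python script applies this check offline to saved `show running-config` output: it flags any Virtual AP profile whose forward mode is split-tunnel and any ap system-profile that does not have double-encrypt set. The sample configuration text and the assumed block layout (a profile header line, indented settings, a terminating `!`) are constructed for illustration.

```python
import re

# Constructed sample of AOS running-config output, not captured from a real
# controller; the block layout (header, indented settings, "!") is assumed.
SAMPLE_CONFIG = """\
wlan virtual-ap "corp-vap"
   forward-mode tunnel
!
wlan virtual-ap "guest-vap"
   forward-mode split-tunnel
!
ap system-profile "default"
   double-encrypt
!
ap system-profile "branch-aps"
   lms-ip 10.0.0.1
!
"""

PROFILE_HEADER = re.compile(r'^(wlan virtual-ap|ap system-profile)\s+"?([^"]+)"?\s*$')

def parse_profiles(config_text):
    """Return {profile_type: {profile_name: [setting lines]}} from config text."""
    profiles = {"wlan virtual-ap": {}, "ap system-profile": {}}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            profiles[current[0]].setdefault(current[1], [])
        elif line == "!":
            current = None  # "!" closes the current profile block
        elif current and line:
            profiles[current[0]][current[1]].append(line)
    return profiles

def stig_findings(config_text):
    """Apply the V-266644 check: split-tunnel forward mode or missing double-encrypt."""
    profiles = parse_profiles(config_text)
    findings = []
    for name, settings in profiles["wlan virtual-ap"].items():
        if any(s.split() == ["forward-mode", "split-tunnel"] for s in settings):
            findings.append(f'virtual-ap "{name}": forward-mode split-tunnel')
    for name, settings in profiles["ap system-profile"].items():
        if "double-encrypt" not in settings:
            findings.append(f'ap system-profile "{name}": double-encrypt not enabled')
    return findings
```

An empty list from `stig_findings` means no finding under this rule; each entry names the profile that needs the fix below.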
✔️ Fix |
---|
Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Profiles.
2. Under "All Profiles", expand "Virtual AP".
3. Select each Virtual AP profile. Under "General", select tunnel as the Forward mode.
4. Click Submit >> Pending Changes >> Deploy Changes.
5. In configuration mode (CLI), for each ap system-profile, run the following commands:

```
ap system-profile <profile-name>
double-encrypt
exit
write memory
```