DISA HPE Aruba Networking AOS VPN STIG v1r1

Audit Details

Name: DISA HPE Aruba Networking AOS VPN STIG v1r1

Updated: 7/6/2026

Authority: DISA STIG

Plugin: ArubaOS

Revision: 1.0

Estimated Item Count: 21

File Details

Filename: DISA_STIG_HPE_Aruba_Networking_AOS_VPN_v1r1.audit

Size: 71.3 kB

MD5: db2f5a1f5aad2c4fe42d40402137434a
SHA256: f4547c129591abe8860dd943f549afa960b959697710c823085237579c83b0ec

Audit Items

DescriptionCategories
ARBA-VN-000040 - AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

ACCESS CONTROL

ARBA-VN-000110 - The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network.

ACCESS CONTROL

ARBA-VN-000170 - AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.

ACCESS CONTROL

ARBA-VN-000220 - AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-000470 - The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).

CONFIGURATION MANAGEMENT

ARBA-VN-000480 - For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.

CONFIGURATION MANAGEMENT

ARBA-VN-000490 - The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-000540 - AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection.

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-000560 - AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-000580 - The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-000710 - AOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection.

SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-000720 - AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session.

SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-000721 - The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-001090 - AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-001300 - AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization.

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-001370 - AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection.

IDENTIFICATION AND AUTHENTICATION

ARBA-VN-001460 - AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.

SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-001620 - AOS, when used as a VPN Gateway, must disable split-tunneling for remote client VPNs.

SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-001640 - AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation.

SYSTEM AND COMMUNICATIONS PROTECTION

ARBA-VN-002220 - AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

ARBA-VN-002430 - AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication.

IDENTIFICATION AND AUTHENTICATION