DISA STIGS Viewer

AOS, in conjunction with a remote device, must prevent the device from simultaneously establishing nonremote connections with the system and communicating via some other connection to resources in external networks.

Overview

Finding ID: V-266644
Version: ARBA-NT-000970
Rule ID: SV-266644r1040422_rule
IA Controls: (none listed)
Severity: Medium
Description
Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement applies to virtual private network (VPN) concentrators and clients. It is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices and by preventing those configuration settings from being readily configurable by users. This requirement is implemented within the information system by the detection of split tunneling (or configuration settings that allow split tunneling) in the remote device and by prohibiting the connection if the remote device is using split tunneling. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as nonremote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing nonremote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
STIG: HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
Date: 2024-10-29

Details

Check Text (C-70568r1040420_chk)
Verify the AOS configuration with the following commands:
show running-configuration | include split-tunnel
show running-config | include double-encrypt

If any instances of forward-mode split-tunnel are found or if double-encrypt is not enabled, this is a finding.
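The check above is easy to run by hand on one controller, but a fleet audit benefits from applying the same two rules to captured configuration text. The following is an added example, not part of the STIG or of HPE Aruba Networking's tooling: it parses a `show running-config` capture, flags every Virtual AP profile whose forward-mode is split-tunnel, and flags every ap system-profile that lacks `double-encrypt`. The sample configuration, the profile names, and the block layout are constructed for illustration; the assumption that an absent `forward-mode` line means the default (tunnel) and that an absent `double-encrypt` line means it is disabled are the author's assumptions here, not statements from the STIG.

```python
"""
Offline compliance check for ARBA-NT-000970 (added example, not STIG text).

Input: the text of `show running-config` captured from an AOS controller.
Rule (from the Check Text): any virtual-ap profile with forward-mode
split-tunnel is a finding; any ap system-profile without double-encrypt
is a finding.
"""
import re

# Constructed sample capture; profile names and layout are illustrative only.
SAMPLE_CONFIG = """\
wlan virtual-ap "corp-vap"
   aaa-profile "corp-aaa"
   ssid-profile "corp-ssid"
   forward-mode tunnel
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa"
   ssid-profile "guest-ssid"
   forward-mode split-tunnel
!
ap system-profile "default"
   double-encrypt
!
ap system-profile "branch-aps"
   lms-ip 10.0.0.1
!
"""

# Block headers we care about: `wlan virtual-ap "name"` and `ap system-profile "name"`.
HEADER_RE = re.compile(r'^(wlan virtual-ap|ap system-profile)\s+"?([^"]+?)"?\s*$')


def parse_profiles(config_text):
    """Group config lines by profile block.

    A block starts at a matching header line and ends at the next `!` line
    or the next header. Returns {(kind, name): [stripped body lines]}.
    """
    profiles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            profiles[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            profiles[current].append(line)
    return profiles


def split_tunnel_vaps(profiles):
    """Names of virtual-ap profiles explicitly configured with split-tunnel.

    Assumption: a profile with no forward-mode line uses the default (tunnel),
    so only an explicit `forward-mode split-tunnel` is reported.
    """
    return sorted(
        name
        for (kind, name), body in profiles.items()
        if kind == "wlan virtual-ap"
        and any(l.startswith("forward-mode") and l.split()[-1] == "split-tunnel"
                for l in body)
    )


def profiles_without_double_encrypt(profiles):
    """Names of ap system-profiles with no `double-encrypt` line.

    Assumption: double-encrypt is off unless the line is present in the config.
    """
    return sorted(
        name
        for (kind, name), body in profiles.items()
        if kind == "ap system-profile" and "double-encrypt" not in body
    )


def evaluate(config_text):
    """Apply both rules and return a finding summary for the capture."""
    profiles = parse_profiles(config_text)
    split = split_tunnel_vaps(profiles)
    missing = profiles_without_double_encrypt(profiles)
    return {
        "split_tunnel_vaps": split,
        "no_double_encrypt": missing,
        "finding": bool(split or missing),
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_CONFIG)
    print("Split-tunnel Virtual APs:", result["split_tunnel_vaps"])
    print("ap system-profiles without double-encrypt:", result["no_double_encrypt"])
    print("FINDING" if result["finding"] else "Not a finding")
```

Run it against a saved `show running-config` rather than the `| include` output, because the filtered output drops the profile headers needed to say which profile is non-compliant. Review the two default-value assumptions against your AOS version before relying on the result, since a controller that prints defaults would need the checks adjusted.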
Fix Text (F-70471r1040421_fix)
Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Profiles.
2. Under "All Profiles", expand "Virtual AP".
3. Select each Virtual AP profile. Under "General", select tunnel as the Forward mode.
4. Click Submit >> Pending Changes >> Deploy Changes.
5. In configuration mode (CLI), for each ap system-profile, run the following commands:
ap system-profile <profile-name>
double-encrypt
exit
write memory