AC-17 Remote Access
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.
Baselines
- L
- M
- H
- P
Guidance
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Still, VPN connections traverse external networks, and an encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also limit the ability to adequately monitor network communications traffic for malicious code.

Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.
References (6)
- SP 800-46 Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2.
- SP 800-77 Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1.
- SP 800-113 Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113.
- SP 800-114 Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1.
- SP 800-121 Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2.
- IR 7966 Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966.
Control Enhancements (10)
- AC-17(01) Monitoring and Control
- AC-17(02) Protection of Confidentiality and Integrity Using Encryption
- AC-17(03) Managed Access Control Points
- AC-17(04) Privileged Commands and Access
- AC-17(05) Monitoring for Unauthorized Connections (withdrawn; incorporated into SI-4)
- AC-17(06) Protection of Mechanism Information
- AC-17(07) Additional Protection for Security Function Access (withdrawn; incorporated into AC-3(10))
- AC-17(08) Disable Nonsecure Network Protocols (withdrawn; incorporated into CM-7)
- AC-17(09) Disconnect or Disable Access
- AC-17(10) Authenticate Remote Commands
Related controls (19)
- AC-02 Account Management
- AC-03 Access Enforcement
- AC-04 Information Flow Enforcement
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Systems
- CA-03 Information Exchange
- CM-10 Software Usage Restrictions
- IA-02 Identification and Authentication (Organizational Users)
- IA-03 Device Identification and Authentication
- IA-08 Identification and Authentication (Non-organizational Users)
- MA-04 Nonlocal Maintenance
- PE-17 Alternate Work Site
- PL-02 System Security and Privacy Plans
- PL-04 Rules of Behavior
- SC-10 Network Disconnect
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SI-04 System Monitoring