Check: CASA-VN-000170
Cisco ASA VPN STIG:
CASA-VN-000170
(in versions v1 r3 through v1 r2)
Title
The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1. (Cat II impact)
Discussion
Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. The VPN gateway must implement cryptographic modules that adhere to the higher standards approved by the federal government, since this provides assurance that they have been tested and validated.
Check Content
Verify the ASA uses NIST FIPS-validated cryptography for IKE Phase 1, as shown in the example below.

crypto ikev2 policy 1
 encryption aes-256

If the ASA is not configured to use NIST FIPS-validated cryptography for IKE Phase 1, this is a finding.
Fix Text
Configure the ASA to use NIST FIPS-validated cryptography for IKE Phase 1.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption aes-256
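The check above is usually performed against a saved `show running-config` export rather than interactively. The following script is an added example, not part of the STIG text or any Cisco tooling: it parses the IKE policy blocks out of an ASA running-config and reports any policy whose `encryption` statement uses a keyword outside the FIPS-validated AES set. It goes slightly beyond the check as written by also inspecting `crypto ikev1 policy` blocks, since those are IKE Phase 1 policies too. The allowed-keyword set `FIPS_ENCRYPTION` and the sample configuration are assumptions constructed for this example; confirm the allowed set against your organisation's current FIPS guidance before relying on it.

```python
import re
from typing import Dict, List

# Assumption: ASA IKE policy encryption keywords that correspond to
# FIPS-validated AES ciphers. des, 3des and null are not FIPS-approved.
FIPS_ENCRYPTION = {"aes", "aes-192", "aes-256",
                   "aes-gcm", "aes-gcm-192", "aes-gcm-256"}

# Matches the top-level line that opens an IKEv1 or IKEv2 policy block.
POLICY_RE = re.compile(r"^crypto (ikev1|ikev2) policy (\d+)\s*$")

# Constructed sample of an ASA running-config (not a real device export).
SAMPLE_CONFIG = """\
hostname ASA1
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption 3des aes
 integrity sha
 group 2
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 enable outside
"""


def parse_ike_policies(config: str) -> Dict[str, List[str]]:
    """Return a map of 'ikevN policy <id>' -> list of encryption keywords.

    Sub-mode lines on the ASA are indented by one space; any unindented
    line ends the current policy block.
    """
    policies: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = f"{m.group(1)} policy {m.group(2)}"
            policies[current] = []
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # left the policy sub-mode
            continue
        parts = line.split()
        # One encryption line may list several algorithms, e.g. "encryption aes-256 aes".
        if parts and parts[0] == "encryption":
            policies[current].extend(parts[1:])
    return policies


def find_findings(config: str) -> List[str]:
    """Return one finding string per non-compliant condition (empty if compliant)."""
    findings: List[str] = []
    policies = parse_ike_policies(config)
    if not policies:
        findings.append("no IKE policy configured")
    for name, algs in policies.items():
        if not algs:
            # Conservative: an unstated algorithm falls back to the platform
            # default, which the reviewer must verify by hand.
            findings.append(f"{name}: no explicit encryption statement")
        for alg in algs:
            if alg not in FIPS_ENCRYPTION:
                findings.append(f"{name}: non-FIPS encryption {alg}")
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Run against the constructed sample, the script reports `ikev2 policy 20` for `3des` and `ikev1 policy 10` for `des`; policy 1 with `aes-256` passes. A policy that mixes a FIPS cipher with a non-FIPS one is still reported, because the peer may negotiate the weaker algorithm.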
Additional Identifiers
Rule ID: SV-239953r916122_rule
Vulnerability ID: V-239953
Group Title: SRG-NET-000510-VPN-002180
CCIs
Number | Definition |
---|---|
CCI-002450 | The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
Controls
Number | Title |
---|---|
SC-13 | Cryptographic Protection |