An error occurred:

Check: CSCO-NM-000530

Cisco ISE NDM STIG: CSCO-NM-000530 (in versions v1 r6 through v1 r4)

Title

The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB. (Cat II impact)

Discussion

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012. This requirement is applicable to devices that use a web interface for device management.

Check Content

Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure the system to use a FIPS 140-2 approved Random Number Generator (RNG) using DRGB to generate unique session identifiers, this can be lowered to a CAT 3 finding.

Fix Text

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB.

Additional Identifiers

Rule ID: SV-242658r879639_rule

Vulnerability ID: V-242658

Group Title: SRG-APP-000224-NDM-000270

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001188

The information system generates unique session identifiers for each session with organization-defined randomness requirements.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-23 (3)

Unique Session Identifiers With Randomization