CASA-VN-000170 – The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.

Details

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Solution

Configure the ASA to use NIST FIPS-validated cryptography for IKE Phase 1.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption aes-192

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.

References

800-53|SC-13
CAT|II
CCI|CCI-002450
Rule-ID|SV-239953r666265_rule
STIG-ID|CASA-VN-000170
Vuln-ID|V-239953

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles