Details

Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.

Solution

Configure the ASA to use a DH Group of 14 or greater as shown in the example below.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 24

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Cisco.

References

• 800-53|AC-17(2)
• CAT|I
• CCI|CCI-000068
• Rule-ID|SV-239957r666277_rule
• STIG-ID|CASA-VN-000210
• Vuln-ID|V-239957

Source

• Tenable.com/audits