CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 or greater for hashing to protect the integrity of IPsec remote access sessions - IKE Phase 1

Information

Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.

SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. DoD systems must not be configured to use SHA-1 for integrity of remote access sessions.

The remote access VPN provides access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.

Solution

Configure the ASA to use SHA-2 or greater for hashing to protect the integrity of IPsec remote access sessions as shown in the example below.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# integrity sha256
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
ASA1(config-ipsec-proposal)# protocol esp integrity sha-256
ASA1(config-ikev2-policy)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y22M04_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-001453, Rule-ID|SV-239978r769254_rule, STIG-ID|CASA-VN-000630, Vuln-ID|V-239978

Plugin: Cisco

Control ID: 57dfb3a4084b491705ec62be37b925658ad0b413850ed44282c659366bd12bbf