CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions.

Information

Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.

SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions.

The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.

Solution

Configure the ASA to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions as shown in the example below.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# integrity sha384
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
ASA1(config-ipsec-proposal)# protocol esp integrity sha-384
ASA1(config-ikev2-policy)# end

Item Details

Audit Name: DISA STIG Cisco ASA VPN v2r2

Category: ACCESS CONTROL

Plugin: Cisco

Control ID: 045205babbfa6d9fe3d5595a9bb5830463e8c8ec81bae1f73c7db165524f73c8

Detections

Analytics

CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions.

Information

Solution

See Also

Item Details