Detections
Analytics
F5BI-VN-300041 - The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE).
Information
Without cryptographic integrity protections, information can be altered by unauthorized users without detection.Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems must not be configured to use SHA-2 for integrity of remote access sessions.
This requirement is applicable to the configuration of IKE Phase 1 and Phase 2.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
From the BIG-IP GUI:1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the name of the IKE peer.
5. Configure SHA-2 or higher for the following:
IKE Phase 1 Algorithms >> Authentication Algorithm
IKE Phase 1 Algorithms >> Pseudo-Random Function
6. Click "Update".
From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IPsec Policies.
4. Click the name of the IPsec Policy.
5. Configure SHA-2 or higher for the following:
IKE Phase 2 >> Authentication Algorithm
6. Click "Update".
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_TMOS_Y24M09_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP TMOS VPN STIG v1r1
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-23, CAT|I, CCI|CCI-001184, Rule-ID|SV-266287r1024762_rule, STIG-ID|F5BI-VN-300041, Vuln-ID|V-266287
Plugin: F5
Control ID: c2b4d87c50192ff8472f6c98cf1493f5a0091607b4a45654d34eeffad5db886a