Detections
Analytics
F5BI-VN-300005 - The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
Information
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network.
AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
From the BIG-IP GUI:1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the Name of the IKE peer.
5. Configure an AES256 encryption algorithm under IKE Phase 1 Algorithms >> Encryption Algorithm.
6. Click "Update".
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_TMOS_Y24M09_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP TMOS VPN STIG v1r1
Category: ACCESS CONTROL
References: 800-53|AC-17(2), CAT|I, CCI|CCI-000068, Rule-ID|SV-266278r1024913_rule, STIG-ID|F5BI-VN-300005, Vuln-ID|V-266278
Plugin: F5
Control ID: 132cf1f3eba645f9f34f2b01ccec9ced5f52ec448c6e1357ed912904032fe2b2