CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions - IPsec SA

Information

Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.

SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions.

The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.

Solution

Configure the ASA to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions as shown in the example below.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# integrity sha384
ASA1(config-ikev2-policy)# exit
ASA1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC_TRANS
ASA1(config-ipsec-proposal)# protocol esp integrity sha-384
ASA1(config-ikev2-policy)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-001453, Rule-ID|SV-239978r916146_rule, STIG-ID|CASA-VN-000630, Vuln-ID|V-239978

Plugin: Cisco

Control ID: 045205babbfa6d9fe3d5595a9bb5830463e8c8ec81bae1f73c7db165524f73c8