Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239976 | CASA-VN-000560 | SV-239976r769253_rule | Medium |
| Description |
|---|
| Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. |
| STIG | Date |
|---|---|
| Cisco ASA VPN Security Technical Implementation Guide | 2024-06-10 |
Details
| Check Text ( C-43209r666332_chk ) |
|---|
| Verify the remote access ASA uses a FIPS-validated algorithms and hash function as shown in the example below. ssl server-version tlsv1.2 ssl cipher tlsv1.2 fips If the remote access ASA does not use a digital signature generated using FIPS-validated algorithms and hash function, this is a finding. |
| Fix Text (F-43168r666333_fix) |
|---|
| Configure the remote access ASA to use a digital signature generated using FIPS-validated algorithms and an approved hash. ASA1(config)# ssl cipher tlsv1.2 fips ASA1(config)# end |