The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242658	CSCO-NM-000530	SV-242658r714284_rule		Medium

Description
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012. This requirement is applicable to devices that use a web interface for device management.

Description

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012. This requirement is applicable to devices that use a web interface for device management.

STIG	Date
Cisco ISE NDM Security Technical Implementation Guide	2021-09-27

Details

Check Text ( C-45933r714282_chk )
Navigate to Administration >> System >> Settings >> FIPS Mode. Verify FIPS Mode is enabled. If the Cisco ISE does not generate unique session identifiers using a FIPS 140-2 approved RNG, this is a finding.

Fix Text (F-45890r714283_fix)
Enable FIPS Mode in Cisco ISE to ensure DRBG is used for all RNG functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node.