Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30955 | NET-VPN-190 | SV-40997r2_rule | ECSC-1 | High |
Description |
---|
RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic user interface suites for deploying IPSec. Each suite provides choices for Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level. |
STIG | Date |
---|---|
IPSec VPN Gateway Security Technical Implementation Guide | 2018-03-08 |
Check Text ( C-39615r1_chk ) |
---|
Review all transform sets defined in IPSec profiles and crypto maps used for securing classified traffic to determine if they are compliant with Suite B requirements. According to NIST, AES with 128-bit keys, SHA-256, and ECDH and ECDSA using the 256-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to SECRET level. AES with 356-bit keys, SHA-384, and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to TOP SECRET level. Note: During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level. |
Fix Text (F-34765r1_fix) |
---|
Configure transform sets used for transporting classified packets to be compliant with Suite B requirements. |