Cisco ASA VPN Security Technical Implementation Guide


Overview

Date: 2021-08-16
Finding Count: 41 (CAT I (High): 10, CAT II (Med): 28, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-239979 High The Cisco VPN remote access server must be configured to use AES encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions.
V-239975 High The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.
V-239957 High The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 14 or greater for Internet Key Exchange (IKE) Phase 1.
V-239951 High The Cisco ASA must be configured to use Internet Key Exchange (IKE) for all IPsec security associations.
V-239950 High The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.
V-239959 High The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2.
V-239980 High The Cisco ASA VPN remote access server must be configured to use Advanced Encryption Standard (AES) encryption for the IPsec security association to protect the confidentiality of remote access sessions.
V-239968 High The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network.
V-239985 High The Cisco ASA VPN remote access server must be configured to use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
V-239962 High The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
V-239949 Medium The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.
V-239978 Medium The Cisco ASA remote access VPN server must be configured to use SHA-2 or greater for hashing to protect the integrity of IPsec remote access sessions.
V-239974 Medium The Cisco ASA remote access VPN server must be configured to produce log records containing information to establish the outcome of the events.
V-239977 Medium The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
V-239976 Medium The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions.
V-239971 Medium The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event.
V-239970 Medium The Cisco ASA remote access VPN server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network.
V-239972 Medium The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish where the events occurred.
V-239956 Medium The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services.
V-239955 Medium The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-239954 Medium The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation.
V-239953 Medium The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.
V-239952 Medium The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
V-239958 Medium The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 1.
V-239981 Medium The Cisco VPN remote access server must be configured to accept Common Access Card (CAC) credentials.
V-239969 Medium The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client’s certificate to entries in the authentication server to determine authorization to access the network.
V-239984 Medium The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
V-239963 Medium The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.
V-239960 Medium The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies.
V-239961 Medium The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection.
V-239966 Medium The Cisco ASA remote access VPN server must be configured to use LDAP over SSL to determine authorization for granting access to the network.
V-239967 Medium The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network.
V-239964 Medium The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.
V-239965 Medium The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.
V-239947 Medium The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
V-239948 Medium The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events.
V-239982 Medium The Cisco ASA VPN remote access server must be configured to disable split-tunneling for remote clients.
V-239983 Medium The Cisco ASA VPN remote access server must be configured to generate log records when successful and/or unsuccessful VPN connection attempts occur.
V-239973 Low The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish the source of the events.
V-239945 Low The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred.
V-239946 Low The Cisco ASA must be configured to generate log records containing information to establish when the events occurred.