| V-266282 | | The IPsec BIG-IP appliance must use IKEv2 for IPsec VPN security associations. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-266283 | | The F5 BIG-IP appliance IPsec VPN Gateway must renegotiate the IPsec Phase 1 security association after eight hours or less. | The IPsec security association (SA) and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded ... |
| V-266284 | | The F5 BIG-IP appliance IPsec VPN must renegotiate the IKE Phase 2 security association after eight hours or less. | When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during perio... |
| V-266288 | | The F5 BIG-IP appliance IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. The... |
| V-266277 | | The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. | NIST cryptographic algorithms approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specif... |
| V-266278 | | The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-266279 | | The F5 BIG-IP appliance IPsec VPN must use AES256 or greater encryption for the IPsec proposal. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-266280 | | The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-266281 | | The F5 BIG-IP appliance IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hash... |
| V-266285 | | For accounts using password authentication, the F5 BIG-IP appliance site-to-site IPsec VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-266286 | | The F5 BIG-IP appliance IPsec VPN must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The VPN gateway must implement cryptographi... |
| V-266287 | | The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE). | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Although allowed by SP800-131Ar2 for... |