The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.

Overview

Finding ID: V-266277
Version: F5BI-VN-300004
Rule ID: SV-266277r1024911_rule
IA Controls: CCI-000068
Severity: high
Description
NIST cryptographic algorithms are approved by NSA to protect National Security Systems (NSS). Based on an analysis of the impact of quantum computing, the cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program have been changed to more stringent protocols configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.
STIG: F5 BIG-IP TMOS VPN Security Technical Implementation Guide
Date: 2024-09-09

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 (1 mapping)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.1.13
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000068
1.00
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-266277r1024911_chk)

From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the IKE Peer Name.
5. In "IKE Phase 1 Algorithms", verify "MODP4096" or higher is selected for "Perfect Forward Secrecy".

If the BIG-IP appliance is not configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1, this is a finding.

Fix Text (F-70104r1024910_fix)

From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the IKE Peer Name.
5. In "IKE Phase 1 Algorithms", select "MODP4096" or higher for "Perfect Forward Secrecy".
6. Click "Update".
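The GUI check above covers one peer at a time; the following added script (not part of the STIG or F5's tooling) audits every IKE peer at once by parsing tmsh output and mapping each Phase 1 PFS group name to its IANA DH group number, flagging anything below group 16 (MODP4096). The tmsh attribute name `phase1-perfect-forward-secrecy`, the lower-case value spellings and the sample output are assumptions constructed for this example.

```python
"""Audit BIG-IP IKE peers: Phase 1 DH group must be 16 (modp4096) or greater."""
import re

# IANA IKE DH group numbers for the group names BIG-IP uses (RFC 3526, RFC 5903).
DH_GROUP_NUMBER = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21,
}
MIN_DH_GROUP = 16  # STIG requirement: DH group 16 or greater

# Constructed sample of `tmsh list net ipsec ike-peer` output (assumed format,
# not captured from a real device).
SAMPLE_TMSH_OUTPUT = """\
net ipsec ike-peer peer-hq {
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy modp2048
    remote-address 203.0.113.10
}
net ipsec ike-peer peer-dr {
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha384
    phase1-perfect-forward-secrecy modp4096
    remote-address 203.0.113.20
}
"""

PEER_RE = re.compile(r"net ipsec ike-peer (\S+) \{(.*?)\n\}", re.S)
PFS_RE = re.compile(r"phase1-perfect-forward-secrecy\s+(\S+)")

def parse_ike_peers(tmsh_text):
    """Return {peer_name: pfs_group_name or None} from tmsh list output."""
    peers = {}
    for name, body in PEER_RE.findall(tmsh_text):
        m = PFS_RE.search(body)
        peers[name] = m.group(1).lower() if m else None
    return peers

def audit_ike_peers(tmsh_text, min_group=MIN_DH_GROUP):
    """Return [(peer, group_name, is_finding)]; a missing or unknown group is
    treated as a finding, as is any group numbered below min_group."""
    results = []
    for peer, group in parse_ike_peers(tmsh_text).items():
        number = DH_GROUP_NUMBER.get(group)
        results.append((peer, group, number is None or number < min_group))
    return results
```

Run `audit_ike_peers(open("ike-peers.txt").read())` on saved tmsh output; any tuple whose third element is True corresponds to a finding under this rule.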