The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-239977 | SRG-NET-000234-VPN-000810 | CASA-VN-000610 | SV-239977r666337_rule | 2024-08-22 | 2 |
| Description |
|---|
| Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS validated RNG that is not DRGB mitigates to a CAT III. |
| ℹ️ Check |
|---|
| Review the ASA configuration to verify that FIPS mode has been enabled as shown in the example below. ASA Version x.x ! hostname ASA1 fips enable If the ASA is not configured to be enabled in FIPS mode, this is a finding. |
| ✔️ Fix |
|---|
| Configure the ASA to have FIPS-mode enabled as shown in the example below. ASA1(config)# fips enable ASA1(config)# end Note: FIPS mode change will not take effect until the configuration is saved and the device rebooted. |