
The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

An XCCDF Rule

Description

Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS-validated RNG that is not DRBG-based mitigates this finding to a CAT III.

ID
SV-239977r666337_rule
Version
CASA-VN-000610
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Configure the ASA to have FIPS mode enabled as shown in the example below.

ASA1(config)# fips enable
ASA1(config)# end

Note: FIPS mode change will not take effect until the configuration is saved and the device rebooted.
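The procedure above is a one-line change, but the note that follows it is where audits usually go wrong: `fips enable` present in the running configuration does not mean the device is actually operating in FIPS mode, because the change only takes effect after `write memory` and a reload. The following Python script is an added example (not part of the STIG and not Cisco code) that evaluates this rule from saved copies of `show running-config` and `show startup-config` output. The configuration snippets embedded in it are constructed for illustration, and the verdict labels (`compliant`, `pending_save`, `open`) are the script's own naming, not STIG terminology.

```python
import re
from typing import Dict

# Constructed, abbreviated ASA configuration samples (not captured from a
# real device). Only the lines relevant to this rule are shown.
RUNNING_CONFIG_FIPS = """\
: Saved
:
hostname ASA1
fips enable
!
interface GigabitEthernet0/0
 nameif outside
!
"""

STARTUP_CONFIG_NO_FIPS = """\
: Saved
:
hostname ASA1
no fips enable
!
interface GigabitEthernet0/0
 nameif outside
!
"""

STARTUP_CONFIG_ABSENT = """\
: Saved
:
hostname ASA1
!
interface GigabitEthernet0/0
 nameif outside
!
"""

# "fips enable" must be a top-level line; a leading "no " explicitly disables it.
_FIPS_LINE = re.compile(r"^(?P<neg>no\s+)?fips\s+enable\s*$", re.IGNORECASE)


def fips_state(config_text: str) -> str:
    """Return 'enabled', 'disabled' or 'absent' for a single config dump.

    Only unindented lines are considered, so a stray 'fips enable' inside a
    sub-mode block (which the ASA would not accept anyway) is not counted.
    The last matching line wins, mirroring how the parser applies config.
    """
    state = "absent"
    for raw in config_text.splitlines():
        if raw.startswith((" ", "\t")):
            continue  # sub-mode line, not global config
        m = _FIPS_LINE.match(raw.strip())
        if m:
            state = "disabled" if m.group("neg") else "enabled"
    return state


def assess(running_config: str, startup_config: str) -> Dict[str, str]:
    """Evaluate CASA-VN-000610 against running and startup configurations.

    compliant    - FIPS mode enabled in both; will survive a reload.
    pending_save - enabled in running-config only; per the STIG note the
                   change is not effective until saved and the device reloaded.
    open         - FIPS mode not enabled in the running configuration.
    """
    running = fips_state(running_config)
    startup = fips_state(startup_config)
    if running == "enabled" and startup == "enabled":
        verdict = "compliant"
    elif running == "enabled":
        verdict = "pending_save"
    else:
        verdict = "open"
    return {"running": running, "startup": startup, "verdict": verdict}


if __name__ == "__main__":
    # Typical drift case: operator ran "fips enable" but never wrote memory.
    for label, startup in (("saved no fips", STARTUP_CONFIG_NO_FIPS),
                           ("fips absent", STARTUP_CONFIG_ABSENT),
                           ("saved fips", RUNNING_CONFIG_FIPS)):
        print(label, assess(RUNNING_CONFIG_FIPS, startup))
```

A `pending_save` result should be treated as a finding until the configuration has been saved and the ASA reloaded, since an unexpected power loss would bring the device back up in non-FIPS mode.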