Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
F5 BIG-IP TMOS VPN Security Technical Implementation Guide
SRG-NET-000230-VPN-000780
SRG-NET-000230-VPN-000780
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-NET-000230-VPN-000780
1 Rule
The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE).
High Severity
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems must not be configured to use SHA-2 for integrity of remote access sessions. This requirement is applicable to the configuration of IKE Phase 1 and Phase 2.