Free DISA STIG and SRG Library | Vaulted

V-30966

The VPN gateway must use AES for IPSec cryptographic encryption operations required to ensure privacy of the IPSec session.

Finding ID
NET-VPN-140
Rule ID
SV-41008r1_rule
Severity
Cat I
CCE
(None)
Group Title
AES not being used for IPSec cryptographic encrypt.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

While there is still debate about the security and performance of the Advanced Encryption Standard (AES), there is a consensus that it is significantly more secure than any of the other encryption algorithms supported by IPSec implementations today. AES is available in three key sizes (128, 192 and 256 bits) versus the 56-bit key of DES, so there are approximately 10^21 (2^72) times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits, twice the 64-bit block of DES and 3DES, which raises the birthday bound for block collisions under one key from about 2^32 blocks to about 2^64 blocks. Hence, AES must be used to ensure the privacy of the IPSec tunnel.

Fix Text

Configure all IPSec transform sets to use AES for performing cryptographic encryption operations.

Check Content

Review all transform sets defined in IPSec profiles and crypto maps and verify that AES has been enabled for performing cryptographic encryption operations.
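The following audit script is an added example and not part of the STIG or of any vendor tooling. It applies the Fix Text and Check Content above to a constructed Cisco IOS running-config excerpt (IOS syntax is assumed because the check refers to crypto maps and IPSec profiles; the transform keywords esp-des, esp-3des, esp-null, esp-seal, esp-aes and esp-gcm are taken from IOS). It parses every "crypto ipsec transform-set", decides whether AES provides the ESP encryption, reports which crypto map or IPSec profile references each failing set, and emits the IOS commands that redefine the failing sets with esp-aes 256. The function names (audit, remediation_commands) and the sample config are hypothetical.

```python
import re

# Constructed excerpt of a Cisco IOS "show running-config" (not captured from a
# real device). Transform-set keywords follow IOS syntax: esp-des / esp-3des /
# esp-null / esp-seal are non-AES, esp-aes and esp-gcm are AES.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-AES-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile VPN-PROFILE
 set transform-set ESP-3DES-SHA ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set ESP-DES-MD5
 match address VPN-ACL
"""

AES_ENCRYPTION = {"esp-aes", "esp-gcm"}
NON_AES_ENCRYPTION = {"esp-des", "esp-3des", "esp-null", "esp-seal"}
ENCRYPTION = AES_ENCRYPTION | NON_AES_ENCRYPTION

TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)


def parse_transform_sets(config):
    """Map transform-set name -> transform tokens, e.g. ['esp-aes', '256', 'esp-sha-hmac']."""
    return {m.group(1): m.group(2).split() for m in TRANSFORM_SET_RE.finditer(config)}


def parse_references(config):
    """Map transform-set name -> crypto maps / IPSec profiles whose 'set transform-set' names it."""
    refs, section = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: a new section begins
            section = line if line.startswith(("crypto map ", "crypto ipsec profile ")) else None
            continue
        if section and line.strip().startswith("set transform-set "):
            for name in line.split()[2:]:       # a map or profile may list several sets
                refs.setdefault(name, []).append(section)
    return refs


def audit(config):
    """Check every transform set against the rule: AES must provide the ESP encryption."""
    refs, result = parse_references(config), {}
    for name, transforms in parse_transform_sets(config).items():
        tokens = set(transforms)
        weak = sorted(tokens & NON_AES_ENCRYPTION)
        if weak:
            ok, reason = False, "non-AES encryption transform: " + ", ".join(weak)
        elif tokens & AES_ENCRYPTION:
            ok, reason = True, "AES encryption transform present"
        else:                                   # e.g. AH-only or esp-gmac: no confidentiality at all
            ok, reason = False, "no AES encryption transform"
        result[name] = {"compliant": ok, "reason": reason, "used_by": refs.get(name, [])}
    return result


def remediation_commands(config):
    """IOS commands redefining each failing set with AES-256 while keeping its integrity transform.
    Re-entering 'crypto ipsec transform-set NAME ...' replaces the set's transforms; existing SAs
    keep the old cipher until renegotiated (for example after 'clear crypto sa')."""
    findings, cmds = audit(config), []
    for name, transforms in parse_transform_sets(config).items():
        if findings[name]["compliant"]:
            continue
        integrity = [t for t in transforms if t not in ENCRYPTION and not t.isdigit()]
        cmds.append(f"crypto ipsec transform-set {name} esp-aes 256 {' '.join(integrity)}".rstrip())
    return cmds


if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {name}: {f['reason']}; used by {f['used_by'] or 'nothing'}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG to get the finding for a real gateway. The remediation keeps the set's existing integrity transform because this rule covers encryption only; a set such as ESP-DES-MD5 will still carry esp-md5-hmac afterwards and should be reviewed under the applicable integrity rule. An unreferenced failing set (no crypto map or profile in "used_by") is still a finding, since the check covers all defined transform sets.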

Responsibility

Information Assurance Officer

IA Controls

ECSC-1