SV-215680r521266_rule
V-215680
SRG-APP-000156-NDM-000250
CISC-ND-000530
CAT II
10
Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below.
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a user tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
Review the Cisco router configuration to verify that SSH is configured to use FIPS-140-2 compliant HMACs as shown in the example below.
ip ssh version 2
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
V-215680
False
CISC-ND-000530
Review the Cisco router configuration to verify that SSH is configured to use FIPS-140-2 compliant HMACs as shown in the example below.
ip ssh version 2
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
M
4014