STIGQter: STIG Summary: Cisco IOS XE Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

DISA Rule

SV-215844r531083_rule

Vulnerability Number

V-215844

Group Title

SRG-APP-000411-NDM-000330

Rule Version

CISC-ND-001200

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured.

Configure SSH and HTTPS to use FIPS-validated HMAC for remote maintenance sessions as shown in the following examples:

SSH Example

R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha1-96

HTTPS Example

R2(config)#ip http secure-ciphersuite aes-128-cbc-sha

Check Contents

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

SSH Example

ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96

HTTPS Example

ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX

If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.
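As an added example, not part of the STIG or the STIGQter page, the following Python checker applies the check content above to a running-config snippet and reports findings. The accepted MAC and ciphersuite sets (taken from the page's examples), the rule that the HTTPS half applies only when the HTTPS server is enabled, and the sample configs are assumptions of this example.

```python
import re

# Accepted values are the ones the STIG check content lists as compliant
# examples; treating them as the complete accepted set is an assumption of
# this example, to be extended from your organisation's FIPS-validated list.
ACCEPTED_SSH_MACS = {"hmac-sha1-96"}
ACCEPTED_HTTPS_SUITES = {"aes-128-cbc-sha"}


def check_cisc_nd_001200(config: str) -> list[str]:
    """Return findings for a running-config snippet; an empty list is compliant."""
    lines = [ln.strip() for ln in config.splitlines()]
    ssh_macs, https_suites = set(), set()
    for ln in lines:
        m = re.match(r"ip ssh server algorithm mac\s+(.+)$", ln)
        if m:  # IOS XE accepts a space-separated list of MACs
            ssh_macs.update(m.group(1).split())
        m = re.match(r"ip http secure-ciphersuite\s+(.+)$", ln)
        if m:  # likewise a space-separated list of suites
            https_suites.update(m.group(1).split())

    findings = []
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 is not enforced")
    if not ssh_macs:
        findings.append("no 'ip ssh server algorithm mac' line; platform default MAC list applies")
    elif ssh_macs - ACCEPTED_SSH_MACS:
        findings.append(f"SSH MAC(s) outside accepted set: {sorted(ssh_macs - ACCEPTED_SSH_MACS)}")
    # Assumption: the HTTPS half of the check applies only when the HTTPS server is enabled.
    if "ip http secure-server" in lines:
        if not https_suites:
            findings.append("HTTPS server enabled without 'ip http secure-ciphersuite'")
        elif https_suites - ACCEPTED_HTTPS_SUITES:
            findings.append(f"HTTPS suite(s) outside accepted set: {sorted(https_suites - ACCEPTED_HTTPS_SUITES)}")
    return findings


# Constructed sample configs, not captured from a real device.
COMPLIANT_CONFIG = """
ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
"""
NONCOMPLIANT_CONFIG = """
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
"""
```

Run `check_cisc_nd_001200(text)` on a `show running-config` capture; any non-empty result is a finding under this rule.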

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4020

Comments