SV-215844r531083_rule
V-215844
SRG-APP-000411-NDM-000330
CISC-ND-001200
CAT I
10
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured.
Configure SSH and HTTPS to use FIPS-validated HMAC for remote maintenance sessions as shown in the following examples:
SSH Example
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha1-96
HTTPS Example
R2(config)#ip http secure-ciphersuite aes-128-cbc-sha
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the examples below.
SSH Example
ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96
HTTPS Example
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.