STIG Items - Need answer or directions to location of documentation please

BillPeyton1693
Level 1

Hello,

 

I'm trying to complete the newly published VPN Gateway STIG on a freshly deployed remote access VPN deployment - most items can be closed via specific references to actual system settings...  A few of the remaining items are more system build as I read them and I require some direction to provide the correct setting/wording please.

 

1) The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

 

2) Verify the VPN Gateway is configured to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

 

3)  Verify the VPN Gateway invalidates session identifiers upon user logoff or other session termination.

 

4) Verify the VPN Gateway recognizes only system-generated session identifiers.

 

I have been unable to find specific documentation relative to the ASA 5516 headend device or the AnyConnect client software providing information on the above  - any help or direction to documentation is appreciated.

 

Best,

-Bill


Hello Bill, did you ever get any input from your post? I am also looking for the same input for an RMF evaluation we are currently going through.

 

thanks

greg

 

Bill,

 

3.) You can artifact the monitor session of a user logoff.

 

4.) I just used a monitor session for this one as well for some user VPN connections and Admin management sessions.

 

I'm in the same boat as you though for 1 & 2.  I think I will open a TAC Case for them.  

 

Jay Knight

K-Grev
Level 1

Did you ever figure out 1 and 2?

K-Grev,

 

1.)  See attached for FIPS and DRBG certification for ASAs.

2.)  See attached for Cisco's response for ASA fail in a secure state.

 

Hope this helps you out.

awesome sauce. thanks everyone!!! have a safe holiday!!

 

greg

 
