
Ensure IPsec profiles do not specify use of insecure encryption algorithms

Description

This policy checks whether IPsec profiles specify the use of insecure encryption algorithms. Only secure encryption algorithms should be used to protect data in transit: insecure algorithms such as DES, 3DES and CBC-mode AES can compromise the confidentiality and integrity of that data. This check helps prevent the use of weak encryption algorithms that attackers can easily break.

Code Example

```terraform
# Compliant profile: the encryptions list contains only an AEAD algorithm (AES-GCM).
resource "panos_ipsec_crypto_profile" "example" {
  name        = "my_crypto_profile"
  encryptions = ["aes-256-gcm"]
}
```

Remediation

Ensure IPsec profiles use secure encryption algorithms such as AES-GCM or ChaCha20-Poly1305. Update the 'encryptions' attribute of the panos_ipsec_crypto_profile or panos_panorama_ipsec_crypto_profile resource so that it lists only secure algorithms.
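The following is an added example, not part of this policy page or of Checkov's own implementation, showing how the check described above can be evaluated against raw Terraform text. It assumes the PAN-OS provider's algorithm names (for example "3des", "aes-256-cbc", "aes-256-gcm"), treats only AEAD modes as secure, and fails closed on names it does not recognise; the resource matcher handles flat resource bodies only.

```python
import re

# Assumption: PAN-OS style algorithm names. DES, 3DES and any CBC mode are
# insecure per the policy; "null" (no encryption) is also rejected.
_INSECURE = (re.compile(r"^(3)?des$", re.I), re.compile(r"-cbc$", re.I),
             re.compile(r"^null$", re.I))
# Only AEAD modes named in the remediation guidance count as secure.
_SECURE = (re.compile(r"^aes-(128|192|256)-gcm$", re.I),
           re.compile(r"^chacha20-poly1305$", re.I))


def classify(alg: str) -> str:
    """Return 'insecure', 'secure' or 'unknown' for one algorithm name."""
    if any(p.search(alg) for p in _INSECURE):
        return "insecure"
    if any(p.search(alg) for p in _SECURE):
        return "secure"
    return "unknown"


def check_encryptions(encryptions):
    """FAILED if the list is empty or contains any algorithm that is not
    classified secure (unknown names fail closed); PASSED otherwise."""
    offending = [a for a in encryptions if classify(a) != "secure"]
    if not encryptions or offending:
        return "FAILED", offending
    return "PASSED", []


# Simplified matcher for flat resource bodies of both profile resource types.
_RESOURCE = re.compile(
    r'resource\s+"(panos_(?:panorama_)?ipsec_crypto_profile)"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S)
_ENCRYPTIONS = re.compile(r"encryptions\s*=\s*\[([^\]]*)\]")


def scan_terraform(text):
    """Evaluate every IPsec crypto profile resource in raw HCL text.
    Returns {resource address: (result, offending algorithms)}."""
    results = {}
    for m in _RESOURCE.finditer(text):
        kind, name, body = m.groups()
        attr = _ENCRYPTIONS.search(body)
        encryptions = re.findall(r'"([^"]+)"', attr.group(1)) if attr else []
        results[f"{kind}.{name}"] = check_encryptions(encryptions)
    return results


# Constructed sample input: one non-compliant and one compliant profile.
SAMPLE_TF = """
resource "panos_ipsec_crypto_profile" "legacy" {
  name        = "legacy_profile"
  encryptions = ["3des", "aes-256-cbc"]
}

resource "panos_panorama_ipsec_crypto_profile" "modern" {
  name        = "modern_profile"
  encryptions = ["aes-256-gcm", "aes-128-gcm"]
}
"""
```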

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-1293 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | panos_ipsec_crypto_profile, panos_panorama_ipsec_crypto_profile |
| Checkov ID | CKV_PAN_11 |
