IPsec profile uses insecure authentication algorithms on Palo Alto Networks devices
Description
This policy detects whether IPsec profiles on Palo Alto Networks devices use insecure authentication algorithms. Specifically, the policy checks that IPsec profiles do not use 'none', 'md5', or 'sha1' for ESP (Encapsulating Security Payload) authentication, as these algorithms are considered weak and vulnerable to attacks. Strong authentication algorithms are crucial for ensuring the confidentiality and integrity of IPsec VPN connections.
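As an added example (not Checkov's implementation and not code from the panos collection), the following Python scan applies the rule described above to a parsed Ansible playbook: it walks every task, including those nested in block/rescue/always, finds panos_ipsec_profile calls by either their fully qualified or short module name, and fails any whose esp_authentication contains 'none', 'md5' or 'sha1'. The sample playbook is constructed here, and the fallback to sha1 for an omitted esp_authentication is an assumption about the module default.

```python
# Added example (not Checkov's or the panos collection's own code): a CKV_PAN_12-style
# scan of a parsed Ansible playbook, flagging panos_ipsec_profile tasks with weak ESP auth.
from typing import Any, Iterator, Optional

WEAK_ESP_AUTH = {"none", "md5", "sha1"}
MODULE_NAMES = ("paloaltonetworks.panos.panos_ipsec_profile", "panos_ipsec_profile")

def iter_tasks(tasks: Any) -> Iterator[dict]:
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if isinstance(task, dict):
            yield task
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(section))

def evaluate_task(task: dict) -> Optional[dict]:
    """Return {'task', 'algorithms', 'passed'} for a panos_ipsec_profile task, else None."""
    params = next((task[m] for m in MODULE_NAMES if m in task), None)
    if not isinstance(params, dict):
        return None
    algos = params.get("esp_authentication", ["sha1"])  # assumption: module default is sha1
    if isinstance(algos, str):  # Ansible also accepts a single scalar value
        algos = [algos]
    algos = [str(a).lower() for a in algos]
    return {"task": str(task.get("name", "")), "algorithms": algos,
            "passed": not WEAK_ESP_AUTH.intersection(algos)}

def scan_playbook(playbook: list) -> list:
    """Evaluate the tasks in every section of every play that can carry tasks."""
    findings = []
    for play in playbook or []:
        if not isinstance(play, dict):
            continue
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            findings += [f for f in map(evaluate_task, iter_tasks(play.get(section))) if f]
    return findings

# Constructed sample: the page's playbook shape as yaml.safe_load() would return it.
SAMPLE_PLAYBOOK = [{"name": "Example", "hosts": "firewalls", "tasks": [
    {"name": "ipsec-weak", "paloaltonetworks.panos.panos_ipsec_profile":
        {"name": "site-a", "esp_authentication": ["md5"]}},
    {"name": "ipsec-ok", "paloaltonetworks.panos.panos_ipsec_profile":
        {"name": "site-b", "esp_authentication": ["sha256"]}},
    {"block": [{"name": "ipsec-mixed", "panos_ipsec_profile":
        {"name": "site-c", "esp_authentication": ["sha512", "sha1"]}}]},
]}]

if __name__ == "__main__":
    for f in scan_playbook(SAMPLE_PLAYBOOK):
        print("PASSED" if f["passed"] else "FAILED", f["task"], f["algorithms"])
```

To run it against a real playbook file, pass the result of `yaml.safe_load()` on that file to `scan_playbook` instead of the constructed sample.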
Code Example
```yaml
- name: Example
  ...
  tasks:
    - name: ipsec
      paloaltonetworks.panos.panos_ipsec_profile:
        ...
        esp_authentication: ['md5'] # Unacceptable authentication algorithm
```
Remediation
Palo Alto Networks
- Resource: panos_ipsec_profile
- Attribute: esp_authentication
To mitigate this risk, configure your panos_ipsec_profile resources to use a stronger algorithm such as 'sha256' or 'sha512' for robust authentication. Do not use the weak algorithms 'none', 'md5', or 'sha1' as the ESP authentication algorithm.
Secure Code Example
```yaml
- name: Example
  ...
  tasks:
    - name: ipsec
      paloaltonetworks.panos.panos_ipsec_profile:
        ...
        esp_authentication: ['sha256'] # Acceptable authentication algorithm
```
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1294 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_12 |