IPsec profile uses insecure authentication protocols on Palo Alto Networks devices
Description
This policy detects whether IPsec profiles on Palo Alto Networks devices use an insecure protocol. Specifically, it flags IPsec profiles configured with AH (Authentication Header). AH provides integrity and origin authentication only: it never encrypts the payload, so traffic crossing the tunnel is readable by anyone on the path (and its integrity check over the IP header also breaks behind NAT). ESP (Encapsulating Security Payload) provides both authentication and encryption, so IPsec tunnels should be built with ESP and a modern cipher such as AES-GCM.
Code Example
```yaml
- name: Example
  ...
  tasks:
    - name: ipsec
      paloaltonetworks.panos.panos_ipsec_profile:
        ...
-       ah_authentication: 'sha1' # Unencrypted AH should not be used
+       esp_encryption: ['aes-256-gcm'] # Encrypted ESP, not unencrypted AH, should be used
```
Remediation
Palo Alto Networks
- Resource: panos_ipsec_profile
- Attribute: ah_authentication
To remediate this, do not set the ah_authentication attribute in your panos_ipsec_profile resources. When ah_authentication is omitted, the profile uses ESP, which provides both authentication and encryption, with the cipher and hash taken from the profile's ESP settings. Note that this check covers only the choice of AH: an ESP profile whose esp_encryption list still allows null or legacy ciphers such as 3des exposes traffic just as badly, so review that list as well (the example above restricts it to aes-256-gcm).
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1295 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_13 |