Utilising Perfect Forward Secrecy for IPsec
Use PFS to ensure past IPsec keys can't be used if current ones are compromised.
Plain language
Perfect Forward Secrecy (PFS) is like changing the locks every time someone opens the door, ensuring that if a key is stolen, it can't be used to unlock the door in the future. This is important for securing communications because if someone gets hold of your current security keys, they won't be able to access past messages, keeping your sensitive information safe.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Internet Protocol SecurityTopic
Perfect Forward SecrecyOfficial control statement
PFS is used for IPsec connections.
Why it matters
Without IPsec PFS, a compromised key can allow decryption of previously captured VPN traffic, exposing sensitive data.
Operational notes
Ensure IPsec VPNs use PFS in phase 2 (ESP). Periodically verify IKE/IPsec proposals and rekey settings enforce PFS.
Implementation tips
- IT team should review current IPsec settings to ensure PFS is enabled. This involves checking the configuration files on network devices to see if PFS settings, like key group exchange methods, are turned on.
- The network administrator should configure devices to use encryption methods that support PFS. This can be done by consulting documentation for each device type, like routers or firewalls, and applying settings that specify using PFS-compatible algorithms.
- Managers should verify that all staff handling cybersecurity understand the importance of PFS in protecting past communications. They can arrange training sessions or workshops that explain how PFS works and its role in securing data.
- System owners should regularly update device firmware and patches to maintain PFS capabilities. This involves setting up a schedule to automatically check for vendor updates and apply them to all IPsec-connected devices.
- IT support staff should verify that PFS is operational after changes to the network. They can conduct regular tests using network traffic simulators to ensure that security keys are changing as expected with each new session.
Audit / evidence tips
-
Askthe PFS configuration documentation: Request the configuration settings or screenshots from network devices that show PFS is enabled
GoodDocumentation shows strong, up-to-date PFS settings enabled on all relevant devices
-
Asknetwork device firmware updates records: Verify records showing regular updates were applied to all devices supporting PFS
GoodUp-to-date logs indicating all critical devices are regularly patched with the latest PFS-supporting updates
-
Askdocumentation proving that relevant staff have been trained in PFS and its importance
GoodLists of participants along with materials that clearly explain PFS benefits and setup
-
Aska schedule of PFS testing: Request documentation showing when and how PFS effectiveness has been tested recently
GoodA routine testing record showing that PFS was successfully verified to be operational in all tests conducted
-
Asksecurity policy documents: Request the organisation's cybersecurity policy that includes mention of PFS
GoodA clearly written, formal document outlining PFS implementation and including recent updates or reviews
Cross-framework mappings
How ISM-1000 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1000 requires the use of PFS for IPsec connections to limit the impact of key compromise across sessions | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.