PCI Compliance - ISAKMP Allows Weak IPsec Encryption

Experts, I need your help passing a PCI scan. The report keeps coming back as failed with the following vulnerability:

The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets.

We use UDP 500 for a site-to-site VPN between a SonicWall NSA 2400 and a SonicWall TZ210.

Auth meth: IKEv1 with 140bit pre-shared key. Phase 1 proposal is set to main mode, DH group 14, AES-256, SHA1. Phase 2 is ESP/AES256/SHA1

I keep thinking the SNWL might be set to allow DES, but I can't find a way to disable it. Also, it could be there is no real minimum setting for the pre-shared key that I can see.

The only thing I haven't tried is going to IKEv2, but I'm hesitating because I don't want to rebuild the other VPN tunnels in my hub-and-spoke. I had a vendor tell me that IKEv1 would stop working for all of them once I switched.

Thanks for your help!
1 Solution
To check if your router allows DES:

1. Log in to the management GUI
2. Click on the ‘VPN’ button on the left side, and then click on the ‘Configure’ tab along the top.
3. From the ‘Security Association’ drop-down box, choose your SA
4. From the ‘Phase 1 Encryption/Authentication’ drop-down box, choose “3DES & MD5”.
5. From the ‘Phase 2 Encryption/Authentication’ drop-down box, choose “Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)”.

Also, what tool was used to report this finding? I can look up more information on the vulnerability if I know what tool it came from.
agwarren (Author) commented:
I should have specified my router is running SonicOS Enhanced 5.8

I don't see the Configure tab under the VPN button. The VPN Settings lists the current policies (probably what was called Security Associations) that I can choose to edit, or create a new policy. The edit box has a 'Proposals' tab where I can choose the Encryption/Authentication methods, and DES/3DES/AES are all options in the drop-down box.

The tool used was by Aperia Solutions. The full report doesn't give much more detail.
Ok, my recommendation is to document this as a false finding and document mitigating controls in place, here's why.

This finding is based on a vulnerability scanner attempting to establish an SA with your device. During the handshake your SonicWall reports that it allows DES/3DES and AES. That's it. So since DES is included, it marks it as a finding.

What is missing though is that to establish the SA, both sides have to agree on algorithms, which the vuln scanner did not do. YOUR VPN tunnel does agree on an algorithm, and since they are both configured to allow something better than DES (3DES or AES) they are going to default to that.

The vulnerability scanner is not capable of confirming this, because they do not have authorization to establish a full SA with your devices.

See this article: http://blogs.technet.com/b/networking/archive/2008/12/18/third-party-security-scanning-software-reports-weak-ipsec-encryption.aspx

PCI rules say nothing in writing about ISAKMP or the use of DES, so to say this is a "PCI finding" is false; it is more just best practice. See rule 4.1 on page 15 in this document:
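
To see for yourself what the scanner saw, the following Python (an added example, not code from this thread or from SonicWall) decodes the SA payload of a captured IKEv1 Phase 1 packet and lists every transform a scanner would count as weak; run it over the proposals your own firewall offered or accepted in a packet capture to confirm which ciphers were actually on the table. The payload layout follows RFC 2408/2409, the sample payload is constructed inline, and the 112-bit effective strength assigned to 3DES is an assumption of the example.

```python
import struct
# IKEv1 Phase 1 attribute types and algorithm IDs (RFC 2409 Appendix A)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
DEFAULT_BITS = {1: 56, 5: 112, 7: 128}   # effective strength if no Key Length attribute (assumed)

def parse_attributes(data):
    # ISAKMP data attributes (RFC 2408 s3.3): basic (TV, high bit set) or variable (TLV)
    attrs, off = {}, 0
    while off < len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            attrs[af_type & 0x7FFF] = val
        else:
            attrs[af_type] = int.from_bytes(data[off:off + val], "big")
            off += val
    return attrs

def weak_transforms(sa_payload, min_key_bits=128):
    """Return (transform#, cipher, key bits, hash) for each transform below the threshold."""
    off, findings = 12, []                 # skip generic header (4), DOI (4), Situation (4)
    while off < len(sa_payload):
        # Proposal header: next, reserved, length, proposal#, protocol, SPI size, #transforms
        nxt, _, plen, _, _, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa_payload, off)
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            # Transform header: next, reserved, length, transform#, transform id, 2 reserved
            tlen, tnum = struct.unpack_from("!HB", sa_payload, toff + 2)
            attrs = parse_attributes(sa_payload[toff + 8:toff + tlen])
            enc = attrs.get(ATTR_ENC)
            bits = attrs.get(ATTR_KEYLEN, DEFAULT_BITS.get(enc, 0))
            if bits < min_key_bits:
                findings.append((tnum, ENC_NAMES.get(enc, "enc#%s" % enc), bits,
                                 HASH_NAMES.get(attrs.get(ATTR_HASH), "?")))
            toff += tlen
        if nxt == 0:                       # no further proposal payload
            break
        off += plen
    return findings

# Constructed sample SA payload: one proposal offering AES-256/SHA1/DH14, 3DES/MD5/DH2, DES/MD5/DH1
_tv = lambda t, v: struct.pack("!HH", 0x8000 | t, v)   # basic (TV) attribute
def _transform(num, last, *attrs):
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + sum(map(len, attrs)), num, 1, 0) + b"".join(attrs)
_T = (_transform(1, False, _tv(1, 7), _tv(14, 256), _tv(2, 2), _tv(3, 1), _tv(4, 14))
      + _transform(2, False, _tv(1, 5), _tv(2, 1), _tv(3, 1), _tv(4, 2))
      + _transform(3, True, _tv(1, 1), _tv(2, 1), _tv(3, 1), _tv(4, 1)))
_PROP = struct.pack("!BBHBBBB", 0, 0, 8 + len(_T), 1, 1, 0, 3) + _T
SAMPLE_SA = struct.pack("!BBHII", 0, 0, 12 + len(_PROP), 1, 1) + _PROP
```

Only transforms 2 and 3 of the sample come back, which is exactly the condition a scanner reports even though your tunnel negotiates transform 1.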

agwarren (Author) commented:
Thanks for the research and recommendation, southpau1. We submitted the exception report and are awaiting a response from the ASV.