PCI Compliance - ISAKMP Allows Weak IPsec Encryption

Posted on 2012-08-16
Medium Priority
Last Modified: 2012-08-23
Experts, I need your help passing a PCI scan. The report keeps showing failed with the following vulnerability:

The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets.

We use UDP 500 for a site-to-site VPN between a SonicWall NSA 2400 and a SonicWall TZ210.

Auth method: IKEv1 with a 140-bit pre-shared key. The Phase 1 proposal is set to main mode, DH group 14, AES-256, SHA1. Phase 2 is ESP/AES-256/SHA1.

I keep thinking the SNWL might be set to allow DES, but I can't find a way to disable it. Also, it could be there is no real minimum setting for the pre-shared key that I can see.

The only thing I haven't tried is going to IKEv2, but I'm hesitating because I don't want to rebuild the other VPN tunnels in my hub-and-spoke. I had a vendor tell me that IKEv1 would stop working for all of them once I switched.

Thanks for your help!
Question by: agwarren

Expert Comment

ID: 38302187
To check if your router allows DES:

1. Log in to the management GUI
2. Click on the ‘VPN’ button on the left side, and then click on the ‘Configure’ tab along the top.
3. From the ‘Security Association’ drop-down box, choose your SA
4. From the ‘Phase 1 Encryption/Authentication’ drop-down box, choose “3DES & MD5”.
5. From the ‘Phase 2 Encryption/Authentication’ drop-down box, choose “Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)”.

Expert Comment

ID: 38302195
Also, what tool was used to report this finding? I can look up more information on the vulnerability if I know what tool it came from.

Author Comment

ID: 38302473
I should have specified my router is running SonicOS Enhanced 5.8

I don't see the Configure tab under the VPN button. The VPN Settings lists the current policies (probably what was called Security Associations) that I can choose to edit, or create a new policy. The edit box has a 'Proposals' tab where I can choose the Encryption/Authentication methods, and DES/3DES/AES are all options in the drop-down box.

The tool used was by Aperia Solutions. The full report doesn't give much more detail.

Accepted Solution

southpau1 earned 825 total points
ID: 38302867
Ok, my recommendation is to document this as a false finding and document mitigating controls in place, here's why.

This finding is based on a vulnerability scanner attempting to establish an SA with your device. During the handshake your SonicWall reports that it allows DES/3DES and AES. That's it. So since DES is included, it marks it as a finding.

What is missing though is that to establish the SA, both sides have to agree on algorithms which the vuln scanner did not do.  YOUR VPN tunnel does agree on an algorithm, and since they are both configured to allow something better than DES (3DES or AES) they are going to default to that.

The vulnerability scanner is not capable of confirming this, because they do not have authorization to establish a full SA with your devices.

See this article: http://blogs.technet.com/b/networking/archive/2008/12/18/third-party-security-scanning-software-reports-weak-ipsec-encryption.aspx

PCI rules say nothing in writing about ISAKMP or the use of DES, so to say this is a "PCI finding" is false; it is more just best practice. See rule 4.1 on page 15 in this document:
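
The negotiation behaviour described in the accepted solution, as a small added model (example code, not from the thread or from SonicWall): an IKEv1 responder picks the first transform the initiator offers that it also accepts, so a scanner that offers only DES gets a DES match whenever DES is still in the accepted set, while the real peer proposing AES-256 gets AES-256. The transform sets are constructed to mirror the policy described in the question, and the weak-algorithm rule is an assumption about how the scanner scores.

```python
"""Model of IKEv1 Phase 1 proposal selection.  Added example; the transform
sets below are constructed, not exported from a device."""

WEAK_CIPHERS = {"DES"}      # single DES: 56-bit key
WEAK_HASHES = {"MD5"}
MIN_KEY_BITS = 128          # assumed scanner threshold for "short key"

# Transforms the responder (hub) accepts when DES is left enabled.
PERMISSIVE_RESPONDER = [
    {"enc": "AES", "key_bits": 256, "hash": "SHA1", "dh": 14},
    {"enc": "3DES", "key_bits": 168, "hash": "SHA1", "dh": 14},
    {"enc": "DES", "key_bits": 56, "hash": "SHA1", "dh": 2},
]
# The same policy with the DES transform removed.
HARDENED_RESPONDER = [t for t in PERMISSIVE_RESPONDER if t["enc"] != "DES"]

# What the real peer (spoke) proposes, per the question.
PEER_PROPOSAL = [{"enc": "AES", "key_bits": 256, "hash": "SHA1", "dh": 14}]
# A scanner probe: it offers only transforms it considers weak (assumption).
SCANNER_PROBE = [
    {"enc": "DES", "key_bits": 56, "hash": "MD5", "dh": 1},
    {"enc": "DES", "key_bits": 56, "hash": "SHA1", "dh": 2},
]

def is_weak(t):
    """The scanner's rule: weak cipher, weak hash, or short key."""
    return (t["enc"] in WEAK_CIPHERS or t["hash"] in WEAK_HASHES
            or t["key_bits"] < MIN_KEY_BITS)

def negotiate(initiator_proposals, responder_accepts):
    """IKEv1 responder behaviour: the initiator's transforms are checked in
    order and the first one the responder also accepts becomes the SA's
    transform.  Returns None when nothing matches (NO-PROPOSAL-CHOSEN)."""
    for t in initiator_proposals:
        if t in responder_accepts:
            return t
    return None

def weak_transforms_accepted(responder_accepts):
    """Remediation check: every accepted transform the scanner would flag,
    regardless of what the real peer ends up negotiating."""
    return [t for t in responder_accepts if is_weak(t)]

if __name__ == "__main__":
    print("peer gets:", negotiate(PEER_PROPOSAL, PERMISSIVE_RESPONDER)["enc"])
    print("scanner gets:", negotiate(SCANNER_PROBE, PERMISSIVE_RESPONDER))
    print("scanner vs hardened:", negotiate(SCANNER_PROBE, HARDENED_RESPONDER))
    print("to remove:", weak_transforms_accepted(PERMISSIVE_RESPONDER))
```

The finding clears only when `weak_transforms_accepted` returns an empty list for the responder's policy; the peer's AES-256 tunnel is unaffected either way.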


Author Closing Comment

ID: 38324673
Thanks for the research and recommendation, southpau1. We submitted the exception report and are awaiting a response from the ASV.
