agwarren asked:

PCI Compliance - ISAKMP Allows Weak IPsec Encryption

Experts, I need your help passing a PCI scan. The report keeps showing failed with the following vulnerability:

The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets.

We use UDP 500 for a site-to-site VPN between a SonicWall NSA 2400 and SonicWall TZ210

Auth meth: IKEv1 with 140bit pre-shared key. Phase 1 proposal is set to main mode, DH group 14, AES-256, SHA1. Phase 2 is ESP/AES256/SHA1

I keep thinking the SNWL might be set to allow DES, but I can't find a way to disable it. Also, it could be there is no real minimum setting for the pre-shared key that I can see.

The only thing I haven't tried is going to IKEv2, but I'm hesitating because I don't want to rebuild the other VPN tunnels in my hub-and-spoke. I had a vendor tell me that IKEv1 would stop working for all of them once I switched.

Thanks for your help!
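An added example, not from this thread or from the Aperia scanner, of what the finding itself is about: the scanner offers the ISAKMP endpoint Phase 1 proposals and reports the weak ones it accepts. The Python below decodes an IKEv1 Transform payload, as it would appear in a capture of your own tunnel's negotiation, and lists the attributes a PCI ASV objects to; both transforms are constructed sample bytes, and the 2048-bit DH floor and 128-bit AES floor are assumed policy values.

```python
import struct

# IKEv1 Phase 1 SA attribute types and values (RFC 2409 appendix A).
ATTR_TYPES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type",
              12: "life_dur", 14: "key_len"}
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}   # MODP modulus sizes

def parse_transform(payload: bytes) -> dict:
    """Decode one ISAKMP Transform payload (RFC 2408 s3.6) into {attr: value}."""
    _nxt, _rsv, length, _num, transform_id = struct.unpack("!BBHBB", payload[:6])
    if length != len(payload) or transform_id != 1:  # Transform-Id 1 = KEY_IKE
        raise ValueError("not a well-formed IKE transform payload")
    attrs, off = {}, 8                  # bytes 6-7 are reserved
    while off < length:
        af_type, = struct.unpack("!H", payload[off:off + 2])
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:            # AF=1: TV form, 2-byte value
            value, = struct.unpack("!H", payload[off + 2:off + 4])
            off += 4
        else:                           # AF=0: TLV form, 2-byte length then value
            vlen, = struct.unpack("!H", payload[off + 2:off + 4])
            value = int.from_bytes(payload[off + 4:off + 4 + vlen], "big")
            off += 4 + vlen
        attrs[ATTR_TYPES.get(attr_type, attr_type)] = value
    return attrs

def weak_findings(attrs: dict) -> list:
    """Return the reasons a Phase 1 transform fails an assumed 'weak IPsec' policy."""
    findings = []
    enc = attrs.get("enc")
    if enc in (1, 5):
        findings.append(f"cipher {ENC_NAMES[enc]} is deprecated")
    if enc == 7 and attrs.get("key_len", 128) < 128:   # AES defaults to 128 bits
        findings.append(f"AES key length {attrs['key_len']} below 128 bits")
    if attrs.get("hash") == 1:
        findings.append("integrity MD5 is deprecated")
    if GROUP_BITS.get(attrs.get("group"), 0) < 2048:
        findings.append(f"DH group {attrs.get('group')} below 2048 bits")
    return findings

# Constructed sample transforms (not captured from the SonicWall pair in the thread).
STRONG_T = bytes.fromhex("0000001c01010000"       # len 28, transform 1, KEY_IKE
                         "8001000780020002800300018004000e800e0100")  # AES/SHA/PSK/G14/256
WEAK_T = bytes.fromhex("0000002401010000"         # len 36, transform 1, KEY_IKE
                       "80010001800200018003000180040002800b0001"    # DES/MD5/PSK/G2/secs
                       "000c000400015180")        # TLV life duration 86400 s

if __name__ == "__main__":
    for name, t in (("strong", STRONG_T), ("weak", WEAK_T)):
        print(name, weak_findings(parse_transform(t)) or "no weak attributes")
```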
southpau1 replied:

To check if your router allows DES:

1. Log in to the management GUI
2. Click on the ‘VPN’ button on the left side, and then click on the ‘Configure’ tab along the top.
3. From the ‘Security Association’ drop-down box, choose your SA
4. From the ‘Phase 1 Encryption/Authentication’ drop-down box, choose “3DES & MD5”.
5. From the ‘Phase 2 Encryption/Authentication’ drop-down box, choose “Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)”.

Also, what tool was used to report this finding? I can look up more information on the vulnerability if I know what tool it came from.
agwarren (asker) replied:

I should have specified my router is running SonicOS Enhanced 5.8

I don't see the Configure tab under the VPN button. The VPN Settings lists the current policies (probably what was called Security Associations) that I can choose to edit, or create a new policy. The edit box has a 'Proposals' tab where I can choose the Encryption/Authentication methods, and DES/3DES/AES are all options in the drop-down box.

The tool used was by Aperia Solutions. The full report doesn't give much more detail.
ASKER CERTIFIED SOLUTION by southpau1 (the solution text is only available to members)

agwarren (asker) replied:

Thanks for the research and recommendation, southpau1. We submitted the exception report and are awaiting a response from the ASV.