CMCITD
asked on
PCI Compliance Scan Fail - UDP 500 ISAKMP Aggressive Mode
We have a Cisco ASA 5510 that is being scanned for PCI Compliance. The scan fails with the message below regarding aggressive mode for our VPNs. We currently have 6 IPsec Site-to-Site VPNs configured using preshared keys and also have the SSL Clientless VPN set up, but that is not really in use at all. I have read that if I disable Aggressive Mode, then we lose the ability to use preshared keys, and that could cause problems with our existing VPNs? Any suggestions on how I can alleviate this message without causing problems?
Here is the message from Security Metrics:
Description: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
Synopsis: The remote IKEv1 service supports Aggressive Mode with Pre-Shared key.
Impact: The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Share key (PSK) authentication. Such configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.
See also:
http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html
https://www.ernw.de/download/pskattack.pdf
http://www.vpnc.org/ietf-ipsec/99.ipsec/msg01451.html
http://www.securityfocus.com/bid/7423
Resolution:
- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if it's possible.
- If using Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP addresses.
Note that this plugin does not run over IPv6.
Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2002-1623
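The finding above rests on a property of IKEv1 itself: in Aggressive Mode the responder's second message carries its ID and HASH payloads unencrypted, so a passive observer of UDP/500 traffic sees material that, with PSK authentication, can be attacked offline. In Main Mode the same payloads appear only in messages 5 and 6, which are encrypted. The script below is an added example (written for this page, not part of the Security Metrics report or the asker's configuration) that parses the RFC 2408 ISAKMP header and payload chain from captured UDP/500 payloads and reports gateways whose unencrypted replies use exchange type 4 (Aggressive) with ID and HASH in the clear. It is a passive check over captured packets, so it can confirm the scanner's finding before a change and its absence afterwards without sending any traffic. The sample packets, the 203.0.113.x gateway addresses and the `build_isakmp` helper are constructed for the example; the header layout and payload type numbers are from RFC 2408.

```python
"""Passive check for IKEv1 Aggressive Mode responses in captured UDP/500 traffic."""
import struct
from dataclasses import dataclass, field

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")    # RFC 2408 fixed header: ISPI, RSPI, next, ver, xchg, flags, msgid, len
GENERIC_PAYLOAD_HDR = struct.Struct("!BBH")   # generic payload header: next payload, reserved, length

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode", 5: "Informational"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTION = 0x01  # E bit: payloads after the header are encrypted


@dataclass
class Finding:
    gateway: str
    exchange: str
    payloads: list = field(default_factory=list)
    hash_in_clear: bool = False   # True when an Aggressive Mode reply exposes ID + HASH unencrypted


def parse_payloads(body: bytes, first_type: int) -> list:
    """Walk the payload chain and return the payload type names in order."""
    names, ptype, off = [], first_type, 0
    while ptype != 0 and off + GENERIC_PAYLOAD_HDR.size <= len(body):
        next_type, _, plen = GENERIC_PAYLOAD_HDR.unpack_from(body, off)
        if plen < GENERIC_PAYLOAD_HDR.size or off + plen > len(body):
            break  # malformed chain: stop instead of looping on a bad length
        names.append(PAYLOAD_NAMES.get(ptype, f"type{ptype}"))
        ptype, off = next_type, off + plen
    return names


def analyze_response(gateway: str, udp_payload: bytes):
    """Classify one UDP/500 packet from a gateway; None when it is not an inspectable IKEv1 reply."""
    if len(udp_payload) < ISAKMP_HDR.size:
        return None
    _ispi, rspi, next_payload, version, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(udp_payload)
    if version >> 4 != 1:          # major version nibble must be 1 (IKEv1)
        return None
    if rspi == b"\x00" * 8:        # responder SPI is zero only in the initiator's first message
        return None
    if flags & FLAG_ENCRYPTION:    # encrypted payloads: nothing to inspect passively
        return None
    payloads = parse_payloads(udp_payload[ISAKMP_HDR.size:length], next_payload)
    finding = Finding(gateway, EXCHANGE_TYPES.get(xchg, f"exchange {xchg}"), payloads)
    finding.hash_in_clear = xchg == 4 and "HASH" in payloads and "ID" in payloads
    return finding


def build_isakmp(ispi: bytes, rspi: bytes, xchg: int, flags: int, payload_types: list) -> bytes:
    """Construct a minimal ISAKMP packet for the sample set (payload bodies are dummy bytes)."""
    body = b""
    for i, ptype in enumerate(payload_types):
        next_type = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        pbody = b"\x00" * 8
        body += GENERIC_PAYLOAD_HDR.pack(next_type, 0, GENERIC_PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payload_types[0] if payload_types else 0
    hdr = ISAKMP_HDR.pack(ispi, rspi, first, 0x10, xchg, flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed sample capture: (source address, UDP payload).
SAMPLES = [
    ("203.0.113.10", build_isakmp(b"\x11" * 8, b"\x22" * 8, 4, 0, [1, 4, 10, 5, 8, 13])),  # AM msg 2: ID+HASH in clear
    ("203.0.113.20", build_isakmp(b"\x33" * 8, b"\x44" * 8, 2, 0, [1, 13])),               # MM msg 2: SA only
    ("203.0.113.20", build_isakmp(b"\x33" * 8, b"\x44" * 8, 2, 0x01, [5, 8])),             # MM msg 6: encrypted
    ("203.0.113.30", build_isakmp(b"\x55" * 8, b"\x00" * 8, 4, 0, [1, 4, 10, 5])),         # AM msg 1 from an initiator
]


def gateways_offering_aggressive_psk(samples=SAMPLES) -> list:
    """Gateways in the capture that answered Aggressive Mode with ID and HASH unencrypted."""
    hits = set()
    for src, pkt in samples:
        finding = analyze_response(src, pkt)
        if finding and finding.hash_in_clear:
            hits.add(finding.gateway)
    return sorted(hits)


if __name__ == "__main__":
    for gw in gateways_offering_aggressive_psk():
        print(f"{gw}: answers IKEv1 Aggressive Mode with ID/HASH in the clear (scanner finding applies)")
```

Two practical notes. First, on the question of losing pre-shared keys: Main Mode with a pre-shared key remains available for peers whose addresses are static, which is how site-to-site tunnels are normally defined; Aggressive Mode is what PSK-authenticated peers with dynamic addresses (the classic IPsec remote-access client) depend on, because the responder must learn the peer's identity before it can pick a key. Second, on the ASA the switch that turns the responder's Aggressive Mode off globally is `crypto ikev1 am-disable` on 8.4 and later (`crypto isakmp am-disable` on earlier releases); re-run the passive check, or the scanner, afterwards to confirm the reply no longer uses exchange type 4.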
ASKER CERTIFIED SOLUTION
I believe you would have to go certificate based to keep the IPSEC clients running, but I can't say that I've ever actually done this myself. My customers in the past always made their appeal and got an exception which gave them a pass.
Do you have to use the IPSEC client? Can you go with SSL VPN or use something like Citrix or VMWare View?
ASKER
IPSEC Client isn't a must. We do have Citrix in place and alternative methods for access. I will move towards making an appeal. Thanks for your guidance on this!