CMCITD (United States of America) asked:
PCI Compliance Scan Fail - UDP 500 ISAKMP Aggressive Mode

We have a Cisco ASA 5510 that is being scanned for PCI Compliance. The scan fails with the message below regarding aggressive mode for our VPNs. We currently have 6 IPsec Site-to-Site VPNs configured using preshared keys and also have the SSL Clientless VPN set up, but that is not really in use at all. I have read that if I disable the Aggressive Mode, then we lose the ability to use preshared keys and could cause problems with our existing VPNs? Any suggestions on how I can alleviate this message without causing problems?

Here is the message from Security Metrics:

Description: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key

Synopsis: The remote IKEv1 service supports Aggressive Mode with Pre-Shared key.
 
Impact: The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Share key (PSK) authentication. Such configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.

See also:

- http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html
- https://www.ernw.de/download/pskattack.pdf
- http://www.vpnc.org/ietf-ipsec/99.ipsec/msg01451.html
- http://www.securityfocus.com/bid/7423

Resolution:

- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if it's possible.
- If using Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP addresses.

Note that this plugin does not run over IPv6.

Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE: CVE-2002-1623
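To make the scanner's finding concrete, here is an added example (mine, not code from this thread, from Security Metrics or from Cisco) that parses IKEv1 datagrams and walks the SA payload to flag an aggressive-mode exchange that proposes or accepts pre-shared-key authentication. Run over UDP/500 payloads captured on the ASA's outside interface, it shows the same condition the scanner reports, and the same capture taken after a configuration change shows whether the gateway still answers such proposals. Packet layouts follow RFC 2408 and RFC 2409; the sample messages are constructed inside the script, the 65001/65002 authentication-method values are assumed from the IKE XAUTH draft, and the group name `vpngroup` is a placeholder.

```python
"""Classify IKEv1 (ISAKMP, UDP/500) datagrams by exchange type and proposed
authentication method, so an aggressive-mode / pre-shared-key exchange like the
one the PCI scanner flags can be picked out of a packet capture.
Added example, not code from the original thread. Packet layout follows
RFC 2408 / RFC 2409; the sample datagrams below are constructed, not captured."""
import struct

EXCHANGE_TYPES = {2: "main mode (identity protection)", 4: "aggressive mode"}
# ISAKMP attribute type 3 = Authentication Method (RFC 2409 appendix A).
# 65001/65002 are assumed from the IKE XAUTH draft: the pre-shared-key variants a
# group-name/PSK remote-access client proposes, so they count as PSK as well.
AUTH_METHODS = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
                4: "RSA encryption", 5: "revised RSA encryption",
                65001: "XAUTH init pre-shared key", 65002: "XAUTH resp pre-shared key"}
PSK_AUTH = {1, 65001, 65002}
HDR = "!8s8sBBBBII"  # I-cookie, R-cookie, next payload, version, exchange, flags, msg id, length


def _generic(buf, off):
    """Generic payload header: next payload, reserved, payload length (bounds-checked)."""
    if off + 4 > len(buf):
        raise ValueError("truncated payload header")
    nxt, _res, plen = struct.unpack("!BBH", buf[off:off + 4])
    if plen < 4 or off + plen > len(buf):
        raise ValueError("bad payload length")
    return nxt, plen


def _attributes(data):
    """Yield (type, value) for transform attributes in TV (basic) or TLV form."""
    off = 0
    while off + 4 <= len(data):
        atype, aval = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:                      # basic: 2-byte value in place
            yield atype & 0x7FFF, aval
            off += 4
        else:                                   # variable: aval is the value length
            raw = data[off + 4:off + 4 + aval]
            yield atype, int.from_bytes(raw, "big") if raw else 0
            off += 4 + aval


def _auth_methods_in_sa(body):
    """Walk SA -> proposal -> transform payloads and collect attribute 3 values."""
    methods, off = [], 8                        # skip DOI (4) and Situation (4)
    while off < len(body):
        nxt, plen = _generic(body, off)
        if plen < 8:
            raise ValueError("short proposal payload")
        _num, _proto, spi_size, n_trans = struct.unpack("!BBBB", body[off + 4:off + 8])
        toff = off + 8 + spi_size
        for _ in range(n_trans):
            _tnxt, tlen = _generic(body, toff)  # transform header is 8 bytes total
            for atype, aval in _attributes(body[toff + 8:toff + tlen]):
                if atype == 3:
                    methods.append(aval)
            toff += tlen
        if nxt == 0:
            break
        off += plen
    return methods


def parse_isakmp(pkt):
    """Return exchange type, payload chain, auth methods and a PSK/aggressive verdict."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, version, exch, _flags, _msgid, length = struct.unpack(HDR, pkt[:28])
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    res = {"exchange": EXCHANGE_TYPES.get(exch, "other (%d)" % exch),
           "payloads": [], "auth_methods": []}
    off = 28
    while nxt != 0 and off < min(length, len(pkt)):
        ptype = nxt
        nxt, plen = _generic(pkt, off)
        res["payloads"].append(ptype)
        if ptype == 1:                          # SA payload
            res["auth_methods"].extend(_auth_methods_in_sa(pkt[off + 4:off + plen]))
        off += plen
    res["psk_aggressive"] = exch == 4 and any(a in PSK_AUTH for a in res["auth_methods"])
    return res


def build_ike_msg(exchange_type, auth_method):
    """Constructed IKEv1 message 1 (sample data, not a capture): one 3DES/SHA1/group-2
    transform. Aggressive mode additionally carries KE, Nonce and ID in the clear,
    which is what the scanner's warning about capturing the PSK exchange refers to."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, auth_method), (4, 2), (11, 1)))
    attrs += struct.pack("!HHI", 12, 4, 86400)          # life duration, TLV form
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    payloads = [(1, struct.pack("!II", 1, 1) + proposal)]   # DOI=IPsec, SIT_IDENTITY_ONLY
    if exchange_type == 4:
        payloads += [(4, b"\x42" * 128),                    # KE: dummy group-2 public value
                     (10, b"\x13" * 16),                    # Nonce
                     (5, b"\x0b\x00\x00\x00" + b"vpngroup")]  # ID_KEY_ID, placeholder group
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    hdr = struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, payloads[0][0], 0x10,
                      exchange_type, 0, 0, 28 + len(body))
    return hdr + body


if __name__ == "__main__":
    for exch, auth in ((4, 1), (2, 1), (4, 3)):
        print(exch, auth, parse_isakmp(build_ike_msg(exch, auth)))
```

Feed real datagrams by slicing the UDP payload out of a capture. In the initiator's message the verdict means "a client or scanner asked for PSK aggressive mode"; in the responder's reply (the ASA's first packet back, exchange type 4 with auth method in the PSK set) it means the gateway accepted it, which is the condition to re-check after the change. On ASA the responder-side knob is `crypto ikev1 am-disable` on 8.4 and later (`crypto isakmp am-disable` on earlier releases; check your release's command reference). Static-IP site-to-site tunnels with pre-shared keys negotiate main mode, so that setting affects the remote-access clients that identify themselves by group name, not those tunnels.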
ASKER CERTIFIED SOLUTION

rauenpc (United States of America):
CMCITD (asker):

If we disable the aggressive mode which will in turn disable the IPSEC client, do we then use certificate-based authentication for our clients that do connect to our hospital via the IPSEC Client? I'd want to make sure that this is still functional.

I believe you would have to go certificate-based to keep the IPSEC clients running, but I can't say that I've ever actually done this myself. My customers in the past always made their appeal and got an exception which gave them a pass.

Do you have to use the IPSEC client? Can you go with SSL VPN or use something like Citrix or VMware View?
CMCITD (asker):

IPSEC Client isn't a must. We do have Citrix in place and alternative methods for access. I will move towards making an appeal. Thanks for your guidance on this!