Cisco ASA VPN PCI failure due to weak SSL encryption - part 2

We continue to fail a PCI scan on our Cisco ASA firewall due to cipher vulnerabilities as follows (note: all on UDP port 500, TLS minimum set to TLS 1.1):
- Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device.
- Weak Diffie-Hellman groups identified on VPN Device. Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints.

We use the Cisco AnyConnect client for connections, with all clients accessing AES256.

After setting the firewall DH group level to 5 and the cipher security level to MEDIUM (no DES/3DES support), I am still seeing PCI failures due to DES/3DES and a DH group level of 2.
Can anyone explain this (and how to resolve)? Does the ASA require a reload to use the new settings?

Following is the cipher information from the firewall:
asa1234x# sh ssl cipher
Current cipher configuration:
default (custom): AES256-SHA:AES128-SHA
  AES256-SHA
  AES128-SHA
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (medium):
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
asa1234x#
agradminAsked:
btanExec ConsultantCommented:
You should go for TLS 1.2 to get a good score, which means having only SHA-2 suites instead of SHA.

https://www.google.com.sg/amp/s/glazenbakje.wordpress.com/2015/11/17/cisco-asa-disable-ssl-3-0-settings-and-change-it-to-tls-v1-2/amp/
0
agradminAuthor Commented:
I agree and am aware TLS 1.2 would be preferred, but am concerned about the client side.
0
Christopher Jay WolffWiggle My Legs, OwnerCommented:
Did you update all Cisco software? Apparently Cisco had some problems a while back, described below. I don't pretend to know or understand all this, but thought it worth mentioning to see if you think it is relevant.


CVE-2014-3393: Security Appliance Turned Security Risk

A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

The vulnerability is due to an improper implementation of authentication checks in the Clientless SSL VPN portal customization framework. An attacker could exploit this vulnerability by modifying some of the customization objects in the RAMFS cache file system. An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.



From this link.
https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
0

btanExec ConsultantCommented:
Only AnyConnect 4.x supports TLS 1.2, and it needs ASA 9.3(2).
New Features in AnyConnect 4.0.00048

AnyConnect now supports TLS version 1.2 with the following additional cipher suites:
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
AES256-SHA256
AES128-SHA256

Note - AnyConnect TLS 1.2 requires a secure gateway that also supports TLS 1.2. This is available in release 9.3(2) of the ASA on 5500-X models.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/release/notes/b_Release_Notes_AnyConnect_4_0.html#reference_467195CDD71947948872259D1DB91158
0
Pete LongTechnical ConsultantCommented:
If you are seeing these on port 500 then that's ISAKMP, my friend. This means you have an IKEv1 or IKEv2 policy that is using these settings, and that's typically (not always) for IPsec VPN, not AnyConnect.

Issue a 'show run crypto' and press the space bar a lot to page down; there at the bottom are your IKE policies. I bet one of them matches whatever the scan is moaning about.

Run 'show run cry isa', and make sure you don't have any IKE/IPsec tunnels up before you remove them.

:)
Pete
0
agradminAuthor Commented:
Thanks Pete, once again you have hit the nail on the head. These are likely remnants of our legacy IPsec VPNs. We use AnyConnect exclusively at this point; how would you suggest we proceed?

Here's the result of sh run cry isa:
sh run cry isa
crypto isakmp nat-traversal 3600
0
Pete LongTechnical ConsultantCommented:
Oops, I meant 'show cry isa' (it tells you if you have any phase 1 VPN tunnels using ISAKMP).

Disabling depends on your version (ASA code).

If it's newer than 8.4 (which is old!)

then

no crypto ikev1 enable outside
no crypto ikev2 enable outside

should do the trick.

P
0
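The procedure Pete lays out across his two replies (find the IKE policies in 'show run crypto', confirm with 'show crypto isakmp sa' that no IKEv1/IKEv2 tunnels are up, then disable IKEv1/IKEv2 on the outside interface), as an added worked example that is not part of the original thread or of any Cisco tool. It runs offline against constructed ASA output embedded in the script; the policy numbers, the 3des/group 2 settings and the interface name are assumptions for illustration, not taken from the poster's device.

```python
"""
Added example (not from the thread): triage an ASA's IKE configuration the
way the replies above describe.  The 'show run crypto' and 'show crypto
isakmp sa' text below is constructed for this example; policy IDs, the
weak settings and the interface name are assumptions.
"""
import re

# Constructed 'show run crypto' excerpt: a strong IKEv2 policy plus two
# legacy IKEv1 policies with exactly what a PCI scanner flags (3DES, DH 2).
SHOW_RUN_CRYPTO = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Constructed 'show crypto isakmp sa' excerpt (same shape as the thread's output).
SHOW_CRYPTO_ISAKMP_SA = """\
There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              0
Global IKEv2 Statistics
  Active Tunnels:                          0
"""

WEAK_CIPHERS = {"des", "3des"}   # ciphers the scan reported
MIN_DH_GROUP = 5                 # minimum the scan asked for


def parse_ike_policies(config):
    """Return one dict per 'crypto ikev1|ikev2 policy N' block, keyed by its sub-commands."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev1|ikev2) policy (\d+)", line)
        if m:
            current = {"version": m.group(1), "id": int(m.group(2))}
            policies.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None           # an unindented line ends the policy block
            continue
        key, _, value = line.strip().partition(" ")
        current[key] = value
    return policies


def weak_policies(policies):
    """(version, id, reasons) for every policy a PCI scan would flag."""
    flagged = []
    for p in policies:
        reasons = []
        if p.get("encryption", "") in WEAK_CIPHERS:
            reasons.append(f"weak cipher {p['encryption']}")
        groups = [int(g) for g in p.get("group", "").split()]   # IKEv2 may list several
        if any(g < MIN_DH_GROUP for g in groups):
            reasons.append(f"DH group {p['group']}")
        if reasons:
            flagged.append((p["version"], p["id"], reasons))
    return flagged


def enabled_interfaces(config):
    """(version, interface) pairs on which IKE is enabled: these are the UDP/500 listeners."""
    return re.findall(r"crypto (ikev[12]) enable (\S+)", config)


def safe_to_disable(sa_output):
    """True only when the device reports no IKEv1 and no IKEv2 SAs (Pete's 'clue')."""
    return "There are no IKEv1 SAs" in sa_output and "There are no IKEv2 SAs" in sa_output


def remediation_commands(config, sa_output):
    """The 'no crypto <ver> enable <if>' lines to apply, or [] while tunnels are still up."""
    if not safe_to_disable(sa_output):
        return []
    return [f"no crypto {ver} enable {iface}" for ver, iface in enabled_interfaces(config)]


if __name__ == "__main__":
    for ver, pid, why in weak_policies(parse_ike_policies(SHOW_RUN_CRYPTO)):
        print(f"{ver} policy {pid}: {', '.join(why)}")
    for cmd in remediation_commands(SHOW_RUN_CRYPTO, SHOW_CRYPTO_ISAKMP_SA):
        print(cmd)
```

On a real box, paste the two show outputs into the two strings (or read them from files) instead of the constructed text; the script refuses to emit the 'no crypto ... enable' lines unless both "There are no ... SAs" messages are present, so a site-to-site tunnel that is still in use is not cut off by accident.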

agradminAuthor Commented:
Thanks Pete, the version is 9.8 as follows, so we should be good to go:
Cisco Adaptive Security Appliance Software Version 9.8(2)24


Here's the result of the command; let me know if your thoughts still hold true.

 sh cry isa
There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:             1913224
  In Packets:               3581
  In Drop Packets:          2326
  In Notifys:                  6
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:             860524
  Out Packets:              4473
  Out Drop Packets:            0
  Out Notifys:              3237
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:          3567
  System Capacity Fails:       0
  Auth Fails:               1060
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 8

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                150
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:           15
  In-Negotiation SAs Rejected:             0

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                            1696
  In Packets:                              4
  In Drop Packets:                         4
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:               1500
  Cookie Challenge Threshold:          Never
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
0
Pete LongTechnical ConsultantCommented:
Here's your clue :)

There are no IKEv1 SAs
There are no IKEv2 SAs

Good to go!!
0
agradminAuthor Commented:
Thanks Pete, that's what I thought/hoped, I'll move ahead.
0
Pete LongTechnical ConsultantCommented:
No bother!
0
agradminAuthor Commented:
Good news - Pete has come through yet again! I re-ran a scan after disabling IKE as suggested and it now comes back clean.

Thanks Pete!
1
agradminAuthor Commented:
Thanks to all for their expert input.
0