topic Re: Firewall security on different services in Network Security

Firewall security on different services

M Talha — Fri, 21 Feb 2020 16:05:26 GMT

Dear All,

I have been running webvpn and other services on my Cisco ASA 5510 from a long time. Recently one of the bodies that inspect network security came up with different result concerning week points in my firewall which includes

1. Remote access service detected.

2. Weak diffie-hellman groups identified on vpn devices (currently using group 2)

3. Weak encryption ciphers identified on vpn devices

What should i need to do in order to resolve these week points in my firewall. These are my current crypto configurations.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

Re: Firewall security on different services

Ben Walters — Fri, 10 Aug 2018 15:18:08 GMT

Here is a pretty good document concerning next generation cryptography settings from Cisco:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

Here are the issues in the current crypto config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

encryption des
hash md5
group 2

You should probably switch from 3DES and MD5 to AES-256 and SHA512, as for the DH here are the groups related to the document I linked, I wouldn't use anything below group 14.

Diffie-Hellman group 1 - 768 bit modulus - AVOID

Diffie-Hellman group 2 - 1024 bit modulus - AVOID

Diffie-Hellman group 5 - 1536 bit modulus - AVOID

Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE

Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE

Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

Re: Firewall security on different services

Rob Ingram — Fri, 10 Aug 2018 16:41:57 GMT

Hi,
I agree with Ben, however I don't believe your ASA 5510 will support the latest NGE algorithms due to hardware limitations, so you might be restricted to what algorithms you can use. For example I think you can only use DH group 5, you should be able to use AES instead of DES and SHA instead of MD5.

If your management are that concerned, suggest replacing with a newer 5500-X series, that will support NGE.

HTH

Re: Firewall security on different services

M Talha — Mon, 20 Aug 2018 17:46:52 GMT

Thanks a lot Ben and RJI. It was very helpful what you people suggested.

Regards,

Talha