topic Re: ASA uses crackable transforms in Network Security

ASA uses crackable transforms

Mokhalil82 — Fri, 21 Feb 2020 16:53:42 GMT

I have a PCI compliancy vulnerability that states

"Your firewall/VPN system allows a crackable transform to be used. Transforms are a combination of encryption cipher, hashes, authentication types and mod key exchanges.
This is used to support encryption over a VPN connection. Crackable transforms (e.g. using DES or DH Group 1) could potentially be attacked by users."

How can I go about disabling certain transform sets. I have 3 IPSEC VPNs on the firewalls. One of the VPNs does have DES and 3DES available in the proposal, can I just remove DES from the proposal without affecting the VPN. What other action may be required.

TIA

Re: ASA uses crackable transforms

Rob Ingram — Mon, 04 Mar 2019 17:43:26 GMT

Hi,
Do you control both devices at either end of the VPN?

You need to determine whether those algorithms are actually in use. For those 3 VPN's check the output of
"show crypto ikev1 sa" or "show crypto isakmp sa" and "show crypto ipsec sa" and determine from there which algorithms are in use. If not in use you can remove them.

You should probably look to use at least AES-GCM or AES-CBC encryption, SHA-256 integrity and DH group 19 or 21 etc.

HTH

Re: ASA uses crackable transforms

Mokhalil82 — Wed, 06 Mar 2019 20:59:46 GMT

I don not manage the other end of the VPN, so am I right in saying that I will need to check whether any of the tunnels use an crackable transform, and then liaise with the other party to work on re-configuring both ends to use more secure transforms?

Re: ASA uses crackable transforms

Rob Ingram — Wed, 06 Mar 2019 21:19:20 GMT

Hi,
Yes, that's correct. Using the commands previously provided should identify which tunnel is using what algorithms and you can proceed from there.

HTH