1314
Views
0
Helpful
3
Replies

Firewall security on different services

M Talha
Level 1

Dear All,

I have been running webvpn and other services on my Cisco ASA 5510 for a long time. Recently one of the bodies that inspect network security came up with different results concerning weak points in my firewall, which include:

1. Remote access service detected.

2. Weak diffie-hellman groups identified on vpn devices (currently using group 2)

3. Weak encryption ciphers identified on vpn devices

What do I need to do in order to resolve these weak points in my firewall? These are my current crypto configurations.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

1 Accepted Solution

Ben Walters
Level 3

Here is a pretty good document concerning next generation cryptography settings from Cisco:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

Here are the issues in the current crypto config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

encryption des
hash md5
group 2

You should probably switch from 3DES and MD5 to AES-256 and SHA512. As for DH, here are the groups from the document I linked; I wouldn't use anything below group 14.

Diffie-Hellman group 1  - 768 bit modulus - AVOID
Diffie-Hellman group 2  - 1024 bit modulus - AVOID
Diffie-Hellman group 5  - 1536 bit modulus - AVOID
Diffie-Hellman group 14 - 2048 bit modulus - MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve - ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup - Next Generation Encryption
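To make the advice above checkable, here is an added example (mine, not Cisco's tooling and not from this thread) that audits an ASA crypto configuration for the three weak points the scan reported: DES/3DES and MD5 in the IKEv1 policy and IPsec transform sets, a DH group below 14, and a crypto map that still offers a weak transform set. Both configurations embedded in it are constructed: the first is the crypto section posted in the question, the second is a hardened counterpart written from Ben's recommendations. The keyword spellings in the hardened sample (esp-aes-256, aes-256, sha, group 14) are assumptions about IKEv1 syntax on ASA 8.x, not verified on a 5510; as RJI's reply warns, which groups and SHA-2 variants a given release and platform accept has to be checked on the box.

```python
"""Audit an ASA crypto configuration against the recommendations in this thread.

Added example, not Cisco's own tooling. Flags DES/3DES and MD5, DH groups below
14 (Ben's minimum), and crypto maps that still offer a weak transform set.
"""
import re

# DH group strengths as listed in Ben's reply; anything below 14 is "AVOID".
DH_GROUP_STRENGTH = {
    1: "768 bit modulus", 2: "1024 bit modulus", 5: "1536 bit modulus",
    14: "2048 bit modulus", 19: "256 bit elliptic curve",
    20: "384 bit elliptic curve", 21: "521 bit elliptic curve",
    24: "2048-bit modulus, 256-bit prime order subgroup",
}
MIN_DH_GROUP = 14
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
POLICY_SUBCOMMANDS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Constructed sample: the crypto lines posted in the question.
ORIGINAL_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
"""

# Constructed hardened counterpart following Ben's advice (AES-256, SHA, DH group 14).
# ASSUMPTION: the keyword spellings below are IKEv1 syntax on ASA 8.x; confirm
# against your release and hardware (a 5510 may not offer every group) first.
HARDENED_CONFIG = """\
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES256-SHA
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
"""


def audit_asa_crypto(config_text):
    """Return a list of finding strings; an empty list means nothing weak was found."""
    findings = []
    weak_transform_sets = set()
    map_refs = []      # (map name, [transform-set names offered])
    policy = None      # id of the IKE policy whose sub-commands are being read

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()

        # Sub-commands of an open policy. Pasted configs (as in the post) often lose
        # their indentation, so recognise them by keyword rather than by indent.
        if policy is not None and parts[0] in POLICY_SUBCOMMANDS:
            if parts[0] == "encryption" and parts[1] in WEAK_ENCRYPTION:
                findings.append(f"isakmp policy {policy}: weak encryption {parts[1]}")
            elif parts[0] == "hash" and parts[1] in WEAK_HASH:
                findings.append(f"isakmp policy {policy}: weak hash {parts[1]}")
            elif parts[0] == "group":
                group = int(parts[1])
                if group < MIN_DH_GROUP:
                    strength = DH_GROUP_STRENGTH.get(group, "unknown strength")
                    findings.append(f"isakmp policy {policy}: DH group {group} "
                                    f"({strength}) below group {MIN_DH_GROUP}")
            continue
        policy = None  # any other command ends the policy block

        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue

        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            name, algorithms = m.group(1), m.group(2).split()
            for alg in algorithms:
                if alg in WEAK_ENCRYPTION:
                    findings.append(f"transform-set {name}: weak cipher {alg}")
                    weak_transform_sets.add(name)
                elif alg in WEAK_HASH:
                    findings.append(f"transform-set {name}: weak hash {alg}")
                    weak_transform_sets.add(name)
            continue

        m = re.match(r"crypto (?:dynamic-map|map) (\S+) \d+ set transform-set (.+)$", line)
        if m:
            map_refs.append((m.group(1), m.group(2).split()))

    # A map that still lists a weak transform set keeps it negotiable, even when a
    # strong set is listed ahead of it, so fixing the policy alone is not enough.
    for map_name, names in map_refs:
        for name in names:
            if name in weak_transform_sets:
                findings.append(f"map {map_name}: still offers weak transform-set {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_asa_crypto(cfg))} finding(s)")
        for finding in audit_asa_crypto(cfg):
            print("  -", finding)
```

Run against the posted configuration it reports eight findings (three in the transform sets, three in policy 10, and two for the dynamic map that still offers both weak transform sets); the hardened sample reports none. Paste the output of `show running-config crypto` into `ORIGINAL_CONFIG` to check a real box the same way.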


3 Replies


Hi,
I agree with Ben; however, I don't believe your ASA 5510 will support the latest NGE algorithms due to hardware limitations, so you might be restricted in which algorithms you can use. For example, I think you can only use DH group 5; you should be able to use AES instead of DES and SHA instead of MD5.

If your management are that concerned, I'd suggest replacing it with a newer 5500-X series, which will support NGE.

HTH

Thanks a lot Ben and RJI. What you suggested was very helpful.

Regards,

Talha
