07-10-2018 01:15 PM - edited 02-21-2020 07:58 AM
I have an ASA 5508-X and my bank offers a complimentary service to scan my network for PCI compliance. Everything has been good for a couple of years now. But last month it failed. I checked the results and my IPSec and SSH ciphers were failing. I upped my IPSec to IKEv2 group 14 and moved to AES and SHA256 and that is now passing. However, the SSH keys are still failing. I set the ciphers to 'only high' options and I put the SSH key exchange to group 14. And just for kicks, I set the RSA keys to 4096 strength. Even now the unit is still failing the PCI Scan for the SSH keys and I am not sure what I can do.
I am on ASA 9.8 (2). Here is my SSH Running Config:
aaa authentication ssh console LOCAL
no ssh stricthostkeycheck
ssh Y.Y.Y.Y 255.255.255.255 outside
ssh X.X.X.X 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
Here is the vendor's 'failed' message:
Description:
SSH data integrity is protected by including with each packet a MAC that is computed from a shared secret, packet sequence number, and the contents of the packet. The algorithms supported by this SSH server use cryptographically weak hashing (MAC) algorithms for data integrity.
Remediation:
Configure the SSH service to no longer support weak hashing algorithms (aka: MACs)
Now, I do not see a way to do that with the current contexts. Is there an ASA update from 9.8 that will support higher SSH hashing algorithms? Or maybe by turning it to high, I still need to somehow disable the weaker ones?
Thanks.
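The scanner's description above is a paraphrase of RFC 4253 section 6.4: the MAC is computed over the implicit packet sequence number concatenated with the unencrypted packet, and the "-96" variants truncate the tag to 96 bits. The following is an added example (not code from the thread or from Cisco) that builds a small SSH binary packet and computes the tag with each of the four MAC names the ASA offers, showing the sequence-number binding and the truncation; the key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Hash function and tag length in bytes for the MAC names the ASA lists
# (RFC 4253 section 6.4; the "-96" variants keep only the first 96 bits).
MAC_ALGORITHMS = {
    "hmac-sha1":    (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5":     (hashlib.md5, 16),
    "hmac-md5-96":  (hashlib.md5, 12),
}


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Assemble an unencrypted SSH binary packet (RFC 4253 section 6):
    uint32 packet_length, byte padding_length, payload, padding.
    Padding is at least 4 bytes and pads the whole packet to a multiple of
    block_size. Zero padding is used here so the example is reproducible;
    a real implementation uses random padding bytes."""
    padding = block_size - ((4 + 1 + len(payload)) % block_size)
    if padding < 4:
        padding += block_size
    packet_length = 1 + len(payload) + padding
    return struct.pack(">IB", packet_length, padding) + payload + b"\x00" * padding


def ssh_mac(name: str, key: bytes, sequence_number: int, packet: bytes) -> bytes:
    """mac = MAC(key, sequence_number || unencrypted_packet), as RFC 4253 defines it.
    The sequence number is a uint32 each side tracks locally; it is never sent,
    which is what ties a tag to one position in the stream."""
    hash_fn, tag_len = MAC_ALGORITHMS[name]
    data = struct.pack(">I", sequence_number) + packet
    return hmac.new(key, data, hash_fn).digest()[:tag_len]


def verify_mac(name: str, key: bytes, sequence_number: int, packet: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received tag against the recomputed one."""
    return hmac.compare_digest(ssh_mac(name, key, sequence_number, packet), tag)


def tag_bits(name: str) -> int:
    """Effective tag size in bits for a MAC name, e.g. 96 for hmac-sha1-96."""
    return MAC_ALGORITHMS[name][1] * 8


if __name__ == "__main__":
    key = bytes(range(20))              # constructed sample integrity key
    packet = build_packet(b"hello")     # constructed sample payload
    for name in MAC_ALGORITHMS:
        tag = ssh_mac(name, key, 7, packet)
        print(f"{name:13s} tag_bits={tag_bits(name):3d} tag={tag.hex()}")
    tag = ssh_mac("hmac-sha1", key, 7, packet)
    print("same seq verifies:", verify_mac("hmac-sha1", key, 7, packet, tag))
    print("next seq verifies:", verify_mac("hmac-sha1", key, 8, packet, tag))
```

Running it shows that hmac-sha1-96 is exactly the first 12 bytes of the hmac-sha1 tag, and that a tag computed for one sequence number does not verify at another, which is the property the MAC is there to provide. What the scanner objects to is not this construction but the underlying hash families (MD5, SHA-1) and the 96-bit truncation; the ASA release in the thread offers nothing else.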
07-10-2018 05:57 PM
can you do
HUB#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha1 Session started user
0 2.0 OUT aes256-ctr hmac-sha1 Session started user
this should tell you what MAC you are using. (like hmac above)
you can change to:
HUB(config)#ip ssh client algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
and that is pretty much the flavours you have
07-10-2018 06:11 PM
Thanks for the reply. I am not seeing those commands or any items close to it. I believe you are working on an older ASA or a router.
07-10-2018 11:37 PM
The scan report doesn't tell you what is an acceptable hash?
As of right now, here're the supported algorithms on an ASA (an ASAv running the current latest release 9.9(2) in this case):
cielab-asa# sh ver | i bin
System image file is "disk0:/asa992-smp-k8.bin"
ccielab-asa# sh ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
ccielab-asa#
You can check what your session has negotiated with the command
show ssh sessions detail
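To turn the `show ssh ciphers` output above into a compliance check, the following added example (written for this thread, not Cisco's or the scanner's code) parses that output and reports, for each `ssh cipher integrity` level, which MACs a scanner of the kind described in the original post would flag. The policy used is an assumption labelled in the code: HMACs built on MD5 or SHA-1, and any 96-bit truncated tag, count as weak; SHA-2 based HMACs are accepted, so the same check can be re-run against the output of a newer release.

```python
import re

# "show ssh ciphers" output as posted in the thread for ASA 9.9(2),
# embedded here as the sample input.
SHOW_SSH_CIPHERS = """\
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
"""

# Assumed scanner policy (the thread's finding says only "weak hashing"):
# MACs on these hash families are flagged, as is any 96-bit truncated tag.
WEAK_HASHES = {"md5", "sha1"}

SECTION_HEADERS = {
    "Encryption Algorithms:": "encryption",
    "Integrity Algorithms:": "integrity",
}
LEVEL_LINE = re.compile(r"^(\w+):\s*(.*)$")
MAC_NAME = re.compile(r"^hmac-(md5|sha1|sha2-256|sha2-512)(-96)?(@[\w.]+)?$")


def parse_show_ssh_ciphers(text: str) -> dict:
    """Return {"encryption": {level: [alg, ...]}, "integrity": {...}}."""
    parsed = {"encryption": {}, "integrity": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        match = LEVEL_LINE.match(line)
        if section and match:
            level, algs = match.groups()
            parsed[section][level] = algs.split()
    return parsed


def weak_reasons(mac: str) -> list:
    """Reasons the assumed policy flags a MAC name; empty means accepted."""
    match = MAC_NAME.match(mac)
    if not match:
        return [f"unrecognized MAC name {mac!r}"]
    hash_name, truncated, _ = match.groups()
    reasons = []
    if hash_name in WEAK_HASHES:
        reasons.append(f"{hash_name.upper()}-based HMAC")
    if truncated:
        reasons.append("tag truncated to 96 bits")
    return reasons


def integrity_report(parsed: dict) -> dict:
    """Per integrity level: {mac: [reasons]} for every flagged MAC."""
    report = {}
    for level, macs in parsed["integrity"].items():
        flagged = {m: weak_reasons(m) for m in macs}
        report[level] = {m: r for m, r in flagged.items() if r}
    return report


def compliant_integrity_levels(parsed: dict) -> list:
    """Levels whose MAC set contains nothing the policy flags."""
    return [lvl for lvl, flagged in integrity_report(parsed).items() if not flagged]


if __name__ == "__main__":
    parsed = parse_show_ssh_ciphers(SHOW_SSH_CIPHERS)
    for level, flagged in integrity_report(parsed).items():
        status = "PASS" if not flagged else "FAIL"
        print(f"ssh cipher integrity {level:6s} -> {status}")
        for mac, reasons in flagged.items():
            print(f"    {mac}: {', '.join(reasons)}")
    print("levels that would pass:", compliant_integrity_levels(parsed) or "none")
```

Against the 9.9(2) output every level, including `high` and `fips`, fails because each still contains hmac-sha1, which matches the thread's conclusion that no `ssh cipher integrity` setting on that release removes the SHA-1 family MACs; feeding the script output from a release that lists hmac-sha2-256 would show which level to pick.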
07-11-2018 06:49 AM
I appreciate that info. By this then, there is no way to get the 5508-X firewall to be PCI compliant and I really don't believe that is the case. I will need to work with the PCI scanning vendor and figure out if I am not reading it correctly or if their scans are not working properly.
What is fips, and should I worry about it in this scenario?
07-11-2018 08:16 PM
FIPS is an abbreviation for Federal Information Processing Standard.
There are several standards describing security guidelines (notably FIPS 140-1 and 140-2). Using "FIPS mode" turns on the applicable settings for the ASA. It also includes other measures which must be followed such as physical security and tamper-proofing.