08-09-2018 11:05 PM - edited 02-21-2020 08:05 AM
Dear All,
I have been running WebVPN and other services on my Cisco ASA 5510 for a long time. Recently one of the bodies that inspect network security came up with a different result concerning weak points in my firewall, which include:
1. Remote access service detected.
2. Weak Diffie-Hellman groups identified on VPN devices (currently using group 2).
3. Weak encryption ciphers identified on VPN devices.
What do I need to do in order to resolve these weak points in my firewall? These are my current crypto configurations:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
Accepted Solutions
08-10-2018 08:18 AM
Here is a pretty good document from Cisco concerning next-generation cryptography settings:
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
Here are the issues in the current crypto config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
encryption des
hash md5
group 2
You should probably switch from 3DES and MD5 to AES-256 and SHA-512. As for the DH groups, see the document I linked; I wouldn't use anything below group 14.
08-10-2018 09:41 AM
I agree with Ben; however, I don't believe your ASA 5510 will support the latest NGE algorithms due to hardware limitations, so you might be restricted in which algorithms you can use. For example, I think you can only use DH group 5; you should be able to use AES instead of DES and SHA instead of MD5.
If your management are that concerned, I suggest replacing it with a newer 5500-X series, which will support NGE.
HTH
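As an added example (not from Ben, RJI or the original poster), here is what the change discussed in the two answers above looks like in the pre-8.4 ASA syntax the original configuration uses: a strong IKE policy and transform set are added first, the dynamic map is pointed only at the strong set, and the weak policy and transform sets are removed afterwards. It assumes the image accepts `aes-256`, `group 14` and `set pfs group14`; if the 5510's software rejects group 14 (RJI's point), `group 5` / `set pfs group5` is the fallback. The transform-set name ESP-AES256-SHA and policy sequence number 5 are illustrative.

```cisco
! --- Weak settings from the original post (for comparison) ---
! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! crypto isakmp policy 10
!  encryption des
!  hash md5
!  group 2

! --- Step 1: add the strong phase-2 (IPsec) transform set ---
! Name ESP-AES256-SHA is an assumption; esp-sha-hmac is SHA-1 in this syntax.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Step 2: make the dynamic map use only the strong set and a strong PFS group ---
! "set pfs" with no group defaults to group 2 on the ASA, which the scanner flags.
! group14 assumed supported; substitute group5 if the image rejects it.
crypto dynamic-map Outside_dyn_map 20 set pfs group14
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES256-SHA

! --- Step 3: add a strong phase-1 (IKEv1) policy with a lower sequence number ---
! Lower sequence numbers are tried first, so this is preferred over policy 10.
! "hash sha" is SHA-1; SHA-2 integrity for IKE requires IKEv2 (ASA 8.4+).
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! --- Step 4: verify that peers and remote-access clients now negotiate the strong policy ---
! Encryption/Hash/DH group are shown per SA; anything still on des/md5/group 2 is a client
! or peer that must be updated before Step 5.
show crypto isakmp sa detail
show crypto ipsec sa

! --- Step 5: only after every peer has moved, remove the weak policy and transform sets ---
! Removing them before the peers have moved drops those tunnels.
no crypto isakmp policy 10
no crypto ipsec transform-set ESP-3DES-SHA
no crypto ipsec transform-set ESP-DES-MD5

! --- Confirm nothing weak remains in the running config ---
show running-config crypto
```

Two practical notes. Order matters: adding the strong policy and transform set before removing the weak ones lets existing tunnels re-key onto the new proposals without an outage, and `show crypto isakmp sa detail` tells you which peers are still using the old ones. Also, the IPsec settings above do not cover the SSL side of WebVPN; on this syntax the SSL/TLS cipher list is controlled separately by the `ssl encryption` command, so a "weak ciphers on VPN device" finding should be checked there as well.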
08-20-2018 10:46 AM
Thanks a lot, Ben and RJI. What you suggested was very helpful.
Regards,
Talha
