11-30-2012 08:23 AM - edited 03-11-2019 05:30 PM
Customer had a scan done, and two things popped out that need to be resolved. So just wondering if the fix is to upgrade the IOS to 8.4 code from 8.0(33), or if there is something to change in the configuration. They use SSL VPN service, and EZVPN/ClientVPN, which appears to be where the below is coming from.
First one is
BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained
initialization vectors. This allows an attacker, who has gotten
access to an HTTPS session via man-in-the-middle (MITM) attacks or
other means, to obtain plain text HTTP headers via a blockwise
chosen-boundary attack (BCBA) in conjunction with Javascript code
that uses the HTML5 WebSocket API, the Java URLConnection API,
or the Silverlight WebClient API. This vulnerability is more commonly
referred to as Browser Exploit Against SSL/TLS or "BEAST".
Second is
Aggressive Mode IKE supported on VPN Device
The remote host is a VPN concentrator that supports Aggressive
mode IKE. By creating a series of IKE aggressive mode proposals,
and sending those proposals to the VPN concentrator, an acceptable
proposal for Aggressive Mode IKE was discovered. In Aggressive
Mode IKE, the response from the VPN concentrator includes an
authentication hash based on a pre-shared key (PSK). This hash is
not encrypted, so if it is captured in transit, a dictionary or brute force
attack against the hash can potentially allow for the recovery of the
PSK, and the exposure of potentially sensitive information from VPN
sessions. In rare cases where the PSK is the sole means for
authentication to the VPN, attackers can use it to authenticate against
the VPN and intrude the network
12-03-2012 12:06 AM
For the time being regarding beast:
http://blogs.cisco.com/security/beat-the-beast-with-tls/
and
http://blog.phonefactor.com/2011/09/23/slaying-beast-mitigating-the-latest-ssltls-vulnerability/
If you have legacy Cisco VPN client you will most likely rely on Aggressive mode for connection.
You can migrate to Main Mode (using certificates for authentication) or move to IKEv2+AnyConnect.
M.
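
An added example, not part of the thread and not Cisco tooling: a Python check that reads a saved ASA running-config and reports the settings behind the two scan findings above. It assumes the ASA keywords `crypto isakmp am-disable` (`crypto ikev1 am-disable` from 8.4 on), `ssl encryption`, and `pre-shared-key` under `tunnel-group ... ipsec-attributes`; the sample configuration and its names are constructed.

```python
import re

# CBC suite names as they appear on an ASA 8.x "ssl encryption" line (assumed set).
CBC_SUITES = {"aes128-sha1", "aes256-sha1", "3des-sha1", "des-sha1"}
AM_DISABLE = re.compile(r"^crypto (isakmp|ikev1) am-disable$")
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_LINE = re.compile(r"^\s+(ikev1 )?pre-shared-key\s")

# Constructed sample config; the group and trust-point names are hypothetical.
SAMPLE_CONFIG = """\
ssl encryption rc4-sha1 aes128-sha1 3des-sha1
crypto isakmp enable outside
tunnel-group EZVPN-USERS type remote-access
tunnel-group EZVPN-USERS ipsec-attributes
 pre-shared-key *
tunnel-group CERT-USERS ipsec-attributes
 trust-point CA1
"""

def audit_asa_config(text):
    """Report the settings behind the BEAST and aggressive-mode findings."""
    am_disabled, cbc_offered, psk_groups, group = False, [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():
            # Indented line: belongs to the current tunnel-group block, if any.
            if group and PSK_LINE.match(line) and group not in psk_groups:
                psk_groups.append(group)
            continue
        # Top-level line: closes any open block.
        m = TUNNEL_GROUP.match(line)
        group = m.group(1) if m else None
        if AM_DISABLE.match(line):
            am_disabled = True
        elif line.startswith("ssl encryption "):
            cbc_offered = [c for c in line.split()[2:] if c in CBC_SUITES]
    return {
        "aggressive_mode_disabled": am_disabled,
        # The PSK-based hash is only sent unencrypted while aggressive mode is on.
        "psk_groups_exposed": [] if am_disabled else psk_groups,
        "cbc_suites_offered": cbc_offered,
    }

if __name__ == "__main__":
    for key, value in audit_asa_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A non-empty `psk_groups_exposed` list names the groups to migrate before aggressive mode is turned off, since legacy clients using those groups depend on it.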