cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1412
Views
0
Helpful
1
Replies

PCI Compliancy assistance for SSL and ISAKMP

tahequivoice
Explorer
Explorer

Customer had a scan done, and two things popped out that need to be resolved.  So just wondering if the fix is to upgrade the IOS to 8.4 code from 8.0(33), or if there is something to change in the configuration.  They use SSL VPN service, and EZVPN/ClientVPN, which appears to be where the below is coming from.

First one is

BEAST (Browser Exploit Against SSL/TLS) Vulnerability

The SSL protocol encrypts data by using CBC mode with chained

initialization vectors. This allows an attacker, which is has gotten

access to an HTTPS session via man-in-the-middle (MITM) attacks or

other means, to obtain plain text HTTP headers via a blockwise

chosen-boundary attack (BCBA) in conjunction with Javascript code

that uses the HTML5 WebSocket API, the Java URLConnection API,

or the Silverlight WebClient API. This vulnerability is more commonly

referred to as Browser Exploit Against SSL/TLS or "BEAST".

Second is

Aggressive Mode IKE supported on VPN Device

The remote host is a VPN concentrator that supports Aggressive

mode IKE. By creating a series of IKE aggressive mode proposals,

and sending those proposals to the VPN concentrator, an acceptable

proposal for Aggressive Mode IKE was discovered. In Aggressive

Mode IKE, the response from the VPN concentrator includes an

authentication hash based on a pre-shared key (PSK). This hash is

not encrypted, so if it is captured in transit, a dictionary or brute force

attack against the hash can potentially allow for the recovery of the

PSK, and the exposure potentially sensitive information from VPN

sessions. In rare cases where the PSK is the sole means for

authentication to the VPN, attackers can use it to authenticate against

the VPN and intrude the network

1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

For the time being regarding beast:

http://blogs.cisco.com/security/beat-the-beast-with-tls/

and

http://blog.phonefactor.com/2011/09/23/slaying-beast-mitigating-the-latest-ssltls-vulnerability/

If you have legacy Cisco VPN client you will most likely rely on Aggressive mode for connection.

You can migrate to Main Mode (using certificates for authentcation) or move to IKEv2+Anyconnect.

M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers