Customer had a scan done, and two things popped out that need to be resolved. So just wondering if the fix is to upgrade the IOS to 8.4 code from 8.0(33), or if there is something to change in the configuration. They use SSL VPN service, and EZVPN/ClientVPN, which appears to be where the below is coming from.
First one is
BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained
initialization vectors. This allows an attacker, which has gotten
access to an HTTPS session via man-in-the-middle (MITM) attacks or
other means, to obtain plain text HTTP headers via a blockwise
chosen-boundary attack (BCBA) in conjunction with Javascript code
that uses the HTML5 WebSocket API, the Java URLConnection API,
or the Silverlight WebClient API. This vulnerability is more commonly
referred to as Browser Exploit Against SSL/TLS or "BEAST".
Second is
Aggressive Mode IKE supported on VPN Device
The remote host is a VPN concentrator that supports Aggressive
mode IKE. By creating a series of IKE aggressive mode proposals,
and sending those proposals to the VPN concentrator, an acceptable
proposal for Aggressive Mode IKE was discovered. In Aggressive
Mode IKE, the response from the VPN concentrator includes an
authentication hash based on a pre-shared key (PSK). This hash is
not encrypted, so if it is captured in transit, a dictionary or brute force
attack against the hash can potentially allow for the recovery of the
PSK, and the exposure of potentially sensitive information from VPN
sessions. In rare cases where the PSK is the sole means for
authentication to the VPN, attackers can use it to authenticate against
the VPN and intrude into the network.
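
Added example, not part of the original post: the second finding can be confirmed from a packet capture by reading the ISAKMP header (RFC 2408) and checking whether an Aggressive Mode message carries a HASH payload with the encryption flag clear, whereas Main Mode sends its identity and hash messages encrypted. The names `inspect_isakmp` and `build` and both sample messages are constructed for illustration, and the input is assumed to be the UDP/500 payload (no NAT-T marker).

```python
import struct

# RFC 2408 section 3.1: cookies, next payload, version, exchange type,
# flags, message ID, total length (28 bytes).
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}

def inspect_isakmp(pkt: bytes) -> dict:
    """Classify one IKEv1 message (UDP/500 payload) and list cleartext payloads."""
    if len(pkt) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, nxt, ver, xchg, flags, _mid, length = HDR.unpack_from(pkt)
    if ver >> 4 != 1 or not HDR.size <= length <= len(pkt):
        raise ValueError("not a complete IKEv1 message")
    encrypted = bool(flags & 0x01)  # encryption bit: body is ciphertext
    payloads, off = [], HDR.size
    # The payload chain can only be walked when the body is in the clear.
    while nxt and not encrypted:
        if off + 4 > length:
            raise ValueError("truncated payload header")
        nxt_after, _reserved, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = nxt_after, off + plen
    mode = EXCHANGE.get(xchg, str(xchg))
    return {"mode": mode, "encrypted": encrypted, "payloads": payloads,
            "hash_in_clear": mode == "aggressive" and "HASH" in payloads}

def build(xchg: int, flags: int, chain: list) -> bytes:
    """Hypothetical helper: assemble a constructed message from (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return HDR.pack(b"I" * 8, b"R" * 8, chain[0][0], 0x10, xchg, flags, 0,
                    HDR.size + len(body)) + body

# Constructed samples (zero-filled bodies, not captured traffic).
AGGRESSIVE_REPLY = build(4, 0x00, [(1, bytes(8)), (4, bytes(16)),
                                   (10, bytes(16)), (5, bytes(8)), (8, bytes(20))])
MAIN_MODE_MSG5 = build(2, 0x01, [(5, bytes(32))])

if __name__ == "__main__":
    for name, pkt in [("aggressive reply", AGGRESSIVE_REPLY),
                      ("main mode msg 5", MAIN_MODE_MSG5)]:
        print(name, inspect_isakmp(pkt))
```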