02-12-2016 12:13 PM - edited 03-10-2019 12:35 AM
The subject advisory would require memory upgrades to a few of our affected devices, and that process will take too long. These devices run both remote access for users as well as LAN-to-LAN tunnels. Since remote access for users is not important, if we disable remote access, are the devices still vulnerable to attack from the outside world? I realize the boxes are vulnerable because of the LAN-to-LAN VPN config, but we're not that concerned about an attack originating from inside our network.
So the question is: does eliminating remote access limit our vulnerability to attacks from the inside only?
thanks
kj
02-12-2016 07:18 PM
It is binding IPsec IKEv1 to the interface that presents the vulnerability.
So as long as you have site-to-site or the old IPsec IKEv1 clients being used on the outside interface, you will have a publicly identified vulnerability.
It's no less if you disable client access.
02-12-2016 07:41 PM
Thanks, Marvin -- that's what we feared, but we were hoping.
What if we were to put a filter in place that only allows IKE between the peer addresses, blocks all other UDP 500/4500, and applies the ACL to the control plane of the outside interface?
02-13-2016 02:48 AM
That's a good question re your suggested workaround.
While the SA says "there are no workarounds", your approach would seem to make sense - if you take care, as you noted, to use a control-plane type ACL.
Cisco may have a reason for stating it like they did, but I would think that your approach would be at the very least a good compensating control (as they say in PCI) while you wait for the memory upgrade to move to a fixed version.
Let us know how that works out for you.
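The compensating control discussed above, written out as an ASA configuration. This is an added example, not from the thread and not Cisco's recommended workaround; the ACL name OUTSIDE-CP, the interface name "outside", and all addresses (ASA outside 198.51.100.1, peers 203.0.113.10 and 203.0.113.20, all from documentation ranges) are assumptions. It permits IKE and NAT-T (UDP 500/4500) only from the known LAN-to-LAN peers, drops them from every other source (which also shuts out the IKEv1 remote-access clients, as intended), and then permits everything else so that ESP from the peers and management traffic to the box keep working, since the control-plane ACL's implicit deny would otherwise drop them.

```text
! Added example (not from the thread or from Cisco): control-plane ACL on a Cisco ASA
! that limits IKE/NAT-T on the outside interface to known LAN-to-LAN peers.
! Assumed addresses: ASA outside interface 198.51.100.1; peers 203.0.113.10, 203.0.113.20.
access-list OUTSIDE-CP remark -- permit IKE (500) and NAT-T (4500) only from known L2L peers
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP remark -- drop IKE/NAT-T from everyone else, remote-access clients included
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500
access-list OUTSIDE-CP remark -- leave all other to-the-box traffic (ESP from peers, management) as before
access-list OUTSIDE-CP extended permit ip any any
!
! Apply it to traffic destined to the box itself on the outside interface, not to through traffic
access-group OUTSIDE-CP in interface outside control-plane
!
! Verify: the peer permit lines should accumulate hits as the tunnels rekey, and the deny
! lines should show hits when an unknown source attempts IKE.
! show access-list OUTSIDE-CP
```

Two caveats a practitioner should keep in mind. First, this is a source-address filter on a connectionless protocol: a packet spoofed from a peer's address still reaches the IKE daemon, so the ACL narrows the exposure to anyone who can spoof (or compromise) a peer rather than closing it, which is consistent with Cisco listing no workaround. Second, the trailing `permit ip any any` should be reviewed against whatever to-the-box access policy already exists on the interface; if an existing control-plane ACL is in place, merge these lines into it rather than replacing it.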