Advisory ID: cisco-sa-20160210-asa-ike

krjohnson
Level 1

The subject advisory would require memory upgrades to a few of our affected devices and that process will take too long. These devices run both remote access for users as well as lan-to-lan tunnels. Since remote access for users is not important, if we disable remote access are the devices still vulnerable to attack from the outside world? I realize the boxes are vulnerable because of the lan-to-lan vpn config but we're not that concerned about an attack originating from inside our network.

So the question is, does eliminating remote access lessen our vulnerability to only attacks from the inside?

thanks

kj

3 Replies

Marvin Rhoads
Hall of Fame

It is binding IPsec IKEv1 to the interface that presents the vulnerability.

So as long as you have site-site or the old IPsec IKEv1 clients being used on the outside interface, you will have a publicly identified vulnerability.

It's no less if you disable client access.

Thanks Marvin -- that's what we feared, but we were hoping.

What if we were to put a filter in place that only allows IKE between the peer addresses, blocks all other udp 500/4500, and apply the ACL to the control plane of the outside interface.

That's a good question re your suggested workaround.

While the SA says "there are no workarounds", your approach would seem to make sense - if you take care as you noted to use a control plane type ACL.

Cisco may have a reason for stating it like they did; but I would think that your approach would be at the very least a good compensating control (as they say in PCI) while you wait for the memory upgrade to move to a fixed version.

Let us know how that works out for you.
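The control-plane ACL workaround discussed in this thread, written out as an added example (this is not configuration posted by either participant, and it is not a Cisco-sanctioned workaround; the advisory itself lists none). Peer addresses in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, the interface name "outside", the outside interface address, and the ACL and object-group names are all assumed placeholders; substitute your own.

```cisco
! Added example: restrict IKE (UDP 500 / 4500) on the outside interface to known
! LAN-to-LAN peers only, as a compensating control until the fixed release is installed.
! All addresses, names and the interface name below are assumptions for illustration.

! Known site-to-site peers (assumed addresses)
object-group network IPSEC-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.20

! Permit IKE from the listed peers to this ASA's outside address (assumed 198.51.100.1),
! deny IKE from everyone else, and leave all other to-the-box traffic alone.
! Order matters: the peer permits must precede the denies, and the final
! "permit ip any any" is required because a control-plane ACL, like any ASA ACL,
! ends with an implicit deny.
access-list OUTSIDE-CP extended permit udp object-group IPSEC-PEERS host 198.51.100.1 eq 500
access-list OUTSIDE-CP extended permit udp object-group IPSEC-PEERS host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 500
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit ip any any

! Apply to traffic destined to the ASA itself on the outside interface
! (the "control-plane" keyword is what makes this a to-the-box filter rather
! than a through-the-box filter).
access-group OUTSIDE-CP in interface outside control-plane
```

Two things to check after applying it: confirm the existing tunnels still come up and that unsolicited IKE from elsewhere now accumulates hits on the deny lines (`show access-list OUTSIDE-CP` shows the per-line hit counts), and repeat the exercise for every interface that has a crypto map bound, not only "outside". The filter is only as strong as the source-address check, so a packet that spoofs a listed peer's address still reaches the IKE process; that is why this is a compensating control rather than a fix.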