06-04-2018 01:28 PM - edited 03-12-2019 05:20 AM
Good day,
We currently have a customer that requires PCI DSS compliance for their network and as such are hardening their routers.
There are branch routers at different sites that provide VPN services back to the main site. The customer requires that the PSK for the site to site VPNs change every 3 months as part of them becoming PCI DSS compliant.
Two Questions:
1. Is there any way to automate this process?
2. Can this be done without any downtime?
Also, if there isn't a way to do this via PSK, then what would be the better option between digital certificates and RSA encrypted nonces?
06-04-2018 04:01 PM
Hi,
You could use your Network Management software (Prime or SolarWinds, etc.) to modify the PSK, or alternatively, if you are any good at scripting, you could use a Python/Ansible script to log in to the devices and modify the config.
I've just run a quick test in my lab, on a FlexVPN Hub and spoke configuration. I changed the PSK on the 2 routers, no downtime was experienced when entering the new PSK. The PSK would only be used when the IKE SA is renegotiated, which would depend on the lifetime value configured. So therefore I'd conclude no downtime should be experienced as long as you've successfully pushed out the new PSK to both the Hub and Spoke.
Certificates are considered more secure and scalable, but ultimately more complex to implement and support. Depending on how many spoke routers you are managing, unique PSKs could become painful. If you had a RADIUS server and were using FlexVPN, you could implement AAA-based PSK, so you'd manage the PSK change centrally.
HTH
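The scripted rotation suggested above, as an added example that is not code from the thread: it generates a fresh PSK, renders the IOS-XE IKEv2 keyring update for the hub and the spoke, and pushes it over SSH. The keyring and peer names (HUB-KEYRING, SPOKE-KEYRING, HUB, SPOKE), the addresses and the use of netmiko for the push are assumptions; netmiko is only imported when a push actually happens, so the planning functions run offline.

```python
"""Rotate a FlexVPN (IKEv2) pre-shared key on a hub and a spoke.

Added example. Assumes each router has one IKEv2 keyring with a single
peer entry for the far end; keyring and peer names are placeholders.
"""
import secrets
import string

# Letters and digits only: avoids characters the IOS CLI treats specially ('?', '!').
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(length: int = 32) -> str:
    """Return a random PSK containing at least one letter and one digit."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk):
            return psk


def render_keyring_config(keyring: str, peer: str, peer_address: str, psk: str) -> list:
    """IOS-XE commands replacing the PSK for one peer in an IKEv2 keyring.

    Established IKE SAs keep running; the new key is only used at the next
    IKE rekey, so both ends must receive it before the IKE lifetime expires.
    """
    return [
        f"crypto ikev2 keyring {keyring}",
        f" peer {peer}",
        f"  address {peer_address}",
        f"  pre-shared-key {psk}",
    ]


def build_rotation(hub_ip: str, spoke_ip: str, psk: str = None):
    """Plan one rotation: the same new PSK rendered for each router."""
    psk = psk or generate_psk()
    return psk, {
        hub_ip: render_keyring_config("HUB-KEYRING", "SPOKE", spoke_ip, psk),
        spoke_ip: render_keyring_config("SPOKE-KEYRING", "HUB", hub_ip, psk),
    }


def push(host: str, commands: list, username: str, password: str) -> str:
    """Push the commands over SSH and save the config (needs netmiko)."""
    from netmiko import ConnectHandler  # lazy import keeps dry runs dependency-free
    with ConnectHandler(device_type="cisco_xe", host=host,
                        username=username, password=password) as conn:
        output = conn.send_config_set(commands)
        conn.save_config()
    return output


if __name__ == "__main__":
    new_psk, plan = build_rotation("203.0.113.1", "203.0.113.2")  # constructed addresses
    for host, cmds in plan.items():
        print(f"--- {host} ---\n" + "\n".join(cmds))
```

Run the dry run first, then push to hub and spoke back to back so both hold the new key well before the next IKE rekey; schedule it every 90 days to meet the customer's requirement.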