Cisco 837 - Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

whiteford
Level 1

This threat seems to want me to turn off aggressive mode. Does anyone know what this means?

THREAT:

IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:

Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.

SOLUTION:

IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.

2 Replies

Richard Burts
Hall of Fame

Andy

IKE is part of IPSec and provides the service of negotiating working keys and Security Associations for IPSec as was referenced in the explanation of the vulnerability. IKE operates in 2 phases and in phase 1 there is an option for Aggressive Mode, which accomplishes the negotiation with fewer exchanges of messages. By default Cisco routers prefer to not use aggressive mode, but will respond to aggressive mode if that is presented by the peer. It is my understanding that the VPN client frequently uses aggressive mode. And I am not aware of any way on the router to turn off support for aggressive mode. My suggestion to you is to review the preshared keys that are used and then to say: "The risk was considered as acceptable"

HTH

Rick

Hi Rick, I don't know why, but only 2 837s (out of about 10) have this vulnerability; the only difference is that they are on SDSL lines and not ADSL lines like the others.
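To confirm from a packet capture which routers actually answer Aggressive Mode (the condition the scan report flags), the sketch below reads the ISAKMP header of each UDP/500 payload and lists the hosts that replied to an Aggressive Mode request. It is an added example, not part of the original thread or any Cisco tool; the function names, addresses and cookies are constructed for illustration, and it assumes payloads have already been extracted from the capture.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408): cookies, next payload, version,
# exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE = 2, 4          # RFC 2408 exchange type values
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp_header(payload: bytes) -> dict:
    """Parse the ISAKMP header from a UDP/500 payload (IKEv1 only)."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _np, version, exchange, _flags, _mid, _len = \
        HEADER.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    return {"icookie": icookie, "rcookie": rcookie, "exchange": exchange}


def aggressive_responders(packets) -> set:
    """Return source addresses that answered an Aggressive Mode request."""
    initiators = {}      # initiator cookie -> address that opened the exchange
    responders = set()
    for src, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue     # not a parseable IKEv1 message
        if hdr["exchange"] != AGGRESSIVE:
            continue
        if hdr["rcookie"] == ZERO_COOKIE:
            initiators[hdr["icookie"]] = src          # first message
        elif initiators.get(hdr["icookie"], src) != src:
            responders.add(src)                       # reply from the peer
    return responders


def _msg(icookie, rcookie, exchange):
    """Build a constructed header-only ISAKMP message for the sample."""
    return HEADER.pack(icookie, rcookie, 1, 0x10, exchange, 0, 0, HEADER.size)


# Constructed sample: (source address, UDP payload). 192.0.2.10 is the tester.
SAMPLE = [
    ("192.0.2.10", _msg(b"A" * 8, ZERO_COOKIE, AGGRESSIVE)),
    ("192.0.2.1", _msg(b"A" * 8, b"R" * 8, AGGRESSIVE)),    # router answers
    ("192.0.2.10", _msg(b"B" * 8, ZERO_COOKIE, AGGRESSIVE)),  # no answer
    ("192.0.2.10", _msg(b"C" * 8, ZERO_COOKIE, MAIN_MODE)),
    ("192.0.2.2", _msg(b"C" * 8, b"S" * 8, MAIN_MODE)),     # Main Mode only
]
```

Running `aggressive_responders(SAMPLE)` reports only 192.0.2.1, the one host in the constructed sample that answered the Aggressive Mode request.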
