Disable DES on Cisco Concentrator?

Aug 16th, 2007

Hi, we have a potential vulnerability on our Cisco Concentrator, can I disable DES?


Weak IPsec Encryption Settings port 500/udp

THREAT:

This host contains an ISAKMP/IKE key exchange server to negotiate encryption keys for IPsec Virtual Private Networks (VPNs). The configuration of the server allows clients to establish VPN connections with insecure encryption settings or key lengths. Once established, these connections may allow remote malicious users with access to the VPN data stream to recover the session key used in the connection by performing brute-force key space searches.

Note:

This QID will be reported as a Potential Vulnerability (not as a Vulnerability) on some versions of IOS because an ISAKMP SA with weak settings can be established first, and then rejected later by a policy check. Without having VPN authentication credentials, it is impossible to differentiate between this type of setup and a setup that truly allows ISAKMP SA with weak settings.

IMPACT:

A malicious user with access to the VPN data stream may be able to recover the session key of a VPN connection. This would then provide access to all data sent across the VPN connection, which may include passwords and sensitive files.

SOLUTION:

Disable the encryption algorithm "DES" (key length of 56 bits) and the key exchange algorithm DH768 (MODP768). Secure replacements are 3DES and DH1024.

ebreniz Wed, 08/22/2007 - 10:52

You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to: Configuration | Tunneling and Security | IPSec | IKE Proposals and deactivate any and all IKE Proposals that reference DES.
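The scanner finding above is about what the concentrator will accept in an IKEv1 (ISAKMP) SA negotiation, and the fix is to deactivate the IKE proposals that reference DES. The following is an added example, not code from the original post or from Cisco, showing the wire format those proposals are negotiated in: it builds an SA payload the way a scanner's Main Mode offer would (DES-CBC and DH group 1 / MODP768 only), parses the SA payload a responder sends back, and flags any accepted transform that still uses DES or MODP768. Attribute numbers are the RFC 2409 Appendix A values; the responder payloads are constructed here, not captured traffic, so the script runs offline and sends nothing.

```python
"""Decode/encode the IKEv1 SA payload (RFC 2408/2409) that carries IKE
proposals, and flag transforms that still use DES or DH group 1 (MODP768).
Added example with constructed inputs only; nothing is sent on the network."""
import struct

# IKE attribute types and values from RFC 2409 Appendix A
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
AUTH_NAMES = {1: "PSK", 3: "RSA-SIG"}
GROUP_NAMES = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
WEAK_ENC = {1}     # DES-CBC: 56-bit key, brute-forceable
WEAK_GROUP = {1}   # DH group 1: MODP768


def _tv(attr_type, value):
    """Basic (TV) attribute: AF bit set in the type word, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_transform(number, enc, hash_, auth, group, last):
    """One Transform payload (transform id 1 = KEY_IKE) with four TV attributes."""
    attrs = (_tv(ATTR_ENC, enc) + _tv(ATTR_HASH, hash_)
             + _tv(ATTR_AUTH, auth) + _tv(ATTR_GROUP, group))
    next_payload = 0 if last else 3          # 3 = another Transform follows
    body = struct.pack("!BBH", number, 1, 0) + attrs   # transform #, id, reserved
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_sa_payload(transforms):
    """SA payload holding one Proposal; transforms = [(enc, hash, auth, group), ...]."""
    t_bytes = b"".join(
        build_transform(i + 1, *t, last=(i == len(transforms) - 1))
        for i, t in enumerate(transforms))
    # Proposal: next=0, reserved, length, proposal #1, protocol 1 (ISAKMP), SPI size 0, count
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(t_bytes),
                           1, 1, 0, len(transforms)) + t_bytes
    # SA: next=0, reserved, length, DOI 1 (IPsec), situation 1 (SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal


def parse_attributes(data):
    """Decode TV and TLV attributes into {type: int value}."""
    attrs, off = {}, 0
    while off < len(data):
        raw_type, val = struct.unpack_from("!HH", data, off)
        if raw_type & 0x8000:                 # TV: val is the value itself
            attrs[raw_type & 0x7FFF] = val
            off += 4
        else:                                 # TLV: val is the length of the value
            attrs[raw_type] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs


def parse_sa_payload(data):
    """Return the transforms in an SA payload (single proposal, e.g. Main Mode msg 2)."""
    _, _, _sa_len, doi, _sit = struct.unpack_from("!BBHII", data, 0)
    if doi != 1:
        raise ValueError("unexpected DOI %d" % doi)
    off = 12
    _, _, _p_len, _pnum, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, off)
    if proto != 1:
        raise ValueError("not an ISAKMP proposal (protocol %d)" % proto)
    off += 8 + spi_size
    transforms = []
    for _ in range(n_trans):
        _, _, t_len, t_num, _t_id = struct.unpack_from("!BBHBB", data, off)
        a = parse_attributes(data[off + 8:off + t_len])
        transforms.append({
            "number": t_num,
            "enc": ENC_NAMES.get(a.get(ATTR_ENC), "enc-%s" % a.get(ATTR_ENC)),
            "hash": HASH_NAMES.get(a.get(ATTR_HASH), "hash-%s" % a.get(ATTR_HASH)),
            "auth": AUTH_NAMES.get(a.get(ATTR_AUTH), "auth-%s" % a.get(ATTR_AUTH)),
            "group": GROUP_NAMES.get(a.get(ATTR_GROUP), "group-%s" % a.get(ATTR_GROUP)),
            "weak": a.get(ATTR_ENC) in WEAK_ENC or a.get(ATTR_GROUP) in WEAK_GROUP,
        })
        off += t_len
    return transforms


def weak_transforms(sa_payload):
    """The transforms the scanner finding objects to: DES encryption or MODP768."""
    return [t for t in parse_sa_payload(sa_payload) if t["weak"]]


# Constructed samples (not captured traffic).  The scanner's offer lists only weak
# transforms; a responder that accepts one echoes that single transform back.
SCANNER_OFFER = build_sa_payload([(1, 2, 1, 1), (1, 1, 1, 1)])  # DES/SHA1, DES/MD5; PSK; MODP768
WEAK_RESPONSE = build_sa_payload([(1, 2, 1, 1)])                 # DES-CBC, SHA1, PSK, MODP768
FIXED_RESPONSE = build_sa_payload([(5, 2, 1, 2)])                # 3DES-CBC, SHA1, PSK, MODP1024

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, weak_transforms(resp) or "no weak transform accepted")
```

To turn this into a live check after deactivating the DES proposals, the SCANNER_OFFER bytes would go behind a 28-byte ISAKMP header (next payload 1 = SA, exchange type 2 = Identity Protection) sent to UDP/500, and the responder's SA payload fed to parse_sa_payload; an empty weak_transforms() result on the reply is what the scanner is looking for. Note that the 2007 replacements named in the finding, 3DES and MODP1024, are themselves no longer considered adequate (3DES is deprecated by NIST and MODP1024 is within reach of well-resourced attackers), so a proposal list left with only AES and group 14 or higher is the practical target today.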

