VPN Concentrator Vulnerability Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

Unanswered Question
Jun 9th, 2010


I conducted a vulnerability test against Cisco VPN Concentrator 3060 and it hsows the following vulnerability.

I have enabled only the remote access VPN and no site to site VPN.

How can I remove this vulnerability?

Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ernw.de/download/pskattack.pdf (http://www.ernw.de/download/pskattack.pdf).

SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion