Hi, we have a potential vulnerability on our Cisco Concentrator, can I disable DES?
Weak IPsec Encryption Settings port 500/udp
This host contains an ISAKMP/IKE key exchange server to negotiate encryption keys for IPsec Virtual Private Networks (VPNs). The configuration of the server allows clients to establish VPN connections with insecure encryption settings or key lengths. Once established, these connections may allow remote malicious users with access to the VPN data stream to recover the session key used in the connection by performing brute-force key space searches.
This QID will be reported as a Potential Vulnerability (not as a Vulnerability) on some versions of IOS because an ISAKMP SA with weak settings can be established first, and then rejected later by a policy check. Without having VPN authentication credentials, it is impossible to differentiate between this type of setup and a setup that truly allows ISAKMP SA with weak settings.
A malicious user with access to the VPN data stream may be able to recover the session key of a VPN connection. This would then provide access to all data sent across the VPN connection, which may include passwords and sensitive files.
Disable the encryption algorithm "DES" (key length of 56 bits) and the key exchange algorithm DH768 (MODP768). Secure replacements are 3DES and DH1024.
You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to: Configuration | Tunneling and Security | IPSec | IKE Proposals
and deactivate any and all IKE Proposals that reference DES.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...