Which One is Stronger Security?

rdianat
Level 1

Hello Experts,

I have two scenarios which I would like to hear your comments about:

This is in regards to the configuration of IKEv1 and IKEv2 in two different profiles and comparing their security level.

When configuring IKEv1, I use shared secret keys. A client must know this secret key to be able to VPN to a server.

When configuring IKEv2, I use identity certificates in the ASA for the users to authenticate the server identity, but I do not configure SCEP for the server to authenticate the clients. In this scenario there is no secret key configured (IKEv2 does not allow for secret keys but ONLY certificates), so any client can VPN to the server if it accepts the server certificate.

Please note:

Both of the above configs are only for IPsec. I am not talking about any SSL VPN.

I know that implementing SCEP would be ideal and better security, but my question is only to compare the above two scenarios.

Thank you,

Razi

3 Replies

Marcin Latosiewicz
Cisco Employee

Razi,

A few clarifications:

- The RFC mandates certificate authentication for IKEv2 remote access users. You can still use pre-shared keys for other types. Certificate auth mandates that both sides present a certificate to authenticate each other.

- SCEP is not a security mechanism per se; it's a way to enroll certificates (plus a few added functions).

- Certificates are more secure than PSK in many ways (as long as private keys remain private ;])

- You should still perform normal EAP authentication for remote access users.

HTH,

Marcin

Hi Marcin,

Thank you very much for the useful clarification.

I have configured an ASA with IPsec IKEv2 remote access VPN where only server authentication through an "Identity certificate" is required. These are the steps I have done:

- Created a CSR on the ASA.

- Sent it to a public CA, received the cert and installed it on the ASA.

- Installed the CA's cert chain on the client computer.

So if I understand correctly, this allows only for server authentication, which works perfectly. You mention that mutual authentication of server and client is an "RFC mandate" (if I understand it correctly), so is it that Cisco's implementation is not compliant with the RFC mandate?

And although the above configuration is using certificates, it is still weaker security compared to PSK because it is only one-way authentication (only server authentication). Is this right? Do you understand this the same way I understand it?

Now if I plan to implement two-way or mutual authentication of both server and client, I have to either use the ASA as the Certificate Authority to authenticate clients or use another PKI infrastructure (like Windows servers) to do the client authentication. This way, I believe, would be the most secure, and of course it costs more in terms of setting up a PKI infrastructure. Any comment, or any other way of doing it?

Thank you,

Razi

Razi,

The RFC mandates it. In section 2.16:

    For this reason, these protocols are typically used to authenticate the
    initiator to the responder and MUST be used in conjunction with a
    public key signature based authentication of the responder to the
    initiator.

http://www.ietf.org/rfc/rfc4306.txt

Please also note that in many ways the AnyConnect connection to the ASA over IKEv2 is not a standards-based one.

But AnyConnect or native IKEv2 in Windows 7 connections to IOS are in fact RFC compliant.

A properly implemented, distributed and protected PKI is way more secure than PSK.

In a standards-based implementation, to exchange a username and password you need to do EAP, where you are also required to perform an RSA signature exchange.

There is absolutely no reason for the ASA to be the CA. The headend and client can (in one of the possible scenarios) be enrolled to one CA.

M.
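The configuration Marcin's two replies point at (headend and clients enrolled to one CA, the ASA proving its identity with a certificate, the client proving its identity with a certificate and additionally with EAP for username/password), written out as an added example. It is not configuration from this thread or from Cisco documentation, and it is not Razi's posted setup. The trustpoint, tunnel-group, pool, group-policy and certificate-map names, the O= and OU= values, and the assumption that the ASA release in use accepts certificate and EAP remote authentication together are mine; check every command against your ASA release before using it.

```cisco
! Assumed: one enterprise CA issues both the ASA identity cert and the client certs.
! Trustpoint for the CA (CA cert pasted in with "crypto ca authenticate ENT-CA").
crypto ca trustpoint ENT-CA
 enrollment terminal
 subject-name CN=vpn.example.net,O=Example Corp
 revocation-check crl
 ! CRL checking matters here: a revoked client cert must stop authenticating.

! Only accept client certificates issued by that CA, for the VPN-Users OU.
! Without a map, any certificate chaining to ANY installed trustpoint would match.
crypto ca certificate map ENT-CLIENT-MAP 10
 issuer-name attr o eq "Example Corp"
 subject-name attr ou eq "VPN-Users"

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443

tunnel-group RA-IKEV2 type remote-access
tunnel-group RA-IKEV2 general-attributes
 address-pool VPN-POOL
 default-group-policy GP-IKEV2
tunnel-group RA-IKEV2 ipsec-attributes
 ! Responder (ASA) authenticates itself with a public-key signature, as RFC 4306
 ! section 2.16 requires whenever EAP is used for the initiator.
 ikev2 local-authentication certificate ENT-CA
 ! Initiator (client) must present a certificate chaining to ENT-CA ...
 ikev2 remote-authentication certificate
 ! ... and additionally a username/password over EAP (assumed supported together
 ! with certificate authentication on this release).
 ikev2 remote-authentication eap query-identity

! Bind certificates matching the map to this tunnel-group; connections whose
! certificate matches no map rule do not land in RA-IKEV2.
tunnel-group-map ENT-CLIENT-MAP 10 RA-IKEV2
```

The difference from the one-way setup described earlier in the thread is the pair of `ikev2 remote-authentication` lines together with the certificate map: with only `ikev2 local-authentication certificate` configured, anyone who trusts the CA can complete IKE_SA_INIT and the server-side AUTH, whereas here the client must hold a private key for a certificate issued by ENT-CA (and not revoked), plus valid EAP credentials.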