cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kts_user
New Contributor

Netvanta 1335 failing PCI compliance this year 2014

500udpISAKMP Allows Weak IPsec Encryption SettingsFailHigh
500udpA running service was discoveredPassLow

PCI Compliance test unit provided following results. We tried changing IKE and IPSec Encryption from 3DES to AES 256, but the results are same. The Netvanta 1335 has 18.02.05.00.E.

Any input would be much appreciated. Here is the config

!

!

! ADTRAN, Inc. OS version 18.02.05.00.E

! Boot ROM version

! Platform: NetVanta 1335 PoE, part number 1700525E2

! Serial number XXXXXXXXXXX

!

!

hostname "Switch"

enable password md5 encrypted 5f0851074d9924fcd2635b4e231bdc12

!

clock timezone -8

!

ip subnet-zero

ip classless

ip routing

!

!

ip domain-name "XXXXXXX"

no ip domain-lookup

ip name-server XXXXXXXXXXXX

!

!

no ip route-cache express

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

service password-encryption

!

ip policy-timeout tcp all-ports 3600

!

ip firewall

ip firewall nat-preserve-source-port record-source-address

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

aaa on

!

!

aaa authentication login LoginUseRadius group radius

aaa authentication login LoginUseLocalUsers local

aaa authentication login LoginUseLinePass line

!

aaa authentication enable default enable

!

aaa authentication port-auth default local

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

!

!

!

ip crypto

!

crypto ike client configuration pool xxxvpn

  ip-range            xxxxxxxxxxx      xxxxxxxxxxxxxxx  

  dns-server          xxxxxxxxxx     xxxxxxxxxxxxx   

  netbios-name-server xxxxxxxxxxxx  xxxxxxxxxxxxx    

!

crypto ike policy 100

  no initiate

  respond main

  local-id address xx.xx.xx.xx

  peer any

  client authentication server list LoginUseLocalUsers

  client configuration pool sdnavpn

  attribute 1

    encryption 3des

    authentication pre-share

    group 2

!

crypto ike remote-id any preshared-key xxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-xauth

!

crypto ipsec transform-set esp-3des-esp-sha-hmac esp-3des esp-sha-hmac

  mode tunnel

!

crypto map VPN 10 ipsec-ike

  match address vpnspokes

  set transform-set esp-3des-esp-sha-hmac

  ike-policy 100

  mobile

!

qos map VOIP 10

  match dscp 46

  priority 1020

!

qos cos-map 1 0 1

qos cos-map 2 2 3

qos cos-map 3 4

qos cos-map 4 5 6 7

qos queue-type wrr 20 20 20 expedite

!

qos dscp-cos 0 8 16 24 32 46 48 56 to 0 1 2 3 4 5 6 7

!

!

!

!

vlan 1

  name "Default"

!

vlan 10

  name "VLAN0010"

!

vlan 30

  name "Call Center"

!

vlan 100

  name "Outside "

!

!

interface switchport 0/1

  spanning-tree bpdufilter enable

  spanning-tree edgeport

  no shutdown

  switchport access vlan 100

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/2

  description xxxxxxx

  spanning-tree edgeport

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/3

  description xxxxxxxx

  spanning-tree edgeport

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/4

  description xxxxxxx

  spanning-tree edgeport

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/5

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/6

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/7

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/8

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/9

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/10

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/11

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/12

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/13

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/14

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/15

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/16

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/17

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/18

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/19

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/20

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/21

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/22

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/23

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface switchport 0/24

  description Outside Interface

  spanning-tree bpdufilter enable

  spanning-tree edgeport

  no shutdown

  switchport access vlan 100

  no lldp send-and-receive

!

!

interface gigabit-switchport 0/1

  description ShoreTel Soft Switch

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

interface gigabit-switchport 0/2

  description 1224 (1) Port 25

  no shutdown

  qos trust cos

  no lldp send-and-receive

!

!

!

interface vlan 1

  description INSIDE INTERFACE

  ip address  xx.xx.xx.xx  255.255.252.0

  ip access-policy Private

  no ip route-cache express

  no shutdown

!

interface vlan 100

  ip address  xx.xx.xx.xx  255.255.255.252

  ip address range  xx.xx.xx.xx  xx.xx.xx.xx  255.255.255.224  secondary

  ip access-policy Public

  crypto map VPN

  traffic-shape rate 10000000

  qos-policy out VOIP

  no ip route-cache express

  no shutdown

!

!

!

!

!

!

ip access-list extended vpnspokes

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

  permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

!

!

ip policy-class Private

  allow list vpnspokes stateless

  allow list self self

  nat source list allowtcp25 interface vlan 100 overload

  discard list blocktcp25

  nat source list wizard-ics interface vlan 100 overload

!

ip policy-class Public

  allow reverse list vpnspokes stateless

!

!

ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx

!

no tftp server

no tftp server overwrite

no ip http server

ip http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

ip sntp server

!

!

!

!

!

!

!

!

!

!

ip sip udp 5060

ip sip tcp 5060

!

!

!

!

!

!

!

!

!

ip sip proxy grammar contact outbound-server-reference host domain

!

!

!

!

!

!

!

!

!

!

line con 0

  line-timeout 5

!

line telnet 0 4

  password encrypted xxxxxxx

  shutdown

line ssh 0 4

  login authentication LoginUseLocalUsers

  line-timeout 2

  no shutdown

!

sntp server 0.us.pool.ntp.org

!

!

!

!

!

!

end

Labels (2)
0 Kudos
9 Replies
cj_
Valued Contributor
Valued Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

Interesting, because AES-256 IPSec seems to be the go-to standard when you need to meet PCI (or HIPAA or other strict privacy compliance).  Are you certain the test was run during the time you had AES 256 in place?  Could the report have merely indicated potential risk (given a less-secure configuration), though your AES-256 implementation is not a cause for concern?

CJ

mick
Contributor
Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

Did you also try changing from preshared-key to 'authentication rsa-sig' for ike and specifying remote-ide to asn1-dn?  You will need to set up SSL certificates for this.

PS. If you use OpenSSL to generate them, make sure that it is version 1.0.1g, or that it has been patched for the Heartbleed bug, or that otherwise it is compiled with the heartbeat flag disabled.

kts_user
New Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

We ran the tests while the encryption was set to AES 256 and it didn't make a difference in results. I am not sure what else can I look for?

cj_
Valued Contributor
Valued Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

I don't suppose the firm performing the security audit could tell you what they'd like to see changed or what they consider to be an acceptable configuration?

mick
Contributor
Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

Hi kts_user,

I'm no PCI expert, but I understand that one of its controls involves unique IDs for each user.  In your set up any remote end point could be allowed to connect.  Unlike SSL Certificates the preshared key is not a unique authentication method as it is shared by all client machines and potentially users.  So, I'm thinking, the PCI Access Control Measure may be flagging this up.

--

Regards,

Mick

kts_user
New Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

There are quite a few remote users connecting to this unit. So I cannot make any changes during the day but I can try changing the "remote-id any" afterhours. Weird  thing is that the unit passed the PCI test past 4 years.

jayh
Honored Contributor
Honored Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014


kts_user wrote:




















500udpISAKMP Allows Weak IPsec Encryption SettingsFailHigh
500udpA running service was discoveredPassLow


PCI Compliance test unit provided following results. We tried changing IKE and IPSec Encryption from 3DES to AES 256, but the results are same. The Netvanta 1335 has 18.02.05.00.E.


Any input would be much appreciated.


I would ask the auditing firm for a more specific reason.  Weak IPsec Encryption Settings is a bit vague.  AES/SHA or 3DES/SHA should be acceptable.  Unless your PSK is something like "password" or they now require certificates I'm not sure what the issue is here. 

jtr_pfx
New Contributor

Re: Netvanta 1335 failing PCI compliance this year 2014

Hi,

We also have a 1335 and we also have to be PCI compliant.

First of all in our experience PCI Compliance auditing firms are very unprofessional. We had the opposite problem; on one occasion we were being requested to downgrade to a less secure configuration because the auditors would not understand that our configuration was both compliant and superior. In many occasions we have been through a lot of effort to convince them they are wrong. (Not that I recommend that, it might be a bad idea, only sharing my experience).

Now, back to the point, I can confirm we use the same configuration as you, and also have a similar setup to communicate with an external (and PCI compliant) card processor and also a bank. It occurs to me that they might be (mis?)interpreting Requirement 4 (see Testing procedure 4.1.d) to mean you need certificates (it does not specify if they are only for SSL/TLS), and they now have a test for it.

Please share your experience after you solve the issue.

Anonymous
Not applicable

Re: Netvanta 1335 failing PCI compliance this year 2014

-

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor