PCI Compliance

Solved
jaswild
Conversationalist

PCI Compliance

Good evening.  Looking for anyone that has experience, tips, info on PCI compliance and how it may pertain to the Meraki MX64.  I have a small body shop as a customer and they had PCI compliance test done and failed.

 

The vulnerability was:

Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key port 500 / udp / ikev1

 

THREAT:
The remote IKEv1 service supports Aggressive Mode with Pre-Shared key.

 

IMPACT:
The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared key (PSK) authentication. Such a configuration could
allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.

 

SOLUTION:
- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if it's possible.
- If using Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP addresses.

 

Does this necessarily happen at the MX?  Comcast Business is the ISP ahead of the MX and the workstations each run Kapersky or WinDef for antivirus/firewall.

 

Thank you in advance for any tips or advice.

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

If you have no VPNs configured then you don't have an issue.

 

If you are only using AutoVPN you don't have an issue.

 

If you are using either client to site VPN or a third party site to site IPSec VPN then you have an issue.  The only "fix" you have to use is to make sure you are using a long hard pre-shared key.  Personally - I use 24 character pre-shared keys.  This will mitigate the risk - but the PCI report will still say the same as it wont know you are using a PSK that is nor practically break-able.

View solution in original post

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

If you have no VPNs configured then you don't have an issue.

 

If you are only using AutoVPN you don't have an issue.

 

If you are using either client to site VPN or a third party site to site IPSec VPN then you have an issue.  The only "fix" you have to use is to make sure you are using a long hard pre-shared key.  Personally - I use 24 character pre-shared keys.  This will mitigate the risk - but the PCI report will still say the same as it wont know you are using a PSK that is nor practically break-able.

Philip,

 

Thanks, I'll work with customer to take this further.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels