How would you guys handle this with Meraki?
Here's the email from ControlScan:
The external scan detected ISAKMP with aggressive mode pre-shared secret authentication.
The vulnerability is that the hash (pre-shared key) is not encrypted!
Suggestions for remediation are as follows.
Solutions:
- Isolate the credit card subnet from the VPN subnet failing the scan. (Please send a network diagram.)
- Disable Aggressive Mode and use Main Mode.
- Do not use a pre-shared key for authentication if possible; use strong certificates.
- If possible, do not allow VPN connections from all IP addresses; restrict to an ACL (Access Control List).
- If using a pre-shared key cannot be avoided, use very strong keys along with multifactor authentication in accordance with PCI DSS 8.3.2.
Please send a screenshot of your login or configuration page for the multifactor authentication tool/application used to access the VPN, i.e. Duo, Symantec, Azure Authentication Manager, etc.
PCI DSS 8.3.2
Please note that all Remote Access to the credit card subnet requires
Multifactor Authentication per PCI DSS 8.3.2
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
8.3.2
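Added example, not part of the post or of the ControlScan email: a small Python parser for the fixed ISAKMP header that flags IKEv1 Aggressive Mode exchanges (exchange type 4) in UDP/500 payloads, so you can check from your own packet capture whether any peer still negotiates the mode the scan complained about once the VPN side has been changed to Main Mode or certificates. The packet bytes and addresses are constructed test data, and IKEv2 messages are classified separately because IKEv2 has no Aggressive Mode.

```python
import struct
# Fixed ISAKMP header (RFC 2408 section 3.1): 28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
# Exchange-type values from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2).
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection (Main Mode)", 4: "Aggressive Mode", 5: "Informational", 34: "IKE_SA_INIT (IKEv2)"}
MAIN_MODE, AGGRESSIVE_MODE = 2, 4

def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed header of one ISAKMP message (UDP/500 payload)."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    i_spi, r_spi, _nxt, ver, exch, flags, msg_id, length = ISAKMP_HEADER.unpack_from(payload)
    return {
        "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
        "major_version": ver >> 4, "minor_version": ver & 0x0F,
        "exchange_type": exch, "exchange_name": EXCHANGE_NAMES.get(exch, f"unknown ({exch})"),
        "flags": flags, "message_id": msg_id, "length": length,
        "length_ok": length == len(payload),  # length field must match the datagram
    }

def classify(payload: bytes) -> str:
    """Return 'aggressive', 'main', 'ikev2' or 'other' for one ISAKMP message."""
    hdr = parse_isakmp_header(payload)
    if hdr["major_version"] == 2:
        return "ikev2"  # IKEv2 has no Aggressive Mode, so the finding cannot apply
    if hdr["exchange_type"] == AGGRESSIVE_MODE:
        return "aggressive"
    return "main" if hdr["exchange_type"] == MAIN_MODE else "other"

def find_aggressive_mode(packets) -> list:
    """(src, dst, payload) tuples in -> (src, dst) pairs that negotiated Aggressive Mode."""
    hits = []
    for src, dst, payload in packets:
        try:
            if classify(payload) == "aggressive":
                hits.append((src, dst))
        except ValueError:
            continue  # truncated or non-ISAKMP datagram seen on the port
    return hits

def _sample(exchange_type: int, version: int = 0x10) -> bytes:
    """Constructed header-only message for demonstration (not a real capture)."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange_type, 0, 0, 28)

# Constructed sample traffic; addresses come from the RFC 5737 documentation ranges.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1", _sample(AGGRESSIVE_MODE)),   # IKEv1 Aggressive Mode
    ("203.0.113.11", "198.51.100.1", _sample(MAIN_MODE)),         # IKEv1 Main Mode
    ("203.0.113.12", "198.51.100.1", _sample(34, version=0x20)),  # IKEv2 IKE_SA_INIT
]
```

Feed `find_aggressive_mode` the UDP payloads from a real capture of port 500 (for example via scapy or dpkt) to get the list of peers still using Aggressive Mode.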