9 Replies Latest reply on Jul 8, 2014 12:02 PM by noor

    Netvanta 1335 failing PCI compliance this year 2014

    kts_user New Member
      500/udp  ISAKMP Allows Weak IPsec Encryption Settings   Fail  High
      500/udp  A running service was discovered               Pass  Low

       

      The PCI compliance scan produced the following results. We tried changing the IKE and IPsec encryption from 3DES to AES 256, but the results are the same. The NetVanta 1335 is running AOS 18.02.05.00.E.

      Any input would be much appreciated. Here is the config:

       

      !

      !

      ! ADTRAN, Inc. OS version 18.02.05.00.E

      ! Boot ROM version

      ! Platform: NetVanta 1335 PoE, part number 1700525E2

      ! Serial number XXXXXXXXXXX

      !

      !

      hostname "Switch"

      enable password md5 encrypted 5f0851074d9924fcd2635b4e231bdc12

      !

      clock timezone -8

      !

      ip subnet-zero

      ip classless

      ip routing

      !

      !

      ip domain-name "XXXXXXX"

      no ip domain-lookup

      ip name-server XXXXXXXXXXXX

      !

      !

      no ip route-cache express

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      no logging email

      !

      service password-encryption

      !

      ip policy-timeout tcp all-ports 3600

      !

      ip firewall

      ip firewall nat-preserve-source-port record-source-address

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      !

      aaa on

      !

      !

      aaa authentication login LoginUseRadius group radius

      aaa authentication login LoginUseLocalUsers local

      aaa authentication login LoginUseLinePass line

      !

      aaa authentication enable default enable

      !

      aaa authentication port-auth default local

      !

      !

      !

      !

      no dot11ap access-point-control

      !

      !

      !

      !

      !

      !

      !

      !

      ip crypto

      !

      crypto ike client configuration pool xxxvpn

        ip-range            xxxxxxxxxxx      xxxxxxxxxxxxxxx  

        dns-server          xxxxxxxxxx     xxxxxxxxxxxxx   

        netbios-name-server xxxxxxxxxxxx  xxxxxxxxxxxxx    

      !

      crypto ike policy 100

        no initiate

        respond main

        local-id address xx.xx.xx.xx

        peer any

        client authentication server list LoginUseLocalUsers

        client configuration pool sdnavpn

        attribute 1

          encryption 3des

          authentication pre-share

          group 2

      !

      crypto ike remote-id any preshared-key xxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-xauth

      !

      crypto ipsec transform-set esp-3des-esp-sha-hmac esp-3des esp-sha-hmac

        mode tunnel

      !

      crypto map VPN 10 ipsec-ike

        match address vpnspokes

        set transform-set esp-3des-esp-sha-hmac

        ike-policy 100

        mobile

      !

      qos map VOIP 10

        match dscp 46

        priority 1020

      !

      qos cos-map 1 0 1

      qos cos-map 2 2 3

      qos cos-map 3 4

      qos cos-map 4 5 6 7

      qos queue-type wrr 20 20 20 expedite

      !

      qos dscp-cos 0 8 16 24 32 46 48 56 to 0 1 2 3 4 5 6 7

      !

      !

      !

      !

      vlan 1

        name "Default"

      !

      vlan 10

        name "VLAN0010"

      !

      vlan 30

        name "Call Center"

      !

      vlan 100

        name "Outside "

      !

      !

      interface switchport 0/1

        spanning-tree bpdufilter enable

        spanning-tree edgeport

        no shutdown

        switchport access vlan 100

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/2

        description xxxxxxx

        spanning-tree edgeport

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/3

        description xxxxxxxx

        spanning-tree edgeport

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/4

        description xxxxxxx

        spanning-tree edgeport

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/5

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/6

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/7

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/8

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/9

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/10

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/11

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/12

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/13

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/14

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/15

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/16

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/17

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/18

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/19

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/20

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/21

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/22

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/23

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface switchport 0/24

        description Outside Interface

        spanning-tree bpdufilter enable

        spanning-tree edgeport

        no shutdown

        switchport access vlan 100

        no lldp send-and-receive

      !

      !

      interface gigabit-switchport 0/1

        description ShoreTel Soft Switch

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      interface gigabit-switchport 0/2

        description 1224 (1) Port 25

        no shutdown

        qos trust cos

        no lldp send-and-receive

      !

      !

      !

      interface vlan 1

        description INSIDE INTERFACE

        ip address  xx.xx.xx.xx  255.255.252.0

        ip access-policy Private

        no ip route-cache express

        no shutdown

      !

      interface vlan 100

        ip address  xx.xx.xx.xx  255.255.255.252

        ip address range  xx.xx.xx.xx  xx.xx.xx.xx  255.255.255.224  secondary

        ip access-policy Public

        crypto map VPN

        traffic-shape rate 10000000

        qos-policy out VOIP

        no ip route-cache express

        no shutdown

      !

      !

      !

      !

      !

      !

      ip access-list extended vpnspokes

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

        permit ip 192.168.xx.0 0.0.15.255  192.168.xx.0 0.0.0.255   

      !

      !

      ip policy-class Private

        allow list vpnspokes stateless

        allow list self self

        nat source list allowtcp25 interface vlan 100 overload

        discard list blocktcp25

        nat source list wizard-ics interface vlan 100 overload

      !

      ip policy-class Public

        allow reverse list vpnspokes stateless

      !

      !

      ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx

      !

      no tftp server

      no tftp server overwrite

      no ip http server

      ip http secure-server

      no snmp agent

      no ip ftp server

      ip ftp server default-filesystem flash

      no ip scp server

      ip sntp server

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      ip sip udp 5060

      ip sip tcp 5060

      !

      !

      !

      !

      !

      !

      !

      !

      !

      ip sip proxy grammar contact outbound-server-reference host domain

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      line con 0

        line-timeout 5

      !

      line telnet 0 4

        password encrypted xxxxxxx

        shutdown

      line ssh 0 4

        login authentication LoginUseLocalUsers

        line-timeout 2

        no shutdown

      !

      sntp server 0.us.pool.ntp.org

      !

      !

      !

      !

      !

      !

      end
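A static check of the IKE/IPsec settings in the configuration above, as an added example; it is not part of the original post and not an ADTRAN tool. It parses the `crypto ike policy` attribute block and the `crypto ipsec transform-set` line the way they appear in the AOS listing and reports the settings an ASV scanner commonly objects to. Two things stand out in the posted policy besides the cipher: `attribute 1` sets no `hash`, so whatever the platform default is applies, and it uses Diffie-Hellman `group 2` (1024-bit MODP), which NIST SP 800-131A disallows for key agreement after 2013; swapping 3DES for AES leaves both in place. The sample inputs are constructed from the post; the hardened variant uses the AOS keywords as I believe them to be (`aes-256-cbc`, `hash sha`, `group 14`, `esp-aes-256-cbc`), and those keywords and group 14 support on this firmware are assumptions to check against the AOS command reference before pasting.

```python
import re

# Constructed sample input: the IKE/IPsec part of the configuration posted above.
POSTED_CONFIG = """\
crypto ike policy 100
  no initiate
  respond main
  peer any
  client authentication server list LoginUseLocalUsers
  attribute 1
    encryption 3des
    authentication pre-share
    group 2
!
crypto ipsec transform-set esp-3des-esp-sha-hmac esp-3des esp-sha-hmac
  mode tunnel
!
"""

# Hardened variant. The keywords aes-256-cbc, hash sha, group 14 and esp-aes-256-cbc
# are assumed AOS syntax; confirm them (and group 14 support) on the unit first.
HARDENED_CONFIG = """\
crypto ike policy 100
  no initiate
  respond main
  peer any
  client authentication server list LoginUseLocalUsers
  attribute 1
    encryption aes-256-cbc
    hash sha
    authentication pre-share
    group 14
!
crypto ipsec transform-set esp-aes-256-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
  mode tunnel
!
"""

WEAK_GROUPS = {1: 768, 2: 1024}   # MODP sizes NIST SP 800-131A disallows after 2013

def parse_ike_policies(cfg):
    """Return {policy_id: {"respond": mode, "attributes": {attr_id: {keyword: value}}}}."""
    policies, policy, attr = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "!":                      # AOS section terminator
            policy = attr = None
            continue
        m = re.match(r"crypto ike policy (\d+)$", line)
        if m:
            policy = policies.setdefault(m.group(1), {"respond": None, "attributes": {}})
            attr = None
            continue
        if policy is None:
            continue
        m = re.match(r"attribute (\d+)$", line)
        if m:
            attr = policy["attributes"].setdefault(m.group(1), {})
            continue
        m = re.match(r"respond (\S+)", line)
        if m:
            policy["respond"] = m.group(1)
        elif attr is not None:
            key, _, value = line.partition(" ")
            if key in ("encryption", "hash", "group", "authentication"):
                attr[key] = value
    return policies

def parse_transform_sets(cfg):
    """Return {name: [esp-* tokens]} for every crypto ipsec transform-set line."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+)\s+(.+)$", cfg, re.M)}

def audit(cfg):
    """List the Phase 1 / Phase 2 settings an ASV scan is likely to flag."""
    findings = []
    for pid, pol in parse_ike_policies(cfg).items():
        if pol["respond"] in ("aggressive", "anymode"):
            findings.append(f"ike policy {pid}: answers aggressive mode (PSK-derived hash exposed to offline cracking)")
        for aid, a in pol["attributes"].items():
            where = f"ike policy {pid} attribute {aid}"
            enc, hsh, grp = a.get("encryption", ""), a.get("hash"), a.get("group")
            if enc == "des":
                findings.append(f"{where}: DES encryption (56-bit key)")
            elif enc == "3des":
                findings.append(f"{where}: 3DES encryption (legacy; move to AES)")
            if hsh == "md5":
                findings.append(f"{where}: MD5 hash")
            elif hsh is None:
                findings.append(f"{where}: hash not set, platform default applies; confirm it is not md5")
            if grp and int(grp) in WEAK_GROUPS:
                findings.append(f"{where}: DH group {grp} ({WEAK_GROUPS[int(grp)]}-bit MODP, "
                                "disallowed by NIST SP 800-131A after 2013)")
    for name, tokens in parse_transform_sets(cfg).items():
        for t in tokens:
            if t in ("esp-des", "esp-3des", "esp-null", "esp-md5-hmac"):
                findings.append(f"transform-set {name}: {t}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" ", f)
```

If the transform-set is renamed as in the hardened sample, `set transform-set` under `crypto map VPN 10` has to be updated to match, and every spoke behind `vpnspokes` must be able to offer the new proposal, or the tunnels stop coming up while the scan starts passing.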

        • Re: Netvanta 1335 failing PCI compliance this year 2014
          cj! Beta_User

          Interesting, because AES-256 IPsec seems to be the go-to standard when you need to meet PCI (or HIPAA or other strict privacy compliance). Are you certain the test was run during the time you had AES 256 in place? Could the report have merely indicated potential risk (given a less-secure configuration), though your AES-256 implementation is not a cause for concern?

           

          CJ

          • Re: Netvanta 1335 failing PCI compliance this year 2014
            jayh Hall_of_Fame

            kts_user wrote:

             

            500 udp ISAKMP Allows Weak IPsec Encryption Settings Fail High
            500 udp A running service was discovered Pass Low

             

            PCI Compliance test unit provided following results. We tried changing IKE and IPSec Encryption from 3DES to AES 256, but the results are same. The Netvanta 1335 has 18.02.05.00.E.

            Any input would be much appreciated.

             

            I would ask the auditing firm for a more specific reason. "Weak IPsec Encryption Settings" is a bit vague. AES/SHA or 3DES/SHA should be acceptable. Unless your PSK is something like "password" or they now require certificates, I'm not sure what the issue is here.

            • Re: Netvanta 1335 failing PCI compliance this year 2014
              jtr_pfx New Member

              Hi,

               

              We also have a 1335 and we also have to be PCI compliant.

               

              First of all, in our experience PCI compliance auditing firms are very unprofessional. We had the opposite problem; on one occasion we were asked to downgrade to a less secure configuration because the auditors would not understand that our configuration was both compliant and superior. On many occasions we have gone to a lot of effort to convince them they are wrong. (Not that I recommend that, it might be a bad idea, I am only sharing my experience.)

               

              Now, back to the point, I can confirm we use the same configuration as you, and also have a similar setup to communicate with an external (and PCI compliant) card processor and also a bank. It occurs to me that they might be (mis?)interpreting Requirement 4 (see Testing procedure 4.1.d) to mean you need certificates (it does not specify if they are only for SSL/TLS), and they now have a test for it.

               

              Please share your experience after you solve the issue.

                • Re: Netvanta 1335 failing PCI compliance this year 2014
                  Employee

                  kts_user -

                  I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                   

                  Thanks,

                  Noor