It seems to me that yes, Easy VPN clients only use aggressive mode.

However, hackers can crack the pre-shared key, but so what? If you implement extended authentication, the pre-shared key will not do you any good, because users are still required to have accounts, either local, TACACS or RADIUS, to be able to access the network. Better yet, if you implement RSA SecurID, then you will truly have "two-factor" authentication.

The problem is that if you have a Cisco VPN router that supports both site-2-site VPN and remote access VPN (Easy VPN client), you can NOT disable aggressive mode on the router, because it will break remote access VPN. At the same time, by allowing aggressive mode, you also allow aggressive mode on the site-2-site VPN as well. That, to me, is a security risk.
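As an added illustration (not part of this thread and not a configuration posted by any of its participants), here is an IOS configuration sketch of the arrangement described above: one router terminating a site-2-site tunnel and an Easy VPN group, with extended authentication (XAUTH) against a local user database so that a recovered group pre-shared key alone does not grant access. Hostnames, the group name, the pool, the ACL number, the peer address and every key string are placeholders; `crypto isakmp aggressive-mode disable` is deliberately absent, since, as the thread notes, it would break the Easy VPN clients.

```cisco
! Added example configuration; placeholders are marked <...>.
aaa new-model
! XAUTH: each Easy VPN user authenticates individually against the local
! database. Swap "local" for a RADIUS or TACACS+ server group if you have one.
aaa authentication login vpn-xauth local
aaa authorization network vpn-group local
username alice secret <STRONG-USER-PASSWORD>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Site-2-site peer: static PSK bound to the peer address (main mode is
! negotiated with this peer, but the router still accepts aggressive mode).
crypto isakmp key <SITE2SITE-PSK> address 192.0.2.1
!
! Easy VPN group. The group key is what aggressive mode exposes to offline
! guessing, so treat it as low-value and let XAUTH carry the real authentication.
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-PSK>
 pool VPN-POOL
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic map for the remote-access clients.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! Tie XAUTH and group authorization to the crypto map.
crypto map VPNMAP client authentication list vpn-xauth
crypto map VPNMAP isakmp authorization list vpn-group
crypto map VPNMAP client configuration address respond
!
! Static entry for the site-2-site tunnel, dynamic entry for Easy VPN.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 100
crypto map VPNMAP 20 ipsec-isakmp dynamic DYN
!
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

After a client connects, `show crypto isakmp sa` shows the phase 1 state and `show crypto session` lists the peer with its XAUTH username, which is the quick check that the group key alone was not enough. The residual risk is exactly the one the thread raises: because aggressive mode stays enabled globally, the site-2-site PSK is only as safe as the peer's insistence on main mode and the strength of the key itself.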
Graham Bartlett wrote:

Hi Jun

It seems that Easy VPN clients only use aggressive mode...

"This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode"

If you are concerned about security with remote-access VPNs then SSL would be a better choice - I found the following which I will try to simulate when I get some spare time!

http://www.ernw.de/download/pskattack.pdf
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jun Kim
Sent: 28 June 2007 04:33
To: cisco@groupstudy.com
Subject: Cisco VPN client and SSL vpn? [7:122924]

I notice that Cisco VPN client software running on a Windows machine uses IKE Aggressive Mode, which is considered to be not secure because some of the information is sent in the clear. That's why aggressive mode is faster than Main mode but not as secure: 3 packets for aggressive mode versus 6 packets for Main mode.

Is there a way to force the VPN client software to use Main mode instead of aggressive mode? If so, how? By the way, I tried "crypto isakmp aggressive-mode disable" on the router but it breaks remote access VPN.

If this is the behavior of the Cisco VPN client and it cannot be changed to main mode, am I better off with SSL VPN instead in terms of security? At least with SSL VPN, to my knowledge, everything will be encrypted via Transport Layer Security (aka TLS) and nothing will be sent in the clear. The downside is that SSL VPN does not support every app, but in terms of security, it is more secure than IKE aggressive mode.

Anyone care to comment on this?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=122938&t=122924
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html