Question about Aggressive Mode with Pre-Shared Key
A friend of mine is applying for a small business loan and they had to agree to a cybersecurity audit. It's really nothing more than an external pentest from an online provider. One of the dings that came back was that they use a VPN that supports IKE, aggressive mode with a Pre-Shared key. I took a look at his setup and the results are accurate. It was a lower risk (2 out of 5) on the pentest scale, and I don't think they will make much of it, but I would like to know more about the actual risk here. The firewall is also setup to require a username and password after the pre-shared key and each user has a unique username/password. Does having this additional auth reduce the risk significantly? Is it meaningful to respond and acknowledge that while it's true, the VPN requires the username/password or is this a case where the result of the exploitation would circumvent that additional auth?
4 Replies
Post created!
🔎 This post has been indexed in our web forum and will be seen by search engines so other users can find it outside Discord
🕵️ Your user profile is private by default and won't be visible to users outside Discord, if you want to be visible in the web forum you can add the "Public Forum Profile" role in <id:customize>
✅ You can mark a message as the answer for your post with
Right click -> Apps -> Mark Solution
(if you don't see the option, try refreshing Discord with Ctrl + R)Hey hey! This is a great question and something that's always a pain to deal with. They'll use a scanner like Qualys or Nessus, shit out a report, and be like "OH OH OH YOU GOTTA FIX THIS!" when it isn't inherently an issue.
So, specifically with IKE, I'd recommend swapping to IKEv2 with a PSK. You could setup a CA and do all the certificate stuff, but the value that you'd get would be incredibly minimal compared to the hassle. An upgrade to IKEv2 should be pretty easy and simple. Just use a unique 32 character or more PSK.
As far as the realistic risk goes, it's pretty minimal. Referencing a site-to-site VPN setup within, say, a Fortinet environment with FortiGates, you'd have the initial phase 1 tunnel created using that IKE negotiation. Make sure you use something like DH (Diffie-Hellman) 14, AES256 and SHA512 or at least SHA256 for the hashing and encryption. This connection generally only works because you're telling the firewalls who to talk to and who to expect traffic from. Attacking that portion of the VPN would be pretty difficult and a successful attack would mean you've got much bigger fish to fry.
Once the phase 1 tunnel is up, they'll do the phase 2 tunnel, which is what routes the traffic. An attacker would also have to know the LAN subnets on either end, which wouldn't be impossible, but still difficult.
Having the authentication is great, but it is mainly a security control to prevent unauthorized access after the tunnels have been established. If a threat actor did manage to be in the middle of that VPN connection, then it would disrupt them for sure. But in order for them to get there, they'd have to move mountains and there are much, much easier ways to get inside of a network, like phishing, spear phishing, or whaling that would be significantly more effective and cheaper.
tl;dr the risk is practically nothing. I'd still upgrade to IKEv2 with a strong PSK just to say that you have that specific protocol in place, but not doing so won't destroy his security posture. I think that's an acceptable risk for the organization to take on.
Also, I know nothing about this business, of course, so if he's in a regulated industry, it might change things a bit, but the reality doesn't change.
Before I forget, is this for individual users to connect into the network or for a site-to-site setup? Distributing and securing the PSK would be pretty difficult, hence the common usage of something like an SSL VPN.
absolutely amazing response, thank you so much for not only sharing your knowledge but for taking the time to write such a comprehensive response.
For sure, any time! If you ever have any questions, feel free to ask. We're always happy to help