[Ach] Comments for VPN-section
Karsten Iwen
ki at iwen.de
Mon Dec 16 22:44:37 CET 2013
Hi all,
I'm Karsten, freelance trainer and consultant with focus on Cisco Security solutions.
Some comments on the Cisco ASA-section in the VPN chapter:
1) IKEv2-proposals: There should be a note that most of the algorithms are only available on the current X-models. If one of the still very often used legacy models (5505, 5510, 5520, 5540, 5550) is used, then there is no sha-256/384/512 and no aes-gcm. sha-256/384/512 *is* available on the policies.
2) IKEv2-proposals: Why is md5 included in the list of suggested algorithms? Even for compatibility with older systems, SHA-1 should be enough.
3) SSL-settings: There should be a note that 3DES is still needed if AnyConnect is used under Windows XP.
4) A link to the Cisco "Next Generation Encryption" could be added: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
5) Under Authentication you mention that the PSK should not be shorter than the output of the hash. Is there a reference for that?
regards, Karsten
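Points 1 to 3 of the post amount to a checklist that can be run over an ASA configuration. The following audit script is an added example, not code from the post or from the ACH document; it assumes the ASA CLI keyword spellings shown in the constructed sample configuration and flags md5/DES/3DES anywhere, plus, when a legacy model is declared, the sha-256/384/512 and aes-gcm tokens that the post says are not available in IPsec proposals on those models.

```python
import re

# Constructed sample ASA configuration fragment (not taken from the post).
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256 sha
 group 14
 prf sha256 sha
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption aes-256 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal STRONG
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
"""

# Algorithm tokens treated as weak (points 2 and 3 of the post).
# 'null' is deliberately not listed: aes-gcm proposals pair with 'integrity null'.
WEAK = {"md5", "des", "3des", "des-sha1", "3des-sha1", "rc4-md5", "rc4-sha1"}

# Tokens the post says legacy ASA models lack in IPsec proposals (point 1).
LEGACY_UNSUPPORTED = re.compile(r"^(sha-(256|384|512)|aes-gcm(-\d+)?)$")
PROPOSAL_PREFIX = "crypto ipsec ikev2 ipsec-proposal"


def audit_asa_config(config, legacy_model=False):
    """Return a list of (block, token, reason) findings for the config text."""
    findings = []
    block = "<top>"
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line.startswith(" "):
            # A top-level command opens a new block; keep a short label for it.
            block = " ".join(parts[:5]) if parts[0] == "crypto" else " ".join(parts[:2])
        for tok in parts:
            tok = tok.lower()
            if tok in WEAK:
                findings.append((block, tok, "weak algorithm"))
            elif (legacy_model and block.startswith(PROPOSAL_PREFIX)
                  and LEGACY_UNSUPPORTED.match(tok)):
                findings.append((block, tok, "not available on legacy models"))
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG, legacy_model=True):
        print("%s: %s (%s)" % finding)
```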