[Ach] Comments for VPN-section
L. Aaron Kaplan
kaplan at cert.at
Mon Dec 16 22:51:10 CET 2013
we are working on the paper right now and just saw your mail.
Very nice of you to add this info.
We'll have to integrate that.
Azet, do you want to take a look at this? That was your chapter AFAIK.
On Dec 16, 2013, at 10:44 PM, Karsten Iwen <ki at iwen.de> wrote:
> Hi all,
> I'm Karsten, freelance trainer and consultant with focus on Cisco Security solutions.
> Some comments on the Cisco ASA-section in the VPN chapter:
> 1) IKEv2-proposals: There should be a note that most of the algorithms are only available on the actual X-models. If one of the still very often used legacy models (5505,5510,5520,5540,5550) is used, then there is no sha-256/384/512 and no aes-gcm. sha-256/384/512 *is* available on the policies.
> 2) IKEv2-proposals: Why is md5 included in the list of suggested algorithms? Even for compatibility with older systems SHA-1 should be enough.
> 3) SSL-settings: There should be a note that 3DES is still needed if AnyConnect is used under Windows XP.
> 4) A link to the Cisco "Next Generation Encryption" could be added: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
> 5) Under Authentication you mention that the PSK should not be shorter then the output of the hash. Is there a reference for that?
> regards, Karsten
> Ach mailing list
> Ach at lists.cert.at
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Ach