PCI Compliance with Unifi USG 3 Port

CCWTech

I have a Unifi USG 3 port and can't seem to pass PCI compliance. I have reached out to the PCI compliance techs as well as to Ubiquiti. Both have said there isn't anything they can do to help. Looks like it's related to our Remote User VPN.

First Problem is: Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device. These weak ciphers could make it easier for a context dependent attack to compromise the integrity of IKE sessions established with this device.

Second problem is: Diffie-Hellman Groups 1 to 4 are no longer considered safe for strong encryption. It is estimated that these groups have a security level of 80-90 bits which is no longer adequate to protect the encryption keys used during IKE phase 2. Furthermore, Group 5 (Modp-1536) has a security level of 120 bits which is slightly under to protect AES-128 encryption keys. Stronger groups have been designed for the Diffie-Hellman key exchange in RFC 3526.

Ubiquiti support says the doesn't support the encryption that is being asked for here. I just purchased the Ubiquiti gear so hopefully something can be done to resolve this.

Help is appreciated.

1337

@CCWTech Can't you setup which ciphers to use? So the one that are not recommended can't be used?

Also would using AES-256 help with the DH group settings?

We use pfsense and there you have a lot of different algorithms, key lengths, hash and DH groups to choose from. Only the one(s) you select are enabled. But pfsense UI says:
Note: Blowfish, 3DES, CAST128, MD5, SHA1, and DH groups 1, 2, 22, 23, and 24 provide weak security and should be avoided.

JaredBusch

This is why I never use the USG. It is not designed to be configured in this kind of detail.

That said, get around it by blocking the PCI scanner for everything except a ping response.

Let me see if I can find an example of what I did for a client.

1337

@JaredBusch said in PCI Compliance with Unifi USG 3 Port:

This is why I never use the USG. It is not designed to be configured in this kind of detail.

Ahh. It's the wrong tool for the job then.

That said, get around it by blocking the PCI scanner for everything except a ping response.

Honestly? Why not just buy something better? Can't the Edgerouter get the job done? Isn't that like $50 or something?

Let me see if I can find an example of what I did for a client.

JaredBusch

This was in an ERL, but you can make firewall groups in the UniFI controller also.

I created a firewall group with the listed Addresses of the PCI scanner

set firewall group address-group Trustwave_Scanner address 64.37.231.0/24
set firewall group address-group Trustwave_Scanner address 111.108.90.138-111.108.90.139
set firewall group address-group Trustwave_Scanner address 124.211.46.74-124.211.46.75
set firewall group address-group Trustwave_Scanner address 204.225.91.58-204.225.91.59
set firewall group address-group Trustwave_Scanner address 209.90.139.122-209.90.139.123
set firewall group address-group Trustwave_Scanner address 220.101.105.8-220.101.105.9
set firewall group address-group Trustwave_Scanner address 220.101.107.8-220.101.107.9
set firewall group address-group Trustwave_Scanner description 'Trustwave PCI Scanner Addresses'

I then made a drop all rule for it on the WAN_LOCAL after adding a ICMP allow ahead of it, so that I would respond to ping. Otherwise I got a fail because the unit was "not scannable". My VPN allow rules are after that drop.

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Internet to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Accept Established / Related'
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow ICMP'
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol icmp
set firewall name WAN_LOCAL rule 30 action drop
set firewall name WAN_LOCAL rule 30 description 'Block Trustwave'
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol all
set firewall name WAN_LOCAL rule 30 source group address-group Trustwave_Scanner
set firewall name WAN_LOCAL rule 40 action drop
set firewall name WAN_LOCAL rule 40 description 'Drop Invalid'
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 state invalid enable
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description 'Allow IKE'
set firewall name WAN_LOCAL rule 50 destination port 500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description 'Allow ESP'
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol esp
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description 'Allow NAT-T'
set firewall name WAN_LOCAL rule 70 destination port 4500
set firewall name WAN_LOCAL rule 70 log disable
set firewall name WAN_LOCAL rule 70 protocol udp
set firewall name WAN_LOCAL rule 80 action accept
set firewall name WAN_LOCAL rule 80 description 'Allow new IPSEC connections'
set firewall name WAN_LOCAL rule 80 ipsec match-ipsec
set firewall name WAN_LOCAL rule 80 log disable
set firewall name WAN_LOCAL rule 80 protocol all
set firewall name WAN_LOCAL rule 80 state established disable
set firewall name WAN_LOCAL rule 80 state invalid disable
set firewall name WAN_LOCAL rule 80 state new enable
set firewall name WAN_LOCAL rule 80 state related disable

JaredBusch

@Pete-S said in PCI Compliance with Unifi USG 3 Port:

@JaredBusch said in PCI Compliance with Unifi USG 3 Port:

This is why I never use the USG. It is not designed to be configured in this kind of detail.

Ahh. It's the wrong tool for the job then.

IMO, the USG is 100% the wrong tool for all scenarios. But people keep buying it.

@Pete-S said in PCI Compliance with Unifi USG 3 Port:

@JaredBusch said in PCI Compliance with Unifi USG 3 Port:

That said, get around it by blocking the PCI scanner for everything except a ping response.

Honestly? Why not just buy something better? Can't the Edgerouter get the job done? Isn't that like $50 or something?

In EdgeOS, it depends. The L2TP settings are not configurable. But IPSEC is 100% configurable.
These settings only apply to IPSEC and not L2TP

set vpn ipsec esp-group fslesp compression disable
set vpn ipsec esp-group fslesp lifetime 3600
set vpn ipsec esp-group fslesp mode tunnel
set vpn ipsec esp-group fslesp pfs enable
set vpn ipsec esp-group fslesp proposal 1 encryption aes256
set vpn ipsec esp-group fslesp proposal 1 hash sha1
set vpn ipsec ike-group fslike ikev2-reauth no
set vpn ipsec ike-group fslike key-exchange ikev1
set vpn ipsec ike-group fslike lifetime 28800
set vpn ipsec ike-group fslike proposal 1 dh-group 19
set vpn ipsec ike-group fslike proposal 1 encryption aes256
set vpn ipsec ike-group fslike proposal 1 hash sha1

CCWTech

@JaredBusch
So does this issue exist in the edge router as well (why you had to do firewall rules for it)?

JaredBusch

@CCWTech said in PCI Compliance with Unifi USG 3 Port:

@JaredBusch
So does this issue exist in the edge router as well (why you had to do firewall rules for it)?

Obviously, IPSEC is fully configurable as noted.

The client was getting dinged simply for having a VPN.

scottalanmiller

The scanning software can't tell you where it is getting the issue?