topic Re: Disable Weak Cipher in Network Security

Disable Weak Cipher

sahrizal123 — Fri, 21 Feb 2020 14:56:12 GMT

Hi,

Based on result penetratiion test i have to disable weak cipher on ASA cisco 5516.

SSL weak cipher
Recomend disable : TLS_RSA_WITH_3DES_EDE_CBC_SHA , TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA

May i know the command to disable and the impact disable the SSL above.

Re: Disable Weak Cipher

Francesco Molino — Mon, 11 Dec 2017 04:21:36 GMT

Hi

You can use ssl cipher command:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

Re: Disable Weak Cipher

Marvin Rhoads — Mon, 11 Dec 2017 06:23:50 GMT

I use the following commands (along the lines of what's explained in the link provided by Francesco):

ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"

Note that if you use ASDM your Java will need to have the JCE strong crypto libraries to be able to connect to the ASA following implementation of that hardening configuration.

That's about the only impact unless you have clients with VERY old browsers trying to use your SSL VPN portal on thee ASA. Any relatively modern browser (i.e. from the last 3-4 years onward) should connect with no issue.

Re: Disable Weak Cipher

Karsten Iwen — Tue, 12 Dec 2017 09:23:34 GMT

In addition to Francescos and Marvins input, I recently started for many customers to disable TLS1.0 and 1.1 completely. And for TLS1.2 I only allow the high security ciphers. That won't work in every environment, but with actual client-software there is no problem.