<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Securing SSH, TLS, VPNs on Cisco IOS ISR in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5294979#M1121199</link>
    <description>&lt;P&gt;I'm looking to provide guidance on router config; this I can do, having been in networking for over a decade now. However, the one area where I'm less confident is security. Specifically, the details of ciphers, hashes, and key exchange algorithm selections.&lt;/P&gt;&lt;P&gt;I'm knowledgeable enough that I can kick out the worst / least secure, like RC4, (3)DES, MD5, SHA1, and very low DH groups 1, 2, 5, etc. Where I'm getting confused is in looking at Cisco command line SSH (TLS/SSL) options, among the higher-end options. I'm seemingly finding conflicting information and not sure about what is or isn't vulnerable.&lt;BR /&gt;&lt;BR /&gt;That is, in securing SSH (server role), encryption has three to four varieties of AES depending on key length (e.g. aes256-cbc, aes256-ctr, aes256-gcm, aes256-gcm@openssh.com). I'm reading various discussions, either here on the Cisco community, StackExchange, or from security blogs, seemingly either stating or suggesting that AES-CBC is less desirable, crappy, or "weak". And while AES-GCM is mentioned as secure, one person was saying it can "catastrophically" fail if duplicate "IVs" happen to be used or generated. So maybe AES-CTR is the choice?&lt;/P&gt;&lt;P&gt;But when I look at "ip http secure-ciphersuite" for TLS security, what I see is exclusively CBC and GCM offerings, except for an oddball "tls13-chacha20-poly1305-sha256" encryption type. So I use Google to try to learn about 'chacha20' and I find out that "&lt;SPAN&gt;TLS 1.3 has only five possible cipher suites, because it removed all unsecure cipher suites from TLS 1.2" and chacha20 is one of those five. But what are the other 4 cipher suites? Combinations of AES-GCM. No AES-CTR. So does this mean that AES-CTR is vulnerable? And what happened to GCM being able to catastrophically fail if duplicate "IVs" are used?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I'd provide links to the sources I'm referencing, but (from prior posting) I've found the auto-moderation really doesn't like web links.&lt;/P&gt;&lt;P&gt;Can someone help me sort out this information? Or is my basic knowledge of just getting rid of those weakest ciphers, hashes, and key exchange groups good enough?&lt;/P&gt;</description>
    <pubDate>Thu, 29 May 2025 17:37:31 GMT</pubDate>
    <dc:creator>Aggron</dc:creator>
    <dc:date>2025-05-29T17:37:31Z</dc:date>
    <item>
      <title>Securing SSH, TLS, VPNs on Cisco IOS ISR</title>
      <link>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5294979#M1121199</link>
      <description>&lt;P&gt;I'm looking to provide guidance on router config; this I can do, having been in networking for over a decade now. However, the one area where I'm less confident is security. Specifically, the details of ciphers, hashes, and key exchange algorithm selections.&lt;/P&gt;&lt;P&gt;I'm knowledgeable enough that I can kick out the worst / least secure, like RC4, (3)DES, MD5, SHA1, and very low DH groups 1, 2, 5, etc. Where I'm getting confused is in looking at Cisco command line SSH (TLS/SSL) options, among the higher-end options. I'm seemingly finding conflicting information and not sure about what is or isn't vulnerable.&lt;BR /&gt;&lt;BR /&gt;That is, in securing SSH (server role), encryption has three to four varieties of AES depending on key length (e.g. aes256-cbc, aes256-ctr, aes256-gcm, aes256-gcm@openssh.com). I'm reading various discussions, either here on the Cisco community, StackExchange, or from security blogs, seemingly either stating or suggesting that AES-CBC is less desirable, crappy, or "weak". And while AES-GCM is mentioned as secure, one person was saying it can "catastrophically" fail if duplicate "IVs" happen to be used or generated. So maybe AES-CTR is the choice?&lt;/P&gt;&lt;P&gt;But when I look at "ip http secure-ciphersuite" for TLS security, what I see is exclusively CBC and GCM offerings, except for an oddball "tls13-chacha20-poly1305-sha256" encryption type. So I use Google to try to learn about 'chacha20' and I find out that "&lt;SPAN&gt;TLS 1.3 has only five possible cipher suites, because it removed all unsecure cipher suites from TLS 1.2" and chacha20 is one of those five. But what are the other 4 cipher suites? Combinations of AES-GCM. No AES-CTR. So does this mean that AES-CTR is vulnerable? And what happened to GCM being able to catastrophically fail if duplicate "IVs" are used?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I'd provide links to the sources I'm referencing, but (from prior posting) I've found the auto-moderation really doesn't like web links.&lt;/P&gt;&lt;P&gt;Can someone help me sort out this information? Or is my basic knowledge of just getting rid of those weakest ciphers, hashes, and key exchange groups good enough?&lt;/P&gt;</description>
      <pubDate>Thu, 29 May 2025 17:37:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5294979#M1121199</guid>
      <dc:creator>Aggron</dc:creator>
      <dc:date>2025-05-29T17:37:31Z</dc:date>
    </item>
    <item>
      <title>Re: Securing SSH, TLS, VPNs on Cisco IOS ISR</title>
      <link>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5295427#M1121209</link>
      <description>&lt;P&gt;There is a Cisco security advisory; you can check the SSH cipher recommendations there.&lt;/P&gt;
&lt;P&gt;For ISR IOS XE hardening, check below:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening" target="_blank"&gt;https://sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Sat, 31 May 2025 07:37:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5295427#M1121209</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2025-05-31T07:37:30Z</dc:date>
    </item>
    <item>
      <title>Re: Securing SSH, TLS, VPNs on Cisco IOS ISR</title>
      <link>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5296175#M1121225</link>
      <description>&lt;P&gt;The basics you mentioned are sufficient for 95% of use cases.&lt;/P&gt;
&lt;P&gt;I would add that it is almost never necessary to run the "ip http server", so the TLS parameters are a moot point when that is disabled.&lt;/P&gt;</description>
      <pubDate>Tue, 03 Jun 2025 12:43:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/securing-ssh-tls-vpns-on-cisco-ios-isr/m-p/5296175#M1121225</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-06-03T12:43:47Z</dc:date>
    </item>
  </channel>
</rss>

