DNA - Topic about encryption

fongaratto
Level 1

Hello team,

 

After scanning vulnerabilities at the Cisco DNA Center, it was found that:

 

- Replace the 'Diffie-Hellman' with a safer group;

"The remote server is affected by a cryptographical weakness.
Disable weak cipher suites in the server's configuration.
It is recommended to use ECDH cipher suites instead and generate a strong, unique Diffie Hellman Group (2048-bit or stronger)".

 

- Increase the private key to 2048 bits or more.

"The remote server is affected by a cryptographical weakness.
Configure your SSH server so it uses moduli longer than 1024 bits and make sure that the diffie-hellman-group1-sha1 algorithm is disabled."

 

I couldn't find documentation with steps on how to perform these procedures.

 

Some direction?

 

All the best

Accepted Solutions

balaji.bandi
Hall of Fame
After scanning vulnerabilities at the Cisco DNA Center, it was found that:

We are not sure what scanning you did, or for what ports. You need to provide the complete output.

As per the suggestion, if you are looking at HTTPS, look at the guide below (this is based on the assumption that you have vulnerable HTTPS):

 

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

BB


5 Replies

Hello,

I saw this and many other links, unfortunately, I did not find the procedure I need in them.

Still, I appreciate your help.

Best regards.


Hello,

 

Below includes what I need help doing:

Findings 1:
"The remote server is affected by a cryptographical weakness.
Configure your SSH server so it uses moduli longer than 1024 bits and make sure that the diffie-hellman-group1-sha1 algorithm is disabled."

Findings 2:
"The remote server is affected by a cryptographical weakness.
Disable weak cipher suites in server's configuration.
It is recommended to use ECDH cipher suites instead and generate a strong, unique Diffie Hellman Group (2048-bit or stronger)".

 

I appreciate the help and attention.

The above document should be able to help you to get a new one.

BB
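
An added example, not part of any post in this thread and not Cisco code: one way to produce the per-port evidence asked for above is to parse the server's unencrypted SSH_MSG_KEXINIT packet (RFC 4253) and list the key exchanges that the SSH finding is about. All function names are hypothetical, and the packet is constructed in the code rather than captured from a DNA Center appliance.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "enc_c2s", "enc_s2c",
          "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Key exchanges relevant to the SSH finding quoted in the thread.
FLAGGED_KEX = {
    "diffie-hellman-group1-sha1": "fixed 1024-bit group; disable",
    "diffie-hellman-group-exchange-sha1": "server-chosen modulus; check its size",
    "diffie-hellman-group-exchange-sha256": "server-chosen modulus; check its size",
}

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if packet_len + 4 > len(packet) or pad_len + 1 > packet_len:
        raise ValueError("truncated or malformed packet")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, offer = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + size > len(payload):
            raise ValueError("name-list overruns payload")
        names = payload[pos + 4:pos + 4 + size].decode("ascii")
        offer[field] = names.split(",") if names else []
        pos += 4 + size
    return offer

def flagged_kex(offer: dict) -> dict:
    """Return {algorithm: reason} for offered key exchanges that need attention."""
    return {a: FLAGGED_KEX[a] for a in offer["kex_algorithms"] if a in FLAGGED_KEX}

def build_sample(kex: list) -> bytes:  # constructed test input, not a capture
    lists = [",".join(kex), "rsa-sha2-256", "aes128-ctr", "aes128-ctr",
             "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for item in lists:
        payload += struct.pack(">I", len(item)) + item.encode("ascii")
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 4 + (-(len(payload) + 1)) % 8  # total length multiple of 8, padding >= 4
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

if __name__ == "__main__":
    print(flagged_kex(parse_kexinit(build_sample(["curve25519-sha256", "diffie-hellman-group1-sha1"]))))
```

A group-exchange entry only says that the server picks the modulus, so the modulus size still has to be checked on the server side before the finding can be closed.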