
Change cipher strength for management traffic

yoongseong
Level 1

Hi All,

I’m performing a new deployment for my customer on a C370 Ironport, and my customer has an internal team performing a band test on the Ironport box. The results show that the management traffic (HTTPS) is only using medium strength traffic (56 bits – 112 bits), which does not meet the compliance of the organization. From the knowledge base, I checked that our management traffic is using either RC4-SHA or RC4-MD5. Any way to change this to AES or 3DES?

Besides that, in the band test, customer also notices that the box supports anonymous SSL ciphers. Any way to disable this?

Thanks.


Andreas Mueller
Level 4

Hi there,

Check out these articles:

Article #1399: How can I alter what ciphers are used with the Graphical User Interface (GUI)? Can I disable SSL v2 for the GUI? Link: http://tools.cisco.com/squish/80676

Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E

So to exclude low and anonymous ciphers, something like this would apply:

HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH

Hope that helps,

Andreas


Hi Andreas,

Is there any possibility to apply these for the management interface (GUI) too? Thanks.

Regards,

Dennis Goh

Hi Dennis,

The articles mentioned are valid for the GUI as well, simply use sslconfig as described, and when asked:

Enter the GUI HTTPS ssl cipher you want to use.

you copy/paste the ciphers.

Hope that helps,

Andreas
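
Before pasting a cipher string like the one suggested above into sslconfig, its expansion can be checked against the concerns raised in the question (anonymous ciphers, RC4, sub-128-bit keys). The following is an added example, not part of the original thread or of Cisco's tooling: it audits text in the format printed by `openssl ciphers -v '<cipher string>'`; the sample lines are constructed, and the 128-bit threshold (using key sizes as OpenSSL prints them) is an assumption.

```python
import re
# Constructed sample in the format printed by `openssl ciphers -v '<cipher string>'`.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""
# Enc field looks like "AES(256)", "CHACHA20/POLY1305(256)" or "None".
ENC_RE = re.compile(r"^(?P<alg>[A-Za-z0-9/]+)(?:\((?P<bits>\d+)\))?$")

def parse_line(line):
    """Split one `openssl ciphers -v` line into name, protocol and Au/Enc details."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    m = ENC_RE.match(fields.get("Enc", ""))
    return {"name": parts[0], "proto": parts[1], "au": fields.get("Au"),
            "alg": m.group("alg") if m else None,
            "bits": int(m.group("bits")) if m and m.group("bits") else 0}

def audit(text, min_bits=128):
    """Return {cipher name: [reasons]} for every suite that fails the policy."""
    findings = {}
    for line in text.splitlines():
        c = parse_line(line)
        if c is None:
            continue
        reasons = []
        if c["au"] == "None":
            reasons.append("anonymous (no server authentication)")
        if c["alg"] == "None":
            reasons.append("null encryption")
        elif c["bits"] < min_bits:
            reasons.append("%d-bit key below %d" % (c["bits"], min_bits))
        if c["alg"] == "RC4":
            reasons.append("RC4")
        if reasons:
            findings[c["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print("%-14s %s" % (name, "; ".join(reasons)))
```

An empty result from `audit()` means no suite in the expanded list tripped any of the checks; scanners that rate 3DES by effective strength may still grade `DES-CBC3-SHA` lower than the 168 bits OpenSSL prints.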
