ESA internet.nl cipher string

Maartje
Level 1

Hi Team,
This post is for all of you in the Netherlands who have customers (or your own company) that want to comply with internet.nl and get to that hall of fame with Cisco ESAs but have no clue how to get there or don't want to be too strict.

 

What is Internet.nl? https://internet.nl/

Internet.nl helps you to check whether your internet is up to date. Do your website, email and internet connection use modern and reliable Internet Standards? And if they don't, what can you do about it? Who is behind Internet.nl? The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The platform is a collaboration between parties from the Internet community and the Dutch government.

 

And here is a link to the most recent publications about the guidelines for TLS in the Netherlands:
https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1

 

I want to share 2 cipher strings with you that are not super strict. There are stricter options, so if you want to provide more security don't use these 2. If you want to comply with internet.nl but not be the strictest on the internet you can use one of these two:


ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-EXPORT:@STRENGTH


ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!aNULL:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-aNULL:-EXPORT:@STRENGTH

 

If you have even better ideas, please post in the comments so we can all help each other. And let's get to that hall of fame!


hagroot_cisco
Level 1

Thanks Maartje! Great Post!

You can simplify these a little bit as you have some redundancies.

Your first one has export and idea listed twice.
And I would sort it by strength.

ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:@STRENGTH

There may be some more that could be done considering you added MEDIUM and then pulled most of it out by removing TLS 1.1, 1.0 and SSL3.

Thanks Ken! I will change that!


On the other part, MEDIUM does allow some ciphers that are still being used and are also considered good by the NCSC.
So like I said there are more secure options, but if you want to comply with internet.nl but not be the strictest on the internet you can use one of these two.


If you would like to share the strongest suggestion, please feel free to do so! 

natanovic89
Level 1


Thanks for the info, I don't know what we would do without the Internet

Auteri
Level 1

If you want 100% compliance you can use: ECDHE:!3DES:!NULL:-SSLv3

Or use the next one which is considered sufficient: ECDHE:RSA:!3DES:!MD5:!IDEA:!CAMELLIA:!SEED:!NULL:-SSLv3

Also check Method TLS 1.2 only.

To enter the Internet.nl Hall of Fame something more needs to be done; this is the easy part.
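Added example (not from the thread, Cisco or internet.nl): it feeds the four cipher strings posted above through the OpenSSL cipher-list parser that Python's ssl module exposes and reports every surviving suite that a TLS guideline would still object to. It assumes the ESA reads the string the same way as a stock OpenSSL (the ESA's own build may differ) and uses the context's minimum_version as a stand-in for the "Method TLS 1.2 only" setting mentioned in the last reply.

```python
"""Expand the cipher strings posted in this thread with OpenSSL (via Python's ssl
module) and list which surviving suites would still draw an internet.nl/NCSC finding."""
import ssl

# Cipher strings copied verbatim from the posts in this thread.
STRINGS = {
    "Maartje 1": "ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:"
                 "!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-EXPORT:@STRENGTH",
    "Maartje 2": "ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!aNULL:!RC4:!DSS:!SEED:!IDEA:!MD5:"
                 "!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-aNULL:-EXPORT:@STRENGTH",
    "Auteri 100%": "ECDHE:!3DES:!NULL:-SSLv3",
    "Auteri sufficient": "ECDHE:RSA:!3DES:!MD5:!IDEA:!CAMELLIA:!SEED:!NULL:-SSLv3",
}
# Algorithms that must not appear in any selected suite name.
BANNED = ("RC4", "DES-CBC3", "NULL", "MD5", "SEED", "IDEA", "PSK", "SRP", "DSS")

def expand(cipher_string, tls12_only=True):
    """Return the suites OpenSSL selects for cipher_string (ssl get_ciphers() dicts).
    tls12_only stands in for the ESA's 'Method TLS 1.2 only' setting (assumed
    equivalent): the cipher string on its own does not pin the protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if tls12_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite survives
    return ctx.get_ciphers()

def audit(cipher_string):
    """Map each selected suite name to the reasons a TLS guideline would reject it."""
    findings = {}
    for s in expand(cipher_string):
        name, why = s["name"], []
        if any(b in name for b in BANNED):
            why.append("banned algorithm")
        if s.get("auth") == "auth-null":
            why.append("anonymous key exchange")  # exactly what !aNULL removes
        if s.get("kea") not in ("kx-ecdhe", "kx-any"):
            why.append("no forward secrecy")  # e.g. RSA key transport
        if s["strength_bits"] < 128:
            why.append(f"{s['strength_bits']}-bit key")
        if s["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            why.append("defined for TLS < 1.2; relies on the version setting")
        findings[name] = why
    return findings

if __name__ == "__main__":
    for label, cs in STRINGS.items():
        result = audit(cs)
        flagged = {n: w for n, w in result.items() if w}
        print(f"{label}: {len(result)} suites, {len(flagged)} flagged")
        for n, w in flagged.items():
            print(f"  {n}: {', '.join(w)}")
```

Running it side by side shows why the second string adds !aNULL: the ECDH alias on its own also matches anonymous ECDH suites, which the first string never removes.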
