10-18-2013 09:50 AM
We were recently asked by a co-worker inside our organization who expressed concerns when he scanned the external IP of the IronPort. The IronPort showed that it allows 56-bit DES ciphers. Should these ciphers be disabled or removed because of security concerns?
Thanks in advance
10-18-2013 11:06 AM
We normally see null/anonymous ciphers in use when we are contacted for PCI scan vulnerabilities.
Please see the following:
Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E
Article #1785: SSLv3 and TLSv1 Protocol Weak CBC Mode Vulnerability Link: http://tools.cisco.com/squish/24cC5
You'll need to try the @STRENGTH option – which tells it to use the stronger ciphers first.
I would also suggest to use the following:
The "-aNULL" states that it will not accept random ciphers.
> sslconfig
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound
Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> 5
Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> OUTBOUND
Enter the outbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]>
Enter the outbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>
> commit
Once that is in place – have the security scan re-run.
10-21-2013 02:44 PM
Are these changes recommended?
Could any of these KB changes cause any downtime in the production environment or cause compatibility problems with any email clients?
Thanks,
Don
10-18-2013 10:33 PM
Hi Don,
A good setting for all cipher settings would be as follows, it excludes all the low, export, null, and CBC ciphers:
ALL:!EXP:!NULL:!LOW:!3DES
If you have access to a system which can run openssl from the command line then you can test your changes as follows:
openssl ciphers -ssl3 -tls1 'ALL:!EXP:!NULL:!LOW:!3DES' -v
Mark
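An added check, not part of the thread and not Cisco's code: the script below parses the `openssl ciphers -v` output that the command above produces and flags the suites a PCI-style scanner would report, so you can see what a candidate cipher string still offers before you commit it in sslconfig. It covers both strings proposed in this thread. Two things it makes visible: DES-CBC-SHA, the 56-bit DES suite from the original question, falls under OpenSSL's LOW alias, so both `MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH` and `ALL:!EXP:!NULL:!LOW:!3DES` drop it; and in OpenSSL cipher-string syntax `NULL` is an alias for `eNULL` (no encryption), not for `aNULL` (no authentication), so a string that relies on `!NULL` alone still includes the anonymous ADH/AECDH suites that `-aNULL` removes in the earlier answer. If those show up in the audit, append `:!aNULL`. The sample input at the bottom is constructed for this example, the filename `cipher_audit.py` in the usage note is hypothetical, and `audit_cipher_string` is a helper that shells out to a local `openssl` only if one is installed. Bear in mind that the OpenSSL build on the appliance can expand an alias differently from the one on your workstation, so confirm the final list with the VERIFY option in sslconfig.

```python
"""Audit an OpenSSL cipher list for the weak suites discussed in this thread.

Added example (not from the original posts or from Cisco). It parses the
`openssl ciphers -v` output format and flags suites that a scanner would
report: 56-bit DES and other short keys, export-grade suites, NULL
encryption, anonymous key exchange, RC4 and 3DES.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# One line of `openssl ciphers -v`, for example:
# "DES-CBC-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=DES(56)  Mac=SHA1"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)


@dataclass
class Cipher:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str
    export: bool  # openssl appends " export" to export-grade suites

    @property
    def key_bits(self):
        """Symmetric key length from the Enc field, e.g. DES(56) -> 56."""
        m = re.search(r"\((\d+)\)", self.enc)
        return int(m.group(1)) if m else None


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers.append(Cipher(m["name"], m["proto"], m["kx"], m["au"],
                                  m["enc"], m["mac"],
                                  export="export" in m["flags"]))
    return ciphers


def weaknesses(c):
    """Reasons a suite should not be offered; empty if it looks acceptable."""
    reasons = []
    if c.au == "None":
        reasons.append("anonymous key exchange (aNULL): no server authentication")
    if c.enc.startswith("None"):
        reasons.append("NULL encryption (eNULL): plaintext on the wire")
    elif c.export or c.kx.endswith("(512)"):
        reasons.append("export-grade suite: 40-bit key or 512-bit RSA")
    elif c.key_bits is not None and c.key_bits < 112:
        reasons.append(f"{c.key_bits}-bit key ({c.enc}): brute-forceable")
    if c.enc.startswith("RC4"):
        reasons.append("RC4: biased keystream (RFC 7465 prohibits it)")
    if c.enc.startswith("3DES"):
        reasons.append("3DES: 64-bit block, 112-bit effective strength (Sweet32)")
    return reasons


def audit(text):
    """Map each weak suite name to its reasons; acceptable suites are omitted."""
    return {c.name: weaknesses(c) for c in parse_ciphers(text) if weaknesses(c)}


def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local openssl binary and audit it.
    Returns None when openssl is missing or rejects the string."""
    try:
        out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return audit(out)


# Constructed sample in `openssl ciphers -v` format: suites the appliance's
# original list (RC4-SHA:RC4-MD5:ALL) would offer, including the ones that
# MEDIUM:HIGH:-aNULL or !LOW:!aNULL would remove.
SAMPLE = """\
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

if __name__ == "__main__":
    # Read openssl output from a pipe; fall back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, reasons in audit(text).items():
        print(f"{name}: " + "; ".join(reasons))
```

To audit a real string, pipe openssl into it: `openssl ciphers -v 'ALL:!EXP:!NULL:!LOW:!3DES' | python3 cipher_audit.py`. With the sample above, DES-CBC-SHA, EXP-DES-CBC-SHA, NULL-SHA, ADH-AES128-SHA, both RC4 suites and DES-CBC3-SHA are reported, while the AES suites pass.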
10-22-2013 07:57 AM
Not trying to hijack this forum.
I have enabled FIPS mode on my C670s and ran into some issues where SMTP servers trying to talk to my C670s don't have a FIPS-certified cipher and they bomb out during TLS negotiation; they do not successfully switch to a plain-text SMTP conversation. The conversation ends in a TLS error and the mail is not accepted for delivery.
So far my only course of action short of disabling FIPS mode is to configure them in the HAT to not allow TLS completely, or to work with the SMTP server admin to get their server to be able to do a FIPS certified cipher for TLS (I have yet to accomplish this option).
My current understanding is the following ciphers are enabled during FIPS mode:
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
However, verifying this is difficult as the SSLCONFIG menu gets locked down when FIPS is enabled:
sslconfig settings:
GUI HTTPS method: tlsv1
GUI HTTPS ciphers: FIPS
Inbound SMTP method: tlsv1
Inbound SMTP ciphers: FIPS
Outbound SMTP method: tlsv1
Outbound SMTP ciphers: FIPS:-aNULL
You cannot change server and client methods and cipher suites in the FIPS 140-2
compliance mode.
Just sharing the experience of enabling FIPS mode, anyone else try it?
10-22-2013 09:06 AM
Hi Jason,
You can confirm the ciphers by saving the configuration in FIPS mode.
Are both systems configured to require TLS? If so, no plain text or non-TLS will occur.
I hope this helps.
Regards,
Valter
10-22-2013 02:33 PM
Thanks Valter, I checked the configuration file and do find where it shows:
I guess I was hoping to be able to see the exact ciphers that it is using so that I can tell SMTP server admins what they are dealing with.
Prior to going to FIPS I had the IronPort appliances set to (PREFER, NO VERIFY) TLS connections for all sending and receiving connections. For 99% of the mail this did not cause a problem, but for roughly 1%, they would attempt a TLS connection and then die and no mail would go through, even though it was set to PREFER not REQUIRE. I don't know if it is a bug in Cisco IronPort and how they are handling TLS or in the SMTP servers that I had this problem with, but setting it to not require or prefer a TLS connection has resolved it every time, making me think that the other party did not have a TLS requirement.
Thank you for your input, it does help.