I recently had an LCON send me a vulnerability report for his location asking me for assistance in reconciling some concerns. One of them was disabling SSL 2.0 and 3.0. On this same document were server vulnerabilities as well, although the vulnerability was seen on the IP address for one of my switches. Can this be disabled? He's got 3750s and 2960s at his location. This is my first attempt at fixing these concerns.
I don't believe you can specifically disable SSLv3 or v2, or more specifically, there isn't a command to turn them off. Although, a 'no sslv3' would be a great command under the circumstances!
I would approach this one of two ways:
1. I would try and mitigate that risk by ensuring that only trusted hosts are allowed to connect to the switch.
2. Configure a certificate authority for signing certificates, and configure specific cipher suites:
That being said, the vulnerability report is probably more interested in your web servers!
Thanks, this was my suspicion as well. The document is very vague. I suppose the reason they tagged my nodes for that was because that's where it was traveling through.
You should ask yourself if you really need a web server on a switch. If not, just switch that service off and your vulnerability is gone.
Thanks, from the looks of it those two commands are enabled. We inherited this location when we merged with another company and it's sort of a mess. They've got VTP servers all over the place, different VTP versions running, different Spanning Tree modes running, etc.; the list goes on. That being said, I've got to be careful whenever I mess around with that network. Can someone just explain to me the use of the ip http server and ip http secure-server commands? I've not used them previously, so I'm trying to make sure that if I disable them nothing will be impacted.
These commands just turn the web server off. Typically the web server is used for device administration via GUI, or if you have a Cisco ISE with a guest workflow for wired guests.
Very cool; we use straight command line here, so there shouldn't be any impact. Then disabling those will clear that security vulnerability?
I would not exclude these devices from the scan. All these devices are prone to misconfiguration, and the repeated vulnerability scan is one way to get notice of this.
BTW: There is more to device hardening than just disabling the web server. There are many services that are not secure by default that need to be secured, and one of my favorites: a secure SSH config.
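As an added example (not configuration posted by anyone in this thread), here is what the two approaches discussed above look like on a Catalyst 3750/2960 running IOS: turning the web server off entirely when only the CLI is used, or, if the GUI/ISE guest workflow must stay, restricting the HTTP/HTTPS daemon to trusted hosts and pinning its cipher suites, plus the SSH hardening mentioned in the post above. The subnet 10.10.10.0/24, ACL number 10, hostname and domain name are placeholders; cipher-suite keywords and the `ip ssh` options vary by IOS release, so check `?` on the box before pasting.

```cisco
! Added example, not from this thread. Placeholders: 10.10.10.0/24 = management subnet,
! ACL 10, hostname SW-EDGE-01, domain example.com. Verify command support on your release.
!
! --- Option A: nobody uses the GUI, so remove the service (both lines are needed;
!     "no ip http server" alone leaves the HTTPS listener, and its SSLv2/v3, running) ---
no ip http server
no ip http secure-server
!
! --- Option B: the GUI or ISE guest redirect is required, so constrain it instead ---
! Only the management subnet may reach the web daemon; everything else is dropped and logged.
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
! Prefer the HTTPS listener and limit its suites to AES (keywords depend on IOS version).
no ip http server
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha aes-256-cbc-sha
! Optional: serve a CA-signed certificate instead of the self-signed default
! (assumes a trustpoint named MGMT-CA has already been enrolled).
ip http secure-trustpoint MGMT-CA
!
! --- SSH hardening: SSHv2 only, 2048-bit host key, short timeouts, same ACL on the VTYs ---
hostname SW-EDGE-01
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 15
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
!
! Verify before saving: "show ip http server status" should report the server disabled
! (Option A) or show the access class and cipher suites (Option B); "show ip ssh" should
! report version 2.0 only. Then "copy running-config startup-config".
```

Option A is the right answer when, as in this thread, administration is CLI-only: with no listener there is nothing for the scanner to flag. Option B keeps the exposure but bounds it to trusted sources, which is the mitigation suggested earlier in the thread; either way the follow-up scan should be re-run against the switch to confirm the finding is gone rather than assuming it.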
You're right. I think what I should have written is remove them from a scan that's targeting servers, and run a separate scan against network devices.
Tenable (as an example) has plugins (depending on the license) to scan specific device types.
Great feedback, guys. Unfortunately we don't come in contact with the company running these audits; only my LCON does. I'm going to implement these fixes and also let him know that the servers need some work as well. Thanks everyone.