08-06-2018 07:02 AM - edited 02-20-2020 09:15 PM
I recently had an LCON send me a vulnerability report for his location asking me for assistance in reconciling some concerns. One of them was disabling SSL 2.0 and 3.0. On this same document were server vulnerabilities as well, although the vulnerability was seen on the IP address for one of my switches. Can this be disabled? He's got 3750s and 2960s at his location. This is my first attempt at fixing these concerns.
Labels: Cisco Threat Response
Accepted Solution: the reply of 08-07-2018 05:23 AM below.
08-06-2018 08:31 AM
Hi,
I don't believe you can specifically disable SSLv3 or v2, or more specifically, there isn't a command to turn them off. Although, a 'no sslv3' would be a great command under the circumstances!
I would approach this one of two ways:
1. I would try and mitigate that risk by ensuring that only trusted hosts are allowed to connect to the switch.
or
2. Configure a certificate authority for signing certificates, and configure specific cipher suites.
That being said, the vulnerability report is probably more interested in your web servers!
08-06-2018 11:36 AM
Thanks, this was my suspicion as well. The document is very vague. I suppose the reason they tagged my nodes for that was because that's where it was traveling through.
08-07-2018 04:23 AM
You should ask yourself if you really need a web server on a switch. If not, just switch that service off and your vulnerability is gone.
08-07-2018 05:16 AM
Could you please elaborate? I certainly do not need a web server on my switches. What's the service called and what commands disable it?
08-07-2018 05:23 AM
no ip http secure-server
no ip http server
08-07-2018 05:50 AM
Thanks, from the looks of it those two commands are enabled. We inherited this location when we merged with another company and it's sort of a mess. They've got VTP servers all over the place, different VTP versions running, different Spanning Tree modes running, etc.; the list goes on. That being said, I've got to be careful whenever I mess around with that network. Can someone just explain to me the use of the ip http server and ip http secure-server commands? I've not used them previously, so I'm trying to make sure that if I disable them nothing will be impacted.
08-07-2018 05:56 AM
These commands just turn the web server off. Typically the web server is used for device administration via GUI, or if you have a Cisco ISE with a guest workflow for wired guests.
08-07-2018 05:57 AM
Very cool, we use straight command line here so there shouldn't be any impact. Then disabling those will clear that security vulnerability?
08-07-2018 05:59 AM
It will.
I'd also make sure you exclude that address from future vulnerability scans.
08-07-2018 06:13 AM
I would not exclude these devices from the scan. All these devices are prone to misconfiguration, and a repeated vulnerability scan is one way to get notice of this.
BTW: There is more to device hardening than just disabling the web server. There are many services that are not secure by default that need to be secured, and one of my favorites: a secure SSH config.
08-07-2018 06:22 AM - edited 08-07-2018 06:23 AM
You're right. I think what I should have written is: remove it from a scan that's targeting servers, and run a separate scan against network devices.
Tenable (as an example) has plugins (depending on the license) to scan specific device types.
08-07-2018 10:11 AM
Great feedback, guys. Unfortunately we don't come in contact with the company running these audits; only my LCON does. I'm going to implement these fixes and also let him know that the servers need some work as well. Thanks everyone.
08-07-2018 11:23 AM
One more question: what are the commands for NX-OS?
08-07-2018 11:26 AM
no feature http-server
Check whether it's been enabled though by using:
show feature
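A defender-side way to check this across both platforms, as an added example that is not from any poster in this thread: a small Python audit that reads IOS running-config text for the `ip http server` / `ip http secure-server` lines (and their `no` forms) from the accepted reply above, reads NX-OS `show feature` output for the `http-server` row from this reply, reports the state of each, and prints the disabling command. All device output embedded below is constructed for illustration. The handling of a switch whose running-config mentions neither form is my assumption, not the thread's: it is reported as `default` (on the Catalyst platforms named in the thread the web server is on by default) and should be reviewed by hand rather than treated as disabled.

```python
"""Audit Cisco IOS and NX-OS device output for the embedded HTTP/HTTPS
server discussed in this thread. Added example; all device output below
is constructed for illustration, not captured from real equipment."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    service: str    # the config keyword that controls the service
    state: str      # "enabled", "disabled" or "default" (line absent)
    evidence: str   # the line the decision was based on


# Constructed IOS running-config fragments (Catalyst 2960/3750 style).
IOS_CONFIG_ENABLED = """\
!
hostname SW-INHERITED-01
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

IOS_CONFIG_HARDENED = """\
!
hostname SW-INHERITED-01
!
no ip http server
no ip http secure-server
!
"""

# Constructed NX-OS `show feature` output, trimmed to a few rows.
NXOS_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
bgp                   1         disabled
http-server           1         enabled
sshServer             1         enabled
"""

IOS_HTTP_SERVICES = ("ip http server", "ip http secure-server")


def audit_ios_http(running_config: str) -> List[Finding]:
    """Classify each IOS web-server keyword by exact line match.

    An explicit `no ...` line wins; an explicit enable line means enabled;
    if neither appears the platform default applies. Assumption: on the
    Catalyst switches in the thread that default is "on", so `default`
    is reported separately and should be reviewed rather than ignored.
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    findings = []
    for svc in IOS_HTTP_SERVICES:
        if f"no {svc}" in lines:
            findings.append(Finding(svc, "disabled", f"no {svc}"))
        elif svc in lines:
            findings.append(Finding(svc, "enabled", svc))
        else:
            findings.append(Finding(svc, "default", "line absent from running-config"))
    return findings


# One data row of `show feature`: feature name, instance number, state.
NXOS_FEATURE_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<instance>\d+)\s+(?P<state>enabled|disabled)$")


def audit_nxos_http(show_feature: str) -> Finding:
    """Find the http-server row in NX-OS `show feature` output."""
    for ln in show_feature.splitlines():
        m = NXOS_FEATURE_ROW.match(ln.strip())
        if m and m.group("name") == "http-server":
            return Finding("feature http-server", m.group("state"), ln.strip())
    return Finding("feature http-server", "default", "http-server row not listed")


def remediation(finding: Finding) -> Optional[str]:
    """Return the disabling command from the thread, or None if already off."""
    if finding.state == "disabled":
        return None
    return f"no {finding.service}"


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per service that still needs action."""
    out = []
    for f in findings:
        cmd = remediation(f)
        if cmd is not None:
            out.append(f"{f.service}: {f.state} ({f.evidence}) -> apply: {cmd}")
    return out


if __name__ == "__main__":
    for label, cfg in (("inherited switch", IOS_CONFIG_ENABLED),
                       ("hardened switch", IOS_CONFIG_HARDENED)):
        print(f"[IOS: {label}]")
        for line in report(audit_ios_http(cfg)) or ["web server already disabled"]:
            print("  " + line)
    print("[NX-OS]")
    for line in report([audit_nxos_http(NXOS_SHOW_FEATURE)]) or ["web server already disabled"]:
        print("  " + line)
```

Feed it the text of `show running-config` (IOS) or `show feature` (NX-OS) saved from each device; the `default` state is the one to watch on an inherited network, since the absence of a `no ip http server` line does not by itself prove the service is off.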
