25395 Views | 25 Helpful | 14 Replies
cbkirwan1
Beginner

Disable SSL 2.0 and 3.0

I recently had an LCON send me a vulnerability report for his location asking me for assistance in reconciling some concerns. One of them was disabling SSL 2.0 and 3.0. On this same document there were server vulnerabilities as well. Although the vulnerability was seen on the IP address for one of my switches. Can this be disabled? He's got 3750s and 2960s at his location. This is my first attempt at fixing these concerns.

Accepted Solution

no ip http secure-server

no ip http server

14 Replies
petenixon
Participant

Hi,

I don't believe you can specifically disable SSLv3 or v2, or more specifically, there isn't a command to turn them off. Although, a 'no sslv3' would be a great command under the circumstances!

I would approach this one of two ways:

1. I would try and mitigate that risk by ensuring that only trusted hosts are allowed to connect to the switch.

or

2. Configure a certificate authority for signing certificates, and configuring of specific cipher suites:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01010.html#d72206e37a1635

That being said, the vulnerability report is probably more interested in your web servers!

Thanks, this was my suspicion as well. The document is very vague. I suppose the reason they tagged my nodes for that was because that's where it was traveling through.

Karsten Iwen
VIP Mentor

You should ask yourself if you really need a web server on a switch. If not, just switch that service off and your vulnerability is gone.

Could you please elaborate?  I certainly do not need a web server on my switches.  What's the service called and what commands disable it?

no ip http secure-server

no ip http server

Thanks, from the looks of it those two commands are enabled. We inherited this location when we merged with another company and it's sort of a mess. They've got VTP servers all over the place, different VTP versions running, different Spanning Tree modes running, etc.; the list goes on. That being said, I've got to be careful whenever I mess around with that network. Can someone just explain to me the use of the ip http server and ip http secure-server commands? I've not used them previously, so I'm trying to make sure that if I disable them nothing will be impacted.

These commands just turn the web server off. Typically the web server is used for device-administration via GUI or if you have a Cisco ISE with a guest-workflow for wired guests.

Very cool, we use straight command line here so there shouldn't be any impact.  Then disabling those will clear that security vulnerability?

It will.

I'd also make sure you exclude that address from future vulnerability scans.

I would not exclude these devices from the scan. All these devices are prone to misconfiguration. And the repeated vulnerability-scan is one way to get notice of this.

BTW: There is more to device hardening than just disabling the web server. There are many services that are not secure by default that need to be secured, and one of my favorites: a secure SSH config.

You're right. I think what I should have written is remove it from a scan that's targeting servers, and run a separate scan against network devices.

Tenable (as an example) has plugins (depending on the license) to scan specific device types.

Great feedback, guys. Unfortunately we don't come in contact with the company running these audits; only my LCON does. I'm going to implement these fixes and also let him know that the servers need some work as well. Thanks everyone.

One more question: what are the commands for NX-OS?

no feature http-server

Check whether it's been enabled though by using:

show feature
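As an added example (not posted by anyone in this thread), a small Python script that audits the exact services discussed above: it reads the IOS running-config for the 'ip http server' / 'ip http secure-server' lines and NX-OS 'show feature' output for the http-server feature, and lists the 'no' commands still needed. The sample outputs are constructed; an absent IOS line is reported as 'unknown' because the platform default then applies.

```python
import re
from typing import Dict, List

# Constructed sample: "show running-config | include ip http" on an IOS
# switch that still has both the HTTP and HTTPS listeners turned on.
IOS_RUNNING_CONFIG = """\
hostname sw-access-01
ip http server
ip http secure-server
ip http authentication local
"""

# Constructed sample: the relevant rows of "show feature" on an NX-OS switch.
NXOS_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
http-server           1         enabled
sshServer             1         enabled
telnetServer          1         disabled
"""

def audit_ios_http(running_config: str) -> Dict[str, str]:
    """State of the two IOS web listeners as found in the running-config:
    'enabled' if the bare command is present, 'disabled' if its 'no' form
    is present, 'unknown' if neither appears (platform default applies;
    confirm on the box with 'show ip http server status')."""
    states = {"ip http server": "unknown", "ip http secure-server": "unknown"}
    for raw in running_config.splitlines():
        line = raw.strip()
        for cmd in states:
            if line == cmd:
                states[cmd] = "enabled"
            elif line == f"no {cmd}":
                states[cmd] = "disabled"
    return states

def audit_nxos_http(show_feature: str) -> str:
    """'enabled', 'disabled' or 'unknown' for the NX-OS http-server feature,
    parsed from 'show feature' rows of the form: <name> <instance> <state>."""
    for raw in show_feature.splitlines():
        m = re.match(r"^(\S+)\s+\d+\s+(enabled|disabled)$", raw.strip())
        if m and m.group(1) == "http-server":
            return m.group(2)
    return "unknown"

def ios_remediation(states: Dict[str, str]) -> List[str]:
    """The 'no' commands from the accepted answer for every listener that
    is not confirmed disabled (unknown is treated as still on)."""
    return [f"no {cmd}" for cmd, st in states.items() if st != "disabled"]

if __name__ == "__main__":
    ios = audit_ios_http(IOS_RUNNING_CONFIG)
    print("IOS:", ios, "->", ios_remediation(ios))
    print("NX-OS http-server:", audit_nxos_http(NXOS_SHOW_FEATURE))
```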
