Jimi
Beginner

ISE hardening recommendations - Turning off services such as TLS1.0, 1.1 and SSH v1

Hi all,

The customer has security audit requirements, and their audit team is asking my customer to prove that all these services with vulnerabilities have been shut down.

We understand that we can turn off TLS 1.0 and 1.1 on ISE 2.2P2, but we're still unsure how to turn off SSH v1.

We would like to know the ISE PM and TME standpoint on the above matters, as well as on future security vulnerabilities that might require customers to turn off additional services on the ISE engine.

Best Regards,

JN

Charlie Moreton
Cisco Employee

Have you seen this document?

ISE Security Best Practices (Hardening)

Hi Charles,

Actually, that is the exact documentation that the customer is referring to as a hardening guide. They are upset that it's the advice of that specific documentation to follow the Prime Infra Admin guide, which in turn advises turning off SSHv1. When they attempted to do so with TAC, as it requires the ISE root admin password, TAC refused, saying it's not recommended.

As such, we're in quite a bind with regards to this.

hslai
Cisco Employee

ISE 2.2 admin CLI accepts connections from SSH v2 clients only. There are additional security enhancements coming, but do contact our PM team for details.

Thanks a lot, Hslai. Would there be any documentation that we could show to the user's compliance audit team to convince them that ISE is not impacted by SSHv2 vulnerabilities, since we only accept connections from SSH v2 clients? It would be good if there's a way to show them that ISE itself is configured that way.

hslai
Cisco Employee

Please review Security Vulnerability Policy - Cisco

ISE CLI SSH service accepts protocol 2 only, with no configurable option to allow protocol 1.

Like Charles said, SSH is not required for ISE services and, if required, can be turned off.

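To give an audit team evidence of what a node actually advertises, here is an added example (not from this thread, and not Cisco's code): a small Python check that reads the SSH identification line the server sends before any authentication and classifies it per RFC 4253, where "SSH-2.0-..." means protocol 2 only, "SSH-1.99-..." means the server still accepts v1 clients, and "SSH-1.x-..." means v1 only. The hostname in the usage block is a placeholder.

```python
"""Audit helper: confirm an SSH listener advertises protocol 2 only.

Per RFC 4253 section 4.2 the server's identification line is
"SSH-<protoversion>-<softwareversion>[ <comments>]\r\n".  A server that
still accepts SSHv1 clients announces "1.99" (both) or "1.x" (v1 only);
"2.0" means protocol 2 only, which is what an audit team wants to see.
"""
import socket


def classify_banner(banner: str) -> str:
    """Map an identification line to 'v2-only', 'v1-and-v2', 'v1-only' or 'not-ssh'."""
    line = banner.strip()
    parts = line.split("-", 2)
    if not line.startswith("SSH-") or len(parts) < 3:
        return "not-ssh"
    proto = parts[1]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "not-ssh"  # unknown protoversion; treat as not a compliant SSH banner


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Return the server's identification line; no key exchange or login happens."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        with s.makefile("rb") as f:
            for _ in range(20):  # RFC 4253 allows non-"SSH-" lines before the banner
                line = f.readline(255)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return line.decode("ascii", errors="replace")
    return ""


def audit_host(host: str, port: int = 22) -> tuple:
    """Return (banner, verdict) for one host, for inclusion in audit evidence."""
    banner = fetch_banner(host, port)
    return banner.strip(), classify_banner(banner)


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the ISE node's management address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "ise-node.example.internal"
    advertised, verdict = audit_host(target)
    print(f"{target}: {advertised!r} -> {verdict}")
```

Run it against each ISE node and keep the printed banner and verdict as the evidence; a "v2-only" result corresponds to the behaviour described above.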
