09-27-2017 09:28 AM
Hi all,
The customer has security audit requirements, and their audit team is asking my customer to prove that all services with vulnerabilities have been shut down.
I understand that we can turn off TLS 1.0 and 1.1 on ISE 2.2P2, but we're still unsure how to turn off SSH v1.
I would like to know the ISE PM and TME standpoint on the above matters, as well as on future security vulnerabilities that might require customers to turn off additional services on the ISE engine.
Best Regards,
JN
09-27-2017 09:56 AM
Have you seen this document?
09-28-2017 08:11 AM
Hi Charles,
Actually, that is the exact documentation that the customer is referring to as a hardening guide. They are upset that the advice of that specific document is to follow the Prime Infra Admin guide, which in turn advises turning off SSHv1. When they attempted to do so with TAC, as it requires the ISE root admin password, TAC refused, saying it's not recommended.
As such, we're in quite a bind with regards to this.
09-27-2017 11:26 AM
ISE 2.2 admin CLI accepts connections from SSH v2 clients only. There are additional security enhancements coming but do contact our PM team for details.
09-28-2017 08:13 AM
Thanks a lot, Hslai. Would there be any documentation that we could show to the user's compliance audit team to convince them that ISE is not impacted by SSHv2 vulnerabilities, since we only accept connections from SSH v2 clients? It would be good if there were a way to show them that ISE itself is configured that way.
09-28-2017 08:37 AM
Please review Security Vulnerability Policy - Cisco
The ISE CLI SSH service accepts protocol 2 only, with no configurable option to allow protocol 1.
Like Charles said, SSH is not required for ISE services and, if required, can be turned off.
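For an audit team that wants evidence from the box itself rather than from a policy page, the simplest independent check is the SSH identification string the server sends first on every connection: per RFC 4253 section 5.1 a server that answers "SSH-2.0-..." speaks protocol 2 only, "SSH-1.99-..." means it still accepts protocol 1 clients, and "SSH-1.x-..." means protocol 1 only. The script below is an added example written for this thread, not Cisco code and not part of ISE; the sample banners, the host name and the software-version strings in it are constructed for illustration, and the only thing it asserts about a real ISE node is whatever that node actually returns.

```python
import socket
from typing import Optional

# Constructed sample identification strings (not captured from any real ISE node),
# labelled per RFC 4253 section 5.1:
#   "SSH-2.0-..."  server speaks protocol 2 only
#   "SSH-1.99-..." server speaks both 1.x and 2.0, so protocol 1 is still reachable
#   "SSH-1.5-..."  server speaks protocol 1 only
SAMPLE_BANNERS = {
    "v2_only": "SSH-2.0-OpenSSH_7.4",
    "both": "SSH-1.99-OpenSSH_5.3",
    "v1_only": "SSH-1.5-OpenSSH_3.4p1",
}


def classify_banner(banner: str) -> str:
    """Map an SSH identification string to 'v2-only', 'v1-and-v2', 'v1-only' or 'unknown'."""
    line = banner.strip()
    if not line.startswith("SSH-"):
        return "unknown"
    # Format is SSH-protoversion-softwareversion [SP comments]; the software
    # version may itself contain dashes, so split at most twice.
    parts = line.split("-", 2)
    if len(parts) < 3:
        return "unknown"
    proto = parts[1]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Connect to host:port and return the server's identification line, or None.

    The server sends its identification string without waiting for the client,
    so a plain TCP read is enough; no key exchange is started.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            # Read until the first line ends; an identification line is at most 255 bytes.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    # RFC 4253 allows the server to send other lines before the identification
    # string, so return the first line that starts with "SSH-".
    for raw in data.split(b"\n"):
        text = raw.decode("ascii", errors="replace").rstrip("\r")
        if text.startswith("SSH-"):
            return text
    return None


def audit_host(host: str, port: int = 22) -> dict:
    """Produce an audit record: banner, classification and a yes/no 'protocol 2 only' verdict."""
    banner = fetch_banner(host, port)
    if banner is None:
        return {"host": host, "banner": None, "verdict": "no-banner", "v2_only": False}
    verdict = classify_banner(banner)
    return {"host": host, "banner": banner, "verdict": verdict, "v2_only": verdict == "v2-only"}


if __name__ == "__main__":
    import sys
    # Hypothetical target; substitute the management address of the ISE node under audit.
    target = sys.argv[1] if len(sys.argv) > 1 else "ise-node.example.invalid"
    print(audit_host(target))
```

Run it against each ISE node's admin interface and keep the printed record as the artefact for the audit file; a "v2-only" verdict corresponds to the statement above that the CLI SSH service accepts protocol 2 only, while a "v1-and-v2" verdict on any host is the finding the audit team is actually looking for. A "no-banner" result means the port was closed or filtered (for example, SSH turned off as suggested above), which is evidence of a different kind and should be recorded as such rather than as a pass.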