How to solve third-party security concerns for 5520 ASA???

baselzind
Level 6

I have a customer who has a third-party security firm which sent him the following concerns: (X.X.X.X is the ASA IP address)

1- X.X.X.X SSL server supports weak encryption vulnerability
2- X.X.X.X SSL/TLS Server supports TLSv1.1
3- X.X.X.X Birthday Attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

I'm a beginner in Cisco security, how can I tackle those issues? As far as I'm concerned I'm just handling the ASA, so are those issues related to the firewall itself?

Accepted Solution

Marvin Rhoads
Hall of Fame

#1 can be fixed via configuration. Try:

ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

#2 is unfortunately a limitation of this end-of-sale platform. (They stopped selling the ASA 5520 3-1/2 years ago.) You need a newer version of ASA software (at least 9.3) to get rid of TLS 1.1 in favor of TLS 1.2, and that ASA software release is only available on newer hardware. The 9.3 release notes below show the introduction of TLS 1.2 support:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

#3 can also be fixed via configuration. Try:

ssh cipher encryption high
ssh cipher integrity high
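
An added example, not from the thread and not Cisco's own tooling: an offline audit of the `ssl encryption` line in an ASA running-config that covers points #1 (weak encryption) and #3 (Sweet32) of the scan findings, and prints the cipher list from the accepted answer when a change is needed. It assumes the legacy pre-9.3 ASA keyword set (3des-sha1, rc4-sha1, aes128-sha1, dhe-aes256-sha1 and so on) and the cipher properties in the table; the sample config is constructed. It does not address #2, since the TLS version is a software-release limitation on this platform rather than a config setting.

```python
"""Offline audit of a Cisco ASA 'ssl encryption' line for the cipher problems
raised in the thread: weak encryption (#1) and 64-bit block ciphers (#3, Sweet32)."""
import re

# Legacy (pre-9.3) ASA 'ssl encryption' keywords mapped to
# (cipher name, block size in bits or None for stream/null, reason to flag or None).
# ASSUMPTION: this keyword set and its properties are the example author's table,
# not taken from the thread or from Cisco documentation.
CIPHER_PROPS = {
    "null-sha1":       ("NULL",        None, "no encryption at all"),
    "des-sha1":        ("DES-CBC",     64,   "56-bit key and 64-bit block (Sweet32)"),
    "3des-sha1":       ("3DES-CBC",    64,   "64-bit block cipher (Sweet32)"),
    "rc4-md5":         ("RC4",         None, "RC4 stream cipher with MD5 MAC"),
    "rc4-sha1":        ("RC4",         None, "RC4 stream cipher"),
    "aes128-sha1":     ("AES-128-CBC", 128,  None),
    "aes256-sha1":     ("AES-256-CBC", 128,  None),
    "dhe-aes128-sha1": ("AES-128-CBC", 128,  None),
    "dhe-aes256-sha1": ("AES-256-CBC", 128,  None),
}

# The cipher list from the accepted answer: AES only (128-bit block), DHE preferred.
HARDENED_LINE = "ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1"

SSL_ENC_RE = re.compile(r"^\s*ssl encryption\s+(.+?)\s*$")


def parse_ssl_encryption(config_text):
    """Return the keyword list of the last 'ssl encryption' line, or None if absent."""
    ciphers = None
    for line in config_text.splitlines():
        m = SSL_ENC_RE.match(line)
        if m:
            ciphers = m.group(1).split()
    return ciphers


def audit_ssl_encryption(config_text):
    """Audit one running-config. Returns a dict with:
       ciphers   - configured keywords (None when the line is absent)
       findings  - list of (keyword, reason) in configured order
       sweet32   - True if any 64-bit block cipher is enabled
       weak      - True if anything at all was flagged
       recommend - HARDENED_LINE when a change is needed, else None
    """
    ciphers = parse_ssl_encryption(config_text)
    findings = []
    sweet32 = False
    if ciphers is None:
        # ASSUMPTION: with no explicit line the platform default list applies, which on
        # legacy releases includes 3DES and RC4, so the absence itself is reported.
        findings.append(("<default>", "no 'ssl encryption' line; platform default list applies"))
        sweet32 = True
    else:
        for kw in ciphers:
            props = CIPHER_PROPS.get(kw.lower())
            if props is None:
                findings.append((kw, "unrecognised keyword, review manually"))
                continue
            _name, block_bits, reason = props
            if block_bits == 64:
                sweet32 = True
            if reason:
                findings.append((kw, reason))
    return {
        "ciphers": ciphers,
        "findings": findings,
        "sweet32": sweet32,
        "weak": bool(findings),
        "recommend": HARDENED_LINE if findings else None,
    }


# Constructed sample: a fragment of an ASA 5520 running-config before hardening.
SAMPLE_CONFIG = """\
hostname asa5520
ssl encryption 3des-sha1 rc4-sha1 aes128-sha1 aes256-sha1
"""


def report(config_text):
    """Print a human-readable summary for one config and return the printed lines."""
    r = audit_ssl_encryption(config_text)
    lines = ["configured: %s" % (" ".join(r["ciphers"]) if r["ciphers"] else "<none>")]
    for kw, reason in r["findings"]:
        lines.append("  FLAG %-16s %s" % (kw, reason))
    lines.append("sweet32 exposure: %s" % r["sweet32"])
    lines.append(("apply: " + r["recommend"]) if r["recommend"] else "no change needed")
    for text in lines:
        print(text)
    return lines


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
    print("--- after applying the accepted answer ---")
    report(SAMPLE_CONFIG.replace(
        "ssl encryption 3des-sha1 rc4-sha1 aes128-sha1 aes256-sha1", HARDENED_LINE))
```

Run it against the output of `show running-config ssl` saved to a file; the point of the `sweet32` flag is that any 64-bit block cipher left in the list keeps finding #3 open even when the rest of the list is AES, and that the accepted answer's line clears it because it contains no 3DES at all.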


Thanks for the input. Does the step three configuration affect his traffic, as in would some servers stop working? Do I need downtime to apply those changes?

You're welcome.

The suggested settings only affect traffic terminating on the ASA itself - not traffic through the ASA.

That said, if your environment is such that you have change control and maintenance windows, I always recommend doing any maintenance (other than immediate break-fix) in an approved change control window. That way the potential impact of any changes is well-communicated. I do this even when no impact is anticipated.

#3 - this is coming on a Cisco 3850 switch.

How do I resolve this? Please help. The above two commands don't help on the switch.
