I need to filter out all SSL Downgrade requests

ryderse69
Level 1

I am looking for a way to filter out all SSL Downgrade attempts for traffic passing through my FWSMs and/or ASAs. 

This traffic (the request to downgrade to a weaker cipher) is sent in the clear so this should be filterable by a FW somehow. 

I found this Cisco IPS rule that alerts when such traffic is encountered:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5891&signatureSubId=1&softwareVersion=6.0&releaseVersion=S866

How can I filter out all SSL downgrade attempts for traffic flowing through an FWSM or ASA? This should be possible. 

Thank you in advance:

-SR


6 Replies

ryderse69
Level 1

I found a similar discussion on Sonicwall that includes some packet capture info but I can't tell yet what I can filter on. 

I'm told that in the client hello an export cipher (weaker cipher) is where the downgrade request is sent to the server. 

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=792


Hi,

For the traffic flowing through, i need to see if that is possible. 

Above was for traffic destined to the FW.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

If you could check, that would be extremely helpful. 

Thank you. 

Official word from TAC is that this must be done with an IPS. This cannot be done on an ASA/FWSM without one. 

I had hoped to use some inspect rules or the like but I guess not :-/. 


Kanwaljeet Singh
Cisco Employee

Hi,

You can only configure selected ciphers on ASA so that only those are negotiated during the SSL handshake. Any attempt to negotiate on weak ciphers or the ones not included in the cipher list would fail.

ssl encryption xxxxx xxxxx

Regards,

Kanwal

Note: Please mark answers if they are helpful.
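The two points made in this thread, that an export (40-bit) cipher offered in the cleartext ClientHello is what a downgrade attempt looks like on the wire, and that a device terminating SSL with a restricted cipher list simply fails the handshake when nothing acceptable is offered, can be shown with a small parser. The following is an added example, not code from the original thread or from Cisco: it constructs minimal TLS 1.0 ClientHello records inline (constructed sample input, not captured packets), pulls the cipher_suites list out of the handshake, flags export and NULL suites by their RFC 2246/4346 code points, and models server-side selection against an allowed list. The `negotiate` function is a simplified model of how a restricted cipher list behaves, not the ASA's actual implementation.

```python
import struct

# Cipher suite code points from RFC 2246 / RFC 4346. The *_EXPORT_* suites
# are the 40-bit "export" suites a downgrade pushes a client toward; the NULL
# suites provide integrity only, no confidentiality.
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# Suites a server of that era would keep on its allowed list (RFC names).
STRONG_SUITES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message type


def build_client_hello(cipher_suites, version=(3, 1)):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample input,
    not a capture): zeroed random, empty session id, null compression, no extensions."""
    body = bytes(version) + bytes(32)                     # client_version + random
    body += b"\x00"                                       # session_id length = 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites vector
    body += b"\x01\x00"                                   # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a record carrying a
    ClientHello; raise ValueError for anything that is not a well-formed one."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    off = 2 + 32                                          # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len                                    # skip session_id
    if off + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if suites_len % 2 or off + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off, off + suites_len, 2)]
    return client_version, suites


def weak_suites_offered(record):
    """Names of export/NULL suites offered in a ClientHello: the part of the
    exchange an IPS can match on, because it is sent before any encryption."""
    _, suites = parse_client_hello(record)
    return [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES]


def negotiate(record, server_allowed):
    """Server-side choice in server preference order, as a restricted cipher list
    on the terminating device behaves: the chosen suite id, or None when the
    client offered nothing on the list (the handshake then fails)."""
    _, offered = parse_client_hello(record)
    for suite in server_allowed:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    normal = build_client_hello([0x0035, 0x002F, 0x000A])
    downgraded = build_client_hello([0x0003, 0x0008, 0x002F])
    export_only = build_client_hello([0x0003, 0x0008])
    print("normal offers weak:", weak_suites_offered(normal))
    print("downgraded offers weak:", weak_suites_offered(downgraded))
    print("export-only vs restricted server:", negotiate(export_only, list(STRONG_SUITES)))
    print("export-only vs permissive server:", hex(negotiate(export_only, [0x0003, 0x0035]) or 0))
```

The last two calls show the point Kanwal makes: with only AES/3DES on the server's list, a client that was pushed to offer export suites gets no match and the handshake fails, while a server that still lists an export suite accepts the downgrade. This only helps for sessions the ASA terminates itself; for transit traffic the offered-suite check is what the IPS signature performs.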

Hi Kanwal

Is this applicable to traffic flowing through the FW or destined to it?

I'm not concerned about traffic destined to the FW, I need to filter out this traffic flowing between hosts connected to the FW. 

Thank you

SR

