05-21-2015 07:51 PM - edited 03-11-2019 10:58 PM
I am looking for a way to filter out all SSL Downgrade attempts for traffic passing through my FWSMs and/or ASAs.
This traffic (the request to downgrade to a weaker cipher) is sent in the clear so this should be filterable by a FW somehow.
I found this Cisco IPS rule that alerts when such traffic is encountered:
How can I filter out all SSL downgrade attempts for traffic flowing through an FWSM or ASA? This should be possible.
Thank you in advance:
05-21-2015 08:06 PM
I found a similar discussion on Sonicwall that include some packet capture info but I can't tell yet what I can filter on.
I'm told that in the client hello an export cipher (weaker cipher) is where the downgrade request is sent to the server.
05-21-2015 08:15 PM
For the traffic flowing through, i need to see if that is possible.
Above was for traffic destined to the FW.
Note: Please mark answers if they are helpful.
05-21-2015 09:37 PM
If you could check, that would be extremely helpful.
05-22-2015 10:59 AM
Official word from TAC is that this must be done with an IPS. This can not be done on an ASA/FWSM without one.
I had hoped to use some inspect rules or the like but I guess not :-/.
05-21-2015 08:07 PM
You can only configure selected ciphers on ASA so that only those are negotiated during the SSL handshake. Any attempt to negotiate on weak ciphers or the one's not included in cipher list would fail.
ssl encryption xxxxx xxxxx
Note:Please mark answers if they are helpful.
05-21-2015 08:13 PM
Is this applicable to traffic flowing through the FW or destined to it?
I'm not concerned about traffic destined to the FW, I need to filter out this traffic flowing between hosts connected to the FW.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: