Insecurity message with ssh in switch 3850

Leftz (Level 4)

Hi, we have a switch c3850/ver 03.03.01.SE. Now some insecurity message (please see below) was sent to us from Tenable.

The device has the below two commands. Are these two commands the reason for the insecurity? Thank you

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

-------

Message from Tenable:

"The remote service accepts connections encrypted using SSL 2.0 and/or
SSL 3.0. These versions of SSL are affected by several cryptographic
flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle
attacks or to decrypt communications between the affected service and
clients.

Although SSL/TLS has a secure means for choosing the highest supported
version of the protocol (so that these versions will be used only if
the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade
a connection (such as in POODLE). Therefore, it is recommended that
these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure
communications. As of the date of enforcement found in PCI DSS v3.1,
any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'."

4 Replies

@Leftz that message from Tenable is probably referring to the HTTPS server that is enabled on the switch, not SSH.

If you are not using it, you can disable it with "no ip http secure-server"; you can also disable the HTTP server with "no ip http server".
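The distinction Rob draws (the SSLv2/SSLv3 finding belongs to the switch's HTTPS management server, while the two "ip ssh ... algorithm encryption" lines from the question configure SSH and are CTR-only) can be checked mechanically against a saved "show running-config". The script below is an added example for this thread, not code from Cisco, Tenable or either poster. The running-config excerpt, hostname and the function names are constructed for the example; the only lines taken from the thread are the two SSH cipher commands and the "no ip http secure-server" / "no ip http server" remediation. It only sees what is printed in the config text, so a default that IOS does not write out is not detected.

```python
import re

# Constructed running-config excerpt: the two SSH lines quoted in the
# question plus an enabled HTTP/HTTPS management server. Hostname is made up.
SAMPLE_CONFIG = """\
hostname sw-3850-01
!
ip http server
ip http secure-server
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
line vty 0 15
 transport input ssh
"""

# A scanner flags CBC-mode SSH ciphers; CTR (and GCM) names are left alone here.
CBC_SUFFIX = "-cbc"

SSH_ALGO_RE = re.compile(r"^ip ssh (server|client) algorithm encryption (.+)$")


def config_lines(text):
    """Drop blank lines and IOS '!' separators, keep everything else verbatim."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def http_servers(lines):
    """Last-wins parse of the plaintext and TLS management web server state."""
    state = {"http": False, "https": False}
    for ln in lines:
        if ln == "ip http server":
            state["http"] = True
        elif ln == "no ip http server":
            state["http"] = False
        elif ln == "ip http secure-server":
            state["https"] = True
        elif ln == "no ip http secure-server":
            state["https"] = False
    return state


def ssh_ciphers(lines):
    """Map 'server' / 'client' to the configured SSH encryption algorithm list."""
    out = {}
    for ln in lines:
        m = SSH_ALGO_RE.match(ln)
        if m:
            out[m.group(1)] = m.group(2).split()
    return out


def audit(text):
    """Return the web-server state, SSH cipher lists, findings and fix commands."""
    lines = config_lines(text)
    web = http_servers(lines)
    ciphers = ssh_ciphers(lines)
    findings, fixes = [], []
    if web["https"]:
        findings.append("HTTPS management server enabled: an SSLv2/SSLv3 finding "
                        "on this host points at TCP 443, not at SSH")
        fixes.append("no ip http secure-server")
    if web["http"]:
        findings.append("plaintext HTTP management server enabled")
        fixes.append("no ip http server")
    for role, algos in ciphers.items():
        weak = [a for a in algos if a.endswith(CBC_SUFFIX)]
        if weak:
            findings.append(f"ssh {role} allows CBC ciphers: {' '.join(weak)}")
        else:
            findings.append(f"ssh {role} ciphers are CBC-free ({' '.join(algos)}); "
                            "not the cause of an SSL/TLS finding")
    return {"http": web, "ssh_ciphers": ciphers, "findings": findings, "fixes": fixes}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for f in result["findings"]:
        print("-", f)
    print("fix commands:", result["fixes"])
```

Feed it the text of "show running-config" from the switch; the fix list is empty once both web servers are turned off, while a CBC cipher in either SSH line shows up as its own finding so the two classes of issue are never confused.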

Leftz (Level 4)

Hi Rob, thank you very much! I think you are right.

Leo Laohoo (Hall of Fame)

@Leftz wrote:

We have switch c3850/ver 03.03.01.SE.

If the switch's firmware cannot/will not be upgraded, anything else is an exercise in futility.

Leftz (Level 4)

Thank you Leo!
