cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1358
Views
5
Helpful
4
Replies
dm2020
Beginner

Recommend Cipher Suites

Hi All,

 

I'm looking at hardening the https server for a number of Cisco devices including IOS-XE for Cat9k switches and WLC.

 

Looking at the devices I can see that the following Cipher Suites can be supported but I'm not sure what the current recommendations are. Are there any from the list that are recommended and ones that should be avoided?

 

3des-ede-cbc-sha Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
aes-128-cbc-sha Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
aes-256-cbc-sha Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
dhe-aes-128-cbc-sha Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
dhe-aes-cbc-sha2 Encryption type tls_dhe_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
dhe-aes-gcm-sha2 Encryption type tls_dhe_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
ecdhe-ecdsa-aes-gcm-sha2 Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 & above) SuiteB ciphersuite
ecdhe-rsa-3des-ede-cbc-sha Encryption type tls_ecdhe_rsa_3des_ede_cbc_sha ciphersuite
ecdhe-rsa-aes-128-cbc-sha Encryption type tls_ecdhe_rsa_with_aes_128_cbc_sha ciphersuite
ecdhe-rsa-aes-cbc-sha2 Encryption type tls_ecdhe_rsa_aes_cbc_sha2(TLS1.2 & above) ciphersuite
ecdhe-rsa-aes-gcm-sha2 Encryption type tls_ecdhe_rsa_aes_gcm_sha2(TLS1.2 & above) ciphersuite
rsa-aes-cbc-sha2 Encryption type tls_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
rsa-aes-gcm-sha2 Encryption type tls_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite

 

Thank you

4 REPLIES 4
omz
VIP Collaborator VIP Collaborator
VIP Collaborator

Hi 

This doc explains and shows the acceptable cipher suites to give you some idea. Use tls 1.2, highest sha and aes where supported.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

 

Screenshot 2020-04-06 at 12.01.40.png

Hi,


Thanks for the response. From what I can see the following ciphers are for tls v1.2 and above and meet Cisco's recommendation of using AES GSM as the the encryption algorithms. Does this look right to you?

 

rsa-aes-gcm-sha2

dhe-aes-gcm-sha2

ecdhe-rsa-aes-gcm-sha2

ecdhe-ecdsa-aes-gcm-sha2

omz
VIP Collaborator VIP Collaborator
VIP Collaborator

Hi 

let's ask an expert - @Marvin Rhoads 

hope Marvin can comment

 

Marvin Rhoads
Hall of Fame Guru

Which ciphers you disable depends on more than just which are the most secure. Often there are larger issues at play such as client compatibility. You need to analyze your environment for such issues. Sometimes in our zeal to make the devices as secure as possible we can inadvertently deny service to legitimate infrastructure users or services thus making the "cure" worse than the "disease".

First ask yourself what are you using the https server for. If it's not in use then simply disable it. If it is in use, what are the clients - e.g. a few other infrastructure devices and applications or a larger end user base? In either case, consider carefully and test compatibility before committing to supporting only the strongest ciphers.

If all your analysis checks out then narrow things down to the strongest mutually compatible ciphersuite - e.g., the Suite B one.

Content for Community-Ad