02-10-2019 08:14 AM - edited 03-08-2019 05:18 PM
Hi team,
A recent vulnerability scan has detected the following vulnerabilities in our Stealthwatch device (Lancope):
"The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits"
And they have provided the solution as "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater."
I have been working with TAC for a week but have received no positive suggestion yet. Can someone help me get this VA closed? Any suggestion would be much appreciated.
Stealthwatch version is 6.10.3 (SMC and FC).
02-13-2019 08:10 AM
Hi @Mohammed Saleem,
I found this at this link:
Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. It supports 768-bit (the default), 1024-bit, 1536-bit, 2048-bit, 3072-bit, and 4096-bit DH groups. It also supports a 2048-bit DH group with a 256-bit subgroup, and 256-bit and 384-bit elliptic curve DH (ECDH). Cisco recommends using 2048-bit or larger DH key exchange, or ECDH key exchange.
Step 7 | group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}
Example: Router(config-isakmp)# group 14
Specifies the Diffie-Hellman (DH) group identifier. The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Group 14 or higher (where possible) can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.
I hope this can help you.
Regards
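The scanner finding in the first post measures the size of the ephemeral Diffie-Hellman modulus the appliance's TLS service sends during a DHE handshake, which is a different setting from the IKE group quoted above. The script below is an added example (not from the thread, Cisco or the scanner vendor) that reproduces that measurement with openssl s_client and judges it against the 2048-bit remediation target; it assumes OpenSSL 1.0.2 or later, and the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: check the finite-field DH modulus size a TLS service offers,
# which is what the "DH moduli <= 1024 bits" finding measures.
# Assumes openssl 1.0.2+, whose s_client prints a "Server Temp Key:" line.

# Read s_client output on stdin and print the DH modulus size in bits.
# Prints 0 when no finite-field DH key was used (ECDHE or RSA key exchange).
dh_bits_from_sclient() {
    awk '/Server Temp Key: DH,/ { bits = $5 }
         END { print (bits == "" ? 0 : bits) }'
}

# Exit status 0 when the size meets the 2048-bit target, 1 otherwise.
dh_size_ok() {
    [ "$1" -ge 2048 ]
}

# Live check against host:port. Forcing TLS 1.2 and DHE-only suites makes the
# server use its finite-field DH parameters, so the size reported is the one
# the scanner flagged; a server offering no DHE suite at all reports 0.
check_host() {
    bits=$(openssl s_client -connect "$1" -tls1_2 -cipher 'DHE' \
               </dev/null 2>/dev/null | dh_bits_from_sclient)
    if dh_size_ok "$bits"; then
        echo "$1: DH modulus $bits bits - meets the 2048-bit target"
    else
        echo "$1: DH modulus $bits bits - below 2048, matches the finding"
    fi
}

# Constructed samples of the relevant s_client line, for running offline.
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

# Usage: ./dhcheck.sh smc.example.com:443   (placeholder hostname)
if [ -n "$1" ]; then
    check_host "$1"
else
    printf '%s\n' "$SAMPLE_WEAK" | dh_bits_from_sclient   # prints 1024
fi
```

Run it against the SMC and FC management ports the scanner listed; after the appliance is reconfigured with 2048-bit parameters the reported size should rise accordingly.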