how to enable CTR or GCM cipher mode encryption in cisco Prime

Hi,

As per the report generated by infosec, my Cisco Prime is having CBC mode ciphers, which may allow an attacker to recover the plaintext message from the ciphertext.

Can someone help me with how I can disable CBC and enable CTR or GCM ciphers in my Cisco Prime v3.2?
7 REPLIES
Rising star

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

- Not possible.

M.

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

Why not possible? These would be a solution for this. I just want to know the reason, Marce.

Rising star

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

> Why not possible? These would be a solution for this. I just want to know the reason, Marce.

- Summarizing: Cisco Prime is considered to be an appliance, whether a virtual machine or a physical appliance. An appliance offers the services it was designed for but cannot be altered. That doesn't mean that it is not aware of security issues and it can evolve or become better, more security aware, in newer versions. The task is then to analyze the problem versus the latest version of Prime and/or file a product enhancement request, if so desired. If the problem is urgent, a ticket can be opened at Cisco (TAC).

M.

Contributor

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

Look at this document:

Cisco Prime Infrastructure 3.2 Common Criteria Configuration Guide

4.3 Restrict Web GUI Ciphers. The TOE evaluated configuration allows only ECDHE and DHE ciphers to be available from the Web GUI. To enable only ECDHE and DHE ciphers, the administrator must run this command:

admin# ncs run tls-server-ciphers tls-ecdhe tls-dhe

The ciphers will be restricted to this list below:

o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

So you need the top ciphers setting?

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

Yes. I want to configure strong ciphers. Please find below the VA highlighted by my infosec team:

"The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions:"

And suggest.

Contributor

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

The document I referenced mentions:

Note: By default the TOE supports the following ciphersuites for the TLS client and is not configurable:

(same list as earlier post)

-> in 3.2 you cannot disable the CBC ciphers, they stay enabled!

So you can only pay attention that the client uses the GCM cipher to prevent attackers from intercepting and "recovering the plaintext".

The CBC options remain available, but you must not use them.

Just like having both telnet and ssh enabled, but only using ssh!
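The cipher list quoted from the Common Criteria guide is the web GUI's TLS list (port 443), and the advice above is that the client, not the appliance, has to be what refuses CBC. The following Python script is an added example, not code from the thread or from Cisco: it offers a server only the GCM suites, then only the CBC suites from that list, and reports which handshakes succeed, and it builds the client-side context that can never pick CBC. The host name `prime.example.net` is a placeholder, and the probe assumes a self-signed appliance certificate, so certificate verification is disabled for the probe only.

```python
"""Check which TLS cipher families a web GUI will still negotiate on port 443.

Added example, not from the original thread or from Cisco. The host name is a
placeholder and the appliance certificate is assumed to be self-signed, so
verification is switched off for the probe only. Standard library only.
"""
import socket
import ssl
import sys

# The eight suites the Common Criteria guide lists for the 3.2 web GUI (IANA names).
PRIME_32_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
]

# The same suites in OpenSSL notation, split by mode, so a client can offer
# exactly one family and see whether the server accepts it.
GCM_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
CBC_ONLY = ("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
            "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
            "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256")


def mode_of(suite):
    """Classify a suite name (IANA or OpenSSL form) by its bulk-cipher mode."""
    s = suite.upper()
    if "GCM" in s or "CCM" in s or "CHACHA20" in s:
        return "AEAD"
    if "CBC" in s or s.endswith(("-SHA", "-SHA256", "-SHA384")):
        return "CBC"  # OpenSSL omits "CBC" from the names of CBC suites
    return "other"


def split_by_mode(suites):
    """Group suite names by mode, e.g. to count how many CBC suites remain."""
    groups = {}
    for s in suites:
        groups.setdefault(mode_of(s), []).append(s)
    return groups


def probe(host, cipher_string, port=443, timeout=5.0):
    """Attempt a TLS 1.2 handshake offering only cipher_string.

    Returns the negotiated suite name, or None if the server refused the
    offer. Pinned to 1.2 because TLS 1.3 suites are negotiated separately and
    are all AEAD, which would mask a CBC suite the 1.2 list still allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probe only; self-signed appliance cert assumed
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def hardened_client_context():
    """The client-side half of the advice above: a context that cannot pick CBC."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(GCM_ONLY)
    return ctx


def client_cipher_modes(ctx):
    """Modes of every suite the context is willing to offer."""
    return sorted({mode_of(c["name"]) for c in ctx.get_ciphers()})


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "prime.example.net"  # placeholder
    for label, offer in (("GCM only", GCM_ONLY), ("CBC only", CBC_ONLY)):
        print(f"{label:9s} -> {probe(host, offer) or 'refused'}")
```

Run it as `python3 tlsprobe.py <appliance>`: if the "CBC only" line shows a negotiated suite, the server still accepts CBC regardless of what the scanner's preferred client picks, which is the situation the reply above describes. Note that this checks the web GUI on 443 only; the finding the infosec team quoted is about the SSH server, which is a separate service with its own cipher list.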

Rising star

Re: how to enable CTR or GCM cipher mode encryption in cisco Prime

- And for your further information, you can also list the available ciphers, whether weak or not, in this or subsequent Prime versions with:

% nmap --script ssl-enum-ciphers -p 443 cisco-prime

M.
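The nmap command above enumerates the TLS ciphers on port 443, while the scanner text quoted earlier is about the SSH server on port 22 (nmap's `ssh2-enum-algos` script covers that side). The following Python script is an added example, not from the thread or from Cisco, that does what the quoted scanner note describes: it reads the server's SSH KEXINIT message, in which the server lists every encryption algorithm it is willing to use, and reports the CBC entries. Because the real handshake needs a live host, the script also builds a constructed KEXINIT sample (not a capture from any appliance) so the parser can be exercised offline.

```python
"""Report the encryption algorithms an SSH server advertises in its KEXINIT.

Added example, not from the original thread or from Cisco. Like the scanner
note quoted earlier, it inspects only the options the server offers, not the
software version. Standard library only; the host is given on the command line.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Order of the name-lists in KEXINIT, RFC 4253 section 7.1.
NAMELIST_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _read_namelist(buf, off):
    """Decode one name-list: uint32 length followed by comma-separated names."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length].decode("ascii")
    return [n for n in raw.split(",") if n], off + length


def _namelist(names):
    """Encode a name-list (used only to build the constructed sample below)."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message id, then the 16-byte random cookie
    fields = {}
    for name in NAMELIST_FIELDS:
        fields[name], off = _read_namelist(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def cbc_ciphers(names):
    """CBC-mode entries in an SSH encryption name-list (what the VA flags)."""
    return [n for n in names if n.endswith("-cbc")]


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange version strings with the server and return its parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:  # servers may send banner lines before the version string
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-cipherprobe\r\n")
        # Binary packet, RFC 4253 section 6: uint32 length, byte padding_length,
        # payload, padding. No MAC yet because no keys have been negotiated.
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)
        payload = body[1:packet_len - body[0]]
        return parse_kexinit(payload)


def build_kexinit(encryption, kex=("curve25519-sha256",),
                  hostkey=("rsa-sha2-256",), mac=("hmac-sha2-256",),
                  compression=("none",)):
    """Build a KEXINIT payload with a zero cookie; for the constructed sample only."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, hostkey, encryption, encryption, mac, mac,
                  compression, compression, (), ()):
        payload += _namelist(names)
    return payload + b"\x00" + struct.pack(">I", 0)


# Constructed sample (not a capture from a real appliance): CTR and GCM are
# offered, but CBC is still advertised, which is exactly what the scanner flags.
SAMPLE_ENCRYPTION = ["aes128-ctr", "aes256-ctr", "aes256-gcm@openssh.com",
                     "aes128-cbc", "aes256-cbc", "3des-cbc"]
SAMPLE_KEXINIT = build_kexinit(SAMPLE_ENCRYPTION)


def offered_and_weak(fields):
    """Return (ciphers offered server-to-client, the CBC subset of them)."""
    offered = fields["encryption_server_to_client"]
    return offered, cbc_ciphers(offered)


if __name__ == "__main__":
    fields = (fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1
              else parse_kexinit(SAMPLE_KEXINIT))
    offered, weak = offered_and_weak(fields)
    print("offered:", ", ".join(offered))
    print("CBC ciphers still enabled:", ", ".join(weak) or "none")
```

Run it as `python3 sshciphers.py <appliance>` to read a live server, or with no argument to parse the constructed sample. An empty "CBC ciphers still enabled" line is what clears the finding; if the list is non-empty, the server still advertises CBC and a client is free to select it, so the only client-side mitigation is to configure SSH clients (for example `ssh -c aes256-ctr` in OpenSSH) to never offer those names.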
