Solved: Recommendation VPN SSL without encryption RC4

RICARDO SANCHEZ · ‎10-31-2013

Hi

Actually I´m using Annyconnect in ASA with SSL RC4 Cipher Suites Supported, by vulnerability it is recommended to use encryption without RC4.

The question is the next, there is a document that show the best practice or recommendations to do that?, I don´t know if there is an impact in this change or if this is supported in the code.

Regards

Ricardo

Marcin Latosiewicz · ‎10-31-2013

Ricardo,

The recommendations:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html#15

The impact is typically two fold:

- Will all the clients/browsers support new ciphers

- How much computational overhead will be introduced.

ASA side there's a crypto chip which is quite efficent at handling crypto in general.

If your clients support it look into enabling DHE based ciphers.

I do not think there is one big best practices doc avilable, one needs to know a bit more about the environment.

M.

View solution in original post

Marcin Latosiewicz · ‎10-31-2013

Ricardo,

The recommendations:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html#15

The impact is typically two fold:

- Will all the clients/browsers support new ciphers

- How much computational overhead will be introduced.

ASA side there's a crypto chip which is quite efficent at handling crypto in general.

If your clients support it look into enabling DHE based ciphers.

I do not think there is one big best practices doc avilable, one needs to know a bit more about the environment.

M.

RICARDO SANCHEZ · ‎11-29-2013

Marcin

We chance the encryption to aes128-sha1 and is operating correctly.

Thanks for your help

regards