07-15-2013 12:34 AM
Hi
There was a penetration test done on the ESA and below are the details
SOLUTION
Disable any 96-bit HMAC Algorithms.
-------------- how can we disable this in IronPort email?
Disable any MD5-based HMAC Algorithms
-------------- how can we disable this in IronPort email?
SOLUTION
Disable the arcfour (RC4) cipher.
-------------- how can we disable this in IronPort email?
SOLUTION
Disable CBC Mode Ciphers and use CTR Mode Ciphers
-------------- how can we disable this in IronPort email?
Please advise
07-16-2013 08:21 PM
Hello Asim,
SSL protocols and ciphers advertised for incoming Graphical User Interface (GUI) connections can be configured with the sslconfig command; the same goes for inbound and outbound connections:
ironport.example.com> sslconfig
sslconfig settings:
GUI HTTPS method: sslv3
GUI HTTPS ciphers: RC4-SHA
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> gui
Enter the GUI HTTPS ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[2]> 2
Enter the GUI HTTPS ssl cipher you want to use.
[RC4-SHA]>
You can then change the ciphers to the ones you would prefer (require).
For HIGH cipher list ->
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> verify
Enter the ssl cipher you want to verify.
[]> RC4-SHA:RC4-MD5:HIGH
08-12-2013 11:40 PM
Hello All,
Are there any fixes for the above-mentioned vulnerabilities on Cisco IOS for routers and switches?
I don't see any configurable options on Cisco routers and switches so far, but do let me know if there is anything that could be done to fix them.
08-13-2013 08:16 AM
Gulam,
This forum is dedicated to Cisco ESA (Email Security Appliance). I would kindly suggest you post this question in the appropriate forum.
I did some research and I believe the forum is located here
https://supportforums.cisco.com/community/netpro/network-infrastructure/routing
I hope this helps.
-Valter
10-26-2016 12:20 PM
I realize this post is three years old, but it is one of the few regarding SSH ciphers. Why is it mentioned to change SSL GUI settings to fix SSH ciphers? Can SSH ciphers be disabled through SSHD config via the ESA CLI?
10-26-2016 03:35 PM
Hello,
You may choose which ciphers the ESA will use for SSH (CLI) access; whichever is defined will be the ciphers used, from my knowledge. All others are disabled (inactive).
Regards,
Mathew
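A defender-side check for the four findings listed in the original post, as an added example that is not part of any post in this thread and is not Cisco code: it parses the algorithm name-lists from an SSH server's SSH_MSG_KEXINIT payload (layout per RFC 4253, section 7.1) and flags names that match the report. The function names, the name patterns and the BEFORE/AFTER payloads are constructed for illustration.

```python
# Name patterns for the four findings in the pentest report quoted above.
FINDINGS = {
    "96-bit HMAC": lambda n: n.startswith("hmac-") and "-96" in n,
    "MD5-based HMAC": lambda n: n.startswith("hmac-md5"),
    "arcfour (RC4) cipher": lambda n: n.startswith("arcfour"),
    "CBC mode cipher": lambda n: n.split("@")[0].endswith("-cbc"),
}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its algorithm name-lists."""
    if len(payload) < 17 or payload[0] != 20:  # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + length]
        if pos + 4 > len(payload) or len(raw) != length:
            raise ValueError("truncated name-list")
        names = raw.decode("ascii")
        lists[field] = names.split(",") if names else []
        pos += 4 + length
    return lists

def weak_algorithms(payload: bytes) -> list:
    lists = parse_kexinit(payload)
    return [(field, name, finding)  # one tuple per offered weak algorithm
            for field in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")
            for name in lists[field]
            for finding, match in FINDINGS.items() if match(name)]

def build_kexinit(**lists) -> bytes:  # builds constructed sample payloads only
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += len(raw).to_bytes(4, "big") + raw
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved

# Constructed samples: a server offer before and after hardening.
BEFORE = build_kexinit(enc_s2c=["aes128-ctr", "aes128-cbc", "arcfour"],
                       mac_s2c=["hmac-sha1", "hmac-md5", "hmac-sha1-96"])
AFTER = build_kexinit(enc_s2c=["aes128-ctr", "aes256-ctr"],
                      mac_s2c=["hmac-sha1", "hmac-sha2-256"])

if __name__ == "__main__":
    for field, name, finding in weak_algorithms(BEFORE):
        print(f"{field}: {name} -> {finding}")
```

An empty result for the payload captured after the change confirms that none of the four flagged algorithm classes is still offered.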