Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Ironport Cipher Suites external address allows 56-bit DES

We recently got asked from co worker inside our organization that expressed concerns when he scanned external ip of the Ironport.  The Ironport showed that it allows 56-bit DES ciphers. Should these ciphers be disabled or removed because of security concerns?

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Ironport Cipher Suites external address allows 56-bit DES

We normally see null/anonymous ciphers in use when we are contacted for PCI scan vulnerabilities.

Please see the following:

Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E

Article #1785: SSLv3 and TLSv1 Protocol Weak CBC Mode Vulnerability Link: http://tools.cisco.com/squish/24cC5

You'll need to try the @STRENGTH option – which will specify to use the stronger ciphers first.

I would also suggest to use the following:

The "-aNULL" states that it will not accept random ciphers.

> sslconfig

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> inbound

Enter the inbound SMTP ssl method you want to use.

1. SSL v2.

2. SSL v3

3. TLS v1

4. SSL v2 and v3

5. SSL v3 and TLS v1

6. SSL v2, v3 and TLS v1

[5]> 5

Enter the inbound SMTP ssl cipher you want to use.

[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> OUTBOUND

Enter the outbound SMTP ssl method you want to use.

1. SSL v2.

2. SSL v3

3. TLS v1

4. SSL v2 and v3

5. SSL v3 and TLS v1

6. SSL v2, v3 and TLS v1

[5]>

Enter the outbound SMTP ssl cipher you want to use.

[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]>

> commit

Once that is in place – have the security scan re-ran.

6 REPLIES
Cisco Employee

Ironport Cipher Suites external address allows 56-bit DES

We normally see null/anonymous ciphers in use when we are contacted for PCI scan vulnerabilities.

Please see the following:

Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E

Article #1785: SSLv3 and TLSv1 Protocol Weak CBC Mode Vulnerability Link: http://tools.cisco.com/squish/24cC5

You'll need to try the @STRENGTH option – which will specify to use the stronger ciphers first.

I would also suggest to use the following:

The "-aNULL" states that it will not accept random ciphers.

> sslconfig

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> inbound

Enter the inbound SMTP ssl method you want to use.

1. SSL v2.

2. SSL v3

3. TLS v1

4. SSL v2 and v3

5. SSL v3 and TLS v1

6. SSL v2, v3 and TLS v1

[5]> 5

Enter the inbound SMTP ssl cipher you want to use.

[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]> OUTBOUND

Enter the outbound SMTP ssl method you want to use.

1. SSL v2.

2. SSL v3

3. TLS v1

4. SSL v2 and v3

5. SSL v3 and TLS v1

6. SSL v2, v3 and TLS v1

[5]>

Enter the outbound SMTP ssl cipher you want to use.

[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

sslconfig settings:

  GUI HTTPS method:  sslv3tlsv1

  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL

  Inbound SMTP method:  sslv3tlsv1

  Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

  Outbound SMTP method:  sslv3tlsv1

  Outbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

Choose the operation you want to perform:

- GUI - Edit GUI HTTPS ssl settings.

- INBOUND - Edit Inbound SMTP ssl settings.

- OUTBOUND - Edit Outbound SMTP ssl settings.

- VERIFY - Verify and show ssl cipher list.

[]>

> commit

Once that is in place – have the security scan re-ran.

New Member

Re: Ironport Cipher Suites external address allows 56-bit DES

Are these changes recommended?

Could any of these KB cause any downtime to production environment or cause problems with compatability with any email clients?

Thanks,

Don

New Member

Ironport Cipher Suites external address allows 56-bit DES

Hi Don,

A good setting for all cipher settings would be as follows, it excludes all the low, export, null, and CBC ciphers:

  ALL:!EXP:!NULL:!LOW:!3DES

If you have access to a system which can run openssl from the command line then you can test your changes as follows:

  openssl ciphers -ssl3 -tls1 'ALL:!EXP:!NULL:!LOW:!3DES' -v

Mark

New Member

Re: Ironport Cipher Suites external address allows 56-bit DES

Not trying to hijack this forum.

I have enabled FIPS mode on my C670s and ran into some issues where SMTP servers trying to talk to my C670s don't have a FIPS certified cypher and they bomb out during TLS negotiation, they do not successfully switch to a plain text SMTP conversation.  The conversation ends in a TLS error and the mail is not accepted for delivery.

So far my only course of action short of disabling FIPS mode is to configure them in the HAT to not allow TLS completely, or to work with the SMTP server admin to get their server to be able to do a FIPS certified cipher for TLS (I have yet to accomplish this option).

My current understanding is the following ciphers are enabled during FIPS mode:

DHE-RSA-AES256-SHA                    SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-DSS-AES256-SHA                    SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1

AES256-SHA                                       SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-RSA-AES128-SHA                    SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

DHE-DSS-AES128-SHA                    SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1

AES128-SHA                                       SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

EDH-RSA-DES-CBC3-SHA               SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1

EDH-DSS-DES-CBC3-SHA               SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1

DES-CBC3-SHA                                  SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

However, verifying this is difficult as the SSLCONFIG menu gets locked down when FIPS is enabled:

sslconfig settings:

  GUI HTTPS method:  tlsv1

  GUI HTTPS ciphers: FIPS

  Inbound SMTP method:  tlsv1

  Inbound SMTP ciphers: FIPS

  Outbound SMTP method:  tlsv1

  Outbound SMTP ciphers: FIPS:-aNULL

You cannot change server and client methods and cipher suites in the FIPS 140-2

compliance mode.

Just sharing the experience of enabling FIPS mode, anyone else try it?

Re: Ironport Cipher Suites external address allows 56-bit DES

Hi Jason,

You can confirm the ciphers by saving the configuration in FIPS mode.

Are both systems configured to require TLS? If so, no plain text or non-TLS will occur.

I hope this helps.

Regards,

Valter

New Member

Re: Ironport Cipher Suites external address allows 56-bit DES

Thanks Valter, I checked the configuration file and do find where it shows:

sslv2sslv3tlsv1

    RC4-SHA:RC4-MD5:ALL

    sslv2sslv3tlsv1

    RC4-SHA:RC4-MD5:ALL

    sslv3tlsv1

    RC4-SHA:RC4-MD5:ALL

Guess I was hoping to be able to see the exact ciphers that it is using so that I can tell SMTP server admins what they are dealing with.

Prior to going to FIPS I had the IronPort appliances set to (PREFER, NO VERIFY) TLS connections for all sending and receiving connections.  For 99% of the mail this did not cause a problem, but for roughly 1%, they would attempt a TLS connection and then die and no mail would go through.  Even though it was set to PREFER not REQUIRE.   I don't know if it is a bug in Cisco IronPort and how they are handling TLS or in the SMTP servers that I had this problem with, but setting it to not require or prefer a TLS connection has resolved it everytime making me think that the other party did not have a TLS requirement.

Thank you for your input, it does help.

3160
Views
0
Helpful
6
Replies
CreatePlease to create content