What is the risk of changing the default cipher strength from:

RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT

TO:
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

I see no adverting risk.  You would be just setting the ciphers to use all medium and high strength ciphers, and then not allowing the ones as singled out.

(And of course not allowing null, and preferring strength before weaker)...

You can review the mail_logs to see in time period after change if there were any dropped/not allowed messages due to the ciphers set.  Hopefully senders will be smart enough to be sending properly.

Only risk again is someone sending at one of the disallowed singled out ciphers -- but, again, security on your own side before allowing weaker/threat from outside.

-Robert

The ciphers in question (generated by reporting to have weak SSL ciphers) were the following:
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_WITH_SEED_SHA
SSL3_EDH_RSA_DES_64_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
TLS1_RSA_RC4_128_MD5
TLS1_RSA_RC4_128_SHA
TLS1_EDH_RSA_DES_64_CBC_SHA
TLS1_RSA_DES_64_CBC_SHA

If I wanted to add all those to the "NOT ALLOWED" list of ciphers to be used I would just add them like this -RSA_DES_64_CBC_SHA:-EDH_RSA_DES_64_CBC_SHA:-RSA_RC4_128_SHA and so on by removing the first 5 characters from each?

Correct.

From the following, Alter the Methods and Ciphers Used with SSL/TLS on the ESA

Any of the SSL ciphers that you do not want configured and available should be removed with the "-" option that precedes the specific ciphers. Here is an example:

[]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:
    -EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

The information in this example would negate the NULL, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, and DES-CBC3-SHAciphers from advertisement and prevent their use in the SSL communication.

You can also accomplish similar with the inclusion of the "!" character in front of the cipher group or string that you desire to become unavailable:

[]> MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH

The information in this example would remove all of the RC4 ciphers from use. Thus, the RC4-SHA and RC4-MD5 ciphers would be negated and not advertised in the SSL communication.

If changes are made to the SSL configuration, ensure that you commit any and all changes.

And from earlier portion of the thread ---

Tip: Secure Sockets Laver (SSL) Version 3.0 (RFC-6101) is an obsolete and insecure protocol. There is a vulnerability in SSLv3 CVE-2014-3566 known as Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is tracked by Cisco bug ID CSCur27131 . Cisco recommends that you disable SSLv3 while you change the ciphers, use Transport Layer Security (TLS) only, and select option 3 (TLS v1). Refer to Cisco bug ID CSCur27131  for complete details.

The above note/tip is from, Prevent Negotiations for Null or Anonymous Ciphers on the ESA and SMA

Thank you for your help.  I'm going to play around with the GUI SSL section first and run our scans against that and then change the INBOUND and OUTBOUND when I get the scan to come through clean.

I tried to append the string on the GUI interface like this and it didn't like the underscores.  Do I just replace the underscores with dashes?

MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-RSA_RC4_128_MD5:-RSA_RC4_128_SHA:-RSA_WITH_SEED_SHA:-EDH_RSA_DES_64_CBC_SHA:-RSA_DES_64_CBC_SHA:-RSA_RC4_128_MD5:-RSA_RC4_128_SHA:-EDH_RSA_DES_64_CBC_SHA:-RSA_DES_64_CBC_SHA

I'm not familiar with ciphers.  The below list is what exactly shot out from the report.  Do I just cut off the SSL3_ and put the rest in along with substituting the underscores with dashes?
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_WITH_SEED_SHA
SSL3_EDH_RSA_DES_64_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
TLS1_RSA_RC4_128_MD5
TLS1_RSA_RC4_128_SHA
TLS1_EDH_RSA_DES_64_CBC_SHA
TLS1_RSA_DES_64_CBC_SHA

Do I need to find an open SSL equivalent like here and input that instead?

I've read the cisco docs but it doesn't help me since all I have to go off is a printout someone gave me with the info above.  I need to know if the above need to be converted or just cut off the first 5 characters and replace the underscores with dashes.

Yes, you should the OpenSSL equivalents... I think the "ssl3" and "tls1" are what's breaking it for you.

I'd probably start with unchecking the SSLv3 box, and then using something like this below, and then testing again:

!aNULL:!eNULL:!SSLv2:!SSLv3:!EXP:!RC4:MEDIUM:HIGH:@STRENGTH

No auth null ciphers

No encryption null cyphers

No ssl2, ssl3, export, or RC4...

The ! means, they can't be added back in, no matter what gets appended. (some upgrades to Ironports will append to the ssl list)

add medium and high, sort by strength...

That ought to be more sane and maintainable...

I only have TLS v1/TLS v1.2 checked  for GUI, Inbound, and Outbound.  With your statement above, will that filter out the TLS1_ ciphers I listed as a vulnerability or do I have to find OpenSSL equivalents for the following:

TLS1_RSA_RC4_128_MD5
TLS1_RSA_RC4_128_SHA
TLS1_EDH_RSA_DES_64_CBC_SHA
TLS1_RSA_DES_64_CBC_SHA

Are the first 2 above the same as this?

TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
TLS_RSA_WITH_RC4_128_SHA                RC4-SHA

So I would just put a :-RC4-MD5:-RC4-SHA at the end of your statement?

I really don't want to break mail flow.

do you know what that string for inbound and outbound means?

EDH TLS1.2 allowed
ECDH TLS1.2 allowed
EDH high allowed
EDH medium allowed
ECDH high allowed
ECDH medium allowed
HIGH and MEDIUM allowed
low disabled
export disabled
auth null disabled
all others listed disabled

Does that sum that up???

Yes, your summary looks to be accurate.

why not add :!SSLv2:!SSLv3 to the inbound and outbound that Doug posted as well just to make sure they are not used (even though I have them unchecked)

Doug - Thank you very much.  We made the same changes and our scan came back clean now.