Just an update. We had to add back in :DES on our Outbound SMTP. Had a mail server that we could not sent to and they wouldn't check their ciphers. What security cipher impact will I have by allowing DES again.
I'll give that a shot. Not sure of what the other system is running. The person I'm dealing with is "hell bent" on it's a Cisco problem not be able to "train down" from TLS1.2 to TLSv1. Tried to explain many times that it was a cipher problem, but got the typical "My system, my rule" game.
Normally what I've been doing is grepping the ip address and then doing a grep on the icid and it will show a "no shared cipher" error. I take a sceenshot and email it to them. Most of the time that works.
The error that I was seeing in my logs was "Network Error". As soon as I put in 3DES in my ciphers, I was able to send TLS to them. I don't want to have 3DES in the cipher as the one that I was using was very secure. Just trying to find out the impact of have 3DES on.
I did see those errors as well but also saw the "no shared cipher" error. I'm a cipher newb and don't know much about all this stuff. Still learning.
SSLLabs has a document and it states:
3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients.
Thanks for the info. No expert on ciphers either. I know that I was able to pass our PCI testing with the ciphers that I posted here. Not sure now what's going to happen on the next scan. Probably have to create an exception, which sucks.
I have it at the end of my allowed ciphers, but until this other site upgrades the mail product so that it supports TLS1.2 or better ciphers, I guess I'm stuck having 3DES for now.
Show Name: Thoughts on Security at Cisco Live US 2018 in Orlando
Contributors: Kevin Klous, David White Jr., Aaron Woland, Jeff Fanelli
Posting Date: June 2018
Description: The team goes on-site in the Cisco Live Speaker room in...
RADIUS and Symantec VIP.
I will use screenshots of ASDM, and at the end I will add the required CLI commands. the diagram below show a diagram of the steps the FW goes through when using 2FA authentication:
As you can see in Fig. 1&nbs...