Diniz Martins

Disable weak ciphers and TLS versions on Cisco FMC

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).


As a best practice, you should configure your servers to support the latest protocol versions to ensure you are using only the strongest algorithms and ciphers, but equally as important is to disable the older versions. Continuing to support old versions of the protocols can leave you vulnerable to downgrade attacks, where hackers force connections to your server to use older versions of the protocols that have known exploits. This can leave your encrypted connections (whether between a site visitor and your web server, machine to machine, etc.) open to man-in-the-middle and other types of attacks.

You might also have seen the recent news that browsers are officially removing support for TLS versions 1.0 and 1.1. That is just another reason to make the switch to TLS 1.2 or 1.3, if you haven't already.


Before you begin: You must make sure that you are running a fully licensed version of the Firepower Management Center. The SSL Settings will be disabled if you are running Firepower Management Center in evaluation mode. Additionally, the SSL Settings will be disabled when the licensed Firepower Management Center version does not meet the export-compliance criteria. If you are using Remote Access VPN with SSL, your Smart Account must have the strong-crypto features enabled.


Procedure:


Step 1

Select Devices > Platform Settings and create or edit a Firepower Threat Defense policy.


Step 2

Select SSL.


Step 3

Add entries to the Add SSL Configuration table.

  1. Click Add to create a new entry, or click Edit if the entry already exists.

  2. Select the required security configurations from the drop-down list.

  • Protocol Version—Specifies the TLS protocols to be used while establishing remote access VPN sessions.

  • Security Level—Indicates the kind of security positioning you would like to set up for the SSL.

Step 4

Select the Available Algorithms based on the protocol version that you select and click Add to include them for the selected protocol. For more information, see About SSL Settings.

The algorithms are listed based on the protocol version that you select. Each security protocol identifies its own set of algorithms for setting up the security level.


Step 5

Click OK to save the changes.



What to do next:

You can click Deploy to deploy the policy to the assigned devices and you can check the result of your change on the websites below:

https://ssltools.digicert.com/checker/views/checkInstallation.jsp

https://globalsign.ssllabs.com/


Or you can use Nmap:
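As an added example (not part of the original post, and not Cisco's own tooling), the small Python script below reads the output of nmap's ssl-enum-ciphers script and reports anything you would not want to see after the policy is deployed: a protocol version below TLS 1.2 still offered, or a cipher suite that nmap grades below A. The nmap output embedded in the script is a constructed sample of a device that still offers TLS 1.0 with a 3DES suite.

```python
import re

# Constructed sample output of `nmap --script ssl-enum-ciphers -p 443 <host>`
# for a device that still offers TLS 1.0 with a 3DES suite (before the fix).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
"""

# Protocol versions that should no longer be offered after the FMC SSL change.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)\s+\(.*?\)\s+-\s+([A-F])\s*$")

def parse_ssl_enum(output):
    """Return {protocol: [(cipher_name, nmap_grade), ...]} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:  # a new protocol section, e.g. "|   TLSv1.0:"
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:  # a cipher line under the current protocol
            result[current].append((m.group(1), m.group(2)))
    return result

def find_weak(parsed):
    """List findings: deprecated protocol versions offered, and suites graded below A."""
    findings = []
    for proto, suites in parsed.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{proto} still offered")
        for name, grade in suites:
            if grade != "A":
                findings.append(f"{proto}: {name} graded {grade}")
    return findings
```

An empty list from find_weak is the result you want to see once the policy has been deployed and the device rescanned.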

