On which specific feature was this pentest requirement? On which service did they detect non-compliant ciphers, and which non-compliant ciphers were detected?
Your question cannot be enabled generically.
A good start may be the ArubaOS-Switch hardening guide.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 13, 2024 06:29 AM
From: dvdkevin
Subject: Forward Secrecy Ciphers
Hi,
To add context to the topic.
This is following on from a Pentest. The requirements are below:
Disable all weak ciphers and support for SSLv3. Only TLS1.2 or later protocol versions should be used with AEAD (Authenticated Encryption with Additional Data). The following cipher suites are recommended:
• TLS_AES_128_GCM_SHA256
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_ECCPWD_WITH_AES_128_GCM_SHA256
• TLS_ECCPWD_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
Original Message:
Sent: 8/13/2024 3:05:00 AM
From: Herman Robers
Subject: RE: Forward Secrecy Ciphers
You would start by defining (or finding out) for which features encryption is used in your switch/your environment, what is the current setting, from there find out if/where you need to change configuration.
There is a good chance that Forward Secrecy is already used, you may need to disable some older ciphers if you need to protect against a crypto downgrade attack, but it fully depends on what you need/want to achieve. Forward Secrecy is not a feature that you enable.
As crypto may look complex if you are not familiar with it, it may be good to consult your Aruba partner to make sure that you do the correct things to meet your requirements.
------------------------------
Herman Robers
Original Message:
Sent: Aug 12, 2024 10:57 AM
From: dvdkevin
Subject: Forward Secrecy Ciphers
I have various Aruba switches, 3810M's, 2930f's which I need to enable forward secrecy ciphers on. Where do I start?
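
The question asked at the top of the thread (which service, and which non-compliant ciphers) can be answered by sorting a scanner's per-service findings against the requirement quoted above. The following is an added example, not part of the original posts and not Aruba tooling; the function name `assess` is hypothetical and the scan entries are constructed sample data.

```python
# Cipher suites recommended by the pentest requirement quoted in the thread.
RECOMMENDED = set("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECCPWD_WITH_AES_128_GCM_SHA256 TLS_ECCPWD_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
""".split())

AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")
EPHEMERAL_KX = ("ECDHE_", "DHE_")


def assess(protocol, suite):
    """Return (verdict, reasons) for one protocol/suite pair a scanner reported."""
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    # TLS 1.2 names are TLS_<key exchange>_WITH_<cipher>; TLS 1.3 names carry no
    # key exchange because TLS 1.3 certificate handshakes always use (EC)DHE.
    kx, sep, cipher = suite.removeprefix("TLS_").partition("_WITH_")
    if not sep:
        kx, cipher = None, kx
    if not any(marker in cipher for marker in AEAD_MARKERS):
        reasons.append("not an AEAD cipher")
    # Suites on the page's list (including ECCPWD) are taken on the list's word.
    if kx and suite not in RECOMMENDED and not kx.startswith(EPHEMERAL_KX):
        reasons.append(f"key exchange {kx} has no forward secrecy")
    if reasons:
        return "non-compliant", reasons
    if suite in RECOMMENDED:
        return "recommended", []
    return "meets criteria, not on list", []


# Constructed sample scan output (not taken from any real switch).
SCAN = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]

if __name__ == "__main__":
    for protocol, suite in SCAN:
        verdict, reasons = assess(protocol, suite)
        print(f"{protocol:8} {suite:45} {verdict} {'; '.join(reasons)}")
```

The "meets criteria, not on list" verdict matters in practice: the recommended list names only ECDSA-authenticated TLS 1.2 suites, so a service using an RSA certificate can negotiate an AEAD suite with forward secrecy that is still absent from the list.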