Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Forward Secrecy Ciphers

  • 1.  Forward Secrecy Ciphers

    Posted Aug 13, 2024 02:57 AM

    I have various Aruba switches, 3810M's, 2930f's which I need to enable forward secrecy ciphers on. Where do I start?



  • 2.  RE: Forward Secrecy Ciphers

    Posted Aug 13, 2024 03:05 AM

    You would start by defining (or finding out) for which features encryption is used in your switch/your environment, what is the current setting, from there find out if/where you need to change configuration.

    There is a good chance that Forward Secrecy is already used, you may need to disable some older ciphers if you need to protect against a crypto downgrade attack, but it fully depends on what you need/want to achieve. Forward Secrecy is not a feature that you enable.

    As crypto may look complex if you are not familiar with it, it may be good to consult your Aruba partner to make sure that you do the correct things to meet your requirements.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Forward Secrecy Ciphers

    Posted Aug 13, 2024 06:30 AM

    Hi,

    To add context to the topic.

    This is following on from a Pentest. The requirements are below

    Disable all weak ciphers and support for SSLv3. Only TLS1.2 or later protocol versions should be used with AEAD (Authenticated Encryption with Additional Data). The following cipher suites are recommended:

    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_ECCPWD_WITH_AES_128_GCM_SHA256
    • TLS_ECCPWD_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256

    Regards

    Kevin





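A defender-side check that applies the requirement quoted above (TLS 1.2 or later, forward secrecy, AEAD) to the cipher suites a scanner reports for a service such as the switch's HTTPS port. This is an added example, not code from the post or from HPE Aruba; it assumes IANA-style suite names and, because the recommended list includes them, counts TLS_ECCPWD suites as forward secret.

```python
import re
# Key-exchange tokens that derive an ephemeral, forward-secret session key. ECCPWD
# (RFC 8492 PAKE) is counted because the list above recommends it (an assumption).
FORWARD_SECRET_KX = {"ECDHE", "DHE", "ECCPWD"}
AEAD_MODES = ("GCM", "CCM", "POLY1305")
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
TLS13_SUITE = re.compile(r"TLS_(AES_\d{3}_(GCM|CCM|CCM_8)|CHACHA20_POLY1305)_SHA\d{3}")

def classify(suite: str) -> dict:
    """Classify an IANA cipher-suite name by forward secrecy and AEAD use."""
    name = suite.strip().upper()
    m = re.fullmatch(r"TLS_([A-Z0-9_]+?)_WITH_.+", name)
    if TLS13_SUITE.fullmatch(name):
        kx = "TLS1.3"  # no kx token in the name: TLS 1.3 is always (EC)DHE
    elif m:
        kx = m.group(1).split("_")[0]  # ECDHE from ECDHE_ECDSA, RSA from RSA, ...
    else:
        raise ValueError(f"unrecognised suite name: {suite}")
    return {"suite": suite, "key_exchange": kx,
            "forward_secret": kx == "TLS1.3" or kx in FORWARD_SECRET_KX,
            "aead": any(mode in name for mode in AEAD_MODES)}

def audit(offered: dict) -> list:
    """Check a {protocol_version: [suites]} scan result; return one finding per failure."""
    findings = []
    for version, suites in offered.items():
        if version not in ALLOWED_VERSIONS:
            findings.append(f"{version}: protocol version below TLS 1.2 must be disabled")
            continue
        for c in map(classify, suites):
            problems = []
            if not c["forward_secret"]:
                problems.append(f"no forward secrecy ({c['key_exchange']} key exchange)")
            if not c["aead"]:
                problems.append("not AEAD")
            if problems:
                findings.append(f"{version}: {c['suite']}: " + "; ".join(problems))
    return findings

# Constructed sample scan result, not taken from any real device.
SAMPLE_SCAN = {
    "SSLv3": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLSv1.2": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",            # static RSA + CBC: fails both checks
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",     # forward secret, but not AEAD
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  # AEAD, but static ECDH: no forward secrecy
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # passes
    ],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],         # passes
}
```

Running `audit(SAMPLE_SCAN)` yields four findings: the SSLv3 listener and the three TLS 1.2 suites that lack forward secrecy, AEAD, or both.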

  • 4.  RE: Forward Secrecy Ciphers

    Posted Aug 13, 2024 09:36 AM

    On which specific feature was this pentest requirement? On which service did they detect non-compliant ciphers, and which non-compliant ciphers were detected?

    Your question cannot be enabled generically.

    A good start may be the ArubaOS-Switch hardening guide.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Forward Secrecy Ciphers

    Posted Sep 05, 2024 05:17 AM

    Hi Herman,

    Apologies for the delay in coming back to you. 

    This particular pentest was referring to access to port 443 and 22.

    I have gone through the hardening document and have taken on board some suggestions.