
Configuring SSHD cipher suites in NIOS 8.x

JKattner

This post discusses the easily overlooked option of modifying SSHD cipher selection in NIOS 8.x.

 

One configuration option that is common amongst security conscious customers is the ability to modify cipher suite usage in NIOS. Infoblox makes every attempt to ship NIOS in a secure configuration, but as security vulnerabilities are discovered, through administrator configuration, or for customers who have upgraded their Infoblox Grids over a long period of time, an enabled option may no longer be desirable. As NIOS is a hardened OS, administrators used to require software upgrades from Infoblox to modify advanced features such as cipher suites. This changed in NIOS 8.0 with the introduction of new CLI commands to work with TLS ciphers. Usage of that feature is documented in Frank Hecker’s excellent post:

 

https://community.infoblox.com/t5/Security/Configuring-TLS-1-2-and-ciphersuites-in-NIOS-8-0/m-p/8122...

 

It's a small note, but in the Administrators Guide, Chapter 1, “SSL and TLS Protocols” it says ... "enabling or disabling the TLS ciphers will enable or disable the equivalent SSHd cipher." ... And then presents a table which has the mappings:

 

[Picture1.png: table from the Administrators Guide mapping each TLS Suite Name to its SSHD cipher]

 

 

 

 The key to understanding how to toggle a specific SSHD cipher is using the table in the Administrators Guide to map the TLS Suite Name to the SSHD cipher. Although they serve different protocols (TLS vs SSH), the suite is tied back to both, and NIOS displays the TLS Suite Name. Knowing those pieces of information, we can then toggle the desired SSHD cipher on or off, when we turn the corresponding TLS Suite Name on or off.

 

Before starting, you should note the settings you currently use and have backups in place. Modifying cipher selection can affect HTTPS/SSH access, and you want to be able to validate each step as you work through the process.

 

  1. Validate if we are using default, or custom settings:

 

Infoblox > show ssl_tls_settings

SSL/TLS settings: default

Use 'ssl_tls_protocols' and 'ssl_tls_ciphers' to see current settings

 

  2. Note the current TLS configuration:

 

Infoblox > show ssl_tls_protocols

TLSv1.0 TLSv1.1 TLSv1.2

 

  3. Verify which cipher suites are used:

 

Infoblox > show ssl_tls_ciphers

  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
  10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
  11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
  12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
  13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 

     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_RSA_WITH_RC4_128_SHA            disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled

 

 

For the purpose of discussion, let’s say that during a security audit you are asked to look at SSH for potential security issues. Reviewing the output of the network scan and validating with ‘show ssl_tls_ciphers’, you see that TLS_RSA_WITH_RC4_128_SHA is enabled, and likewise so is arcfour128 in SSH. You are asked by your security team to disable arcfour128 for SSH.

 

 

  1. Log on to the Infoblox Grid Master using the CLI, with an administrative account.

 

  2. Now we need to verify what ciphers are running, and pay attention to their ID #:

 

Infoblox > show ssl_tls_ciphers

  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
  10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
  11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
  12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
  13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 
  14. TLS_RSA_WITH_RC4_128_SHA            enabled 

     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled

 

 

  3. We review the table in the Administrators Guide and find arcfour is associated with TLS_RSA_WITH_RC4_128_SHA, which is enabled using ID 14.

 

  4. Review the output of ‘show ssl_tls_settings’. If we are at ‘default’, we first need to override defaults. If the settings are already overridden, you can skip this step:

 

Infoblox > set ssl_tls_settings override

 

  5. As we noted above, TLS_RSA_WITH_RC4_128_SHA uses ID #14, so to turn it off, issue the following command:

 

Infoblox > set ssl_tls_ciphers disable 14

TLS_RSA_WITH_RC4_128_SHA was disabled

The following services need to be restarted manually: GUI

 

  6. Validate that it is no longer enabled:

 

Infoblox > show ssl_tls_ciphers

  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled 
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled 
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled 
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled 
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled 
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled 
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled 
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled 
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled 
  10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled 
  11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled 
  12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled 
  13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled 

     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
     TLS_RSA_WITH_RC4_128_SHA            disabled

 

Note that it may take NIOS a few moments to implement the change when it reconfigures the service. You will want to check that your management access through both SSH and HTTPS is working since, as noted above, you are toggling both of the ciphers associated with the TLS Suite Name.
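As an added example (not code from the post above or from Infoblox), the following Python script parses a ‘show ssl_tls_ciphers’ listing in the format quoted in the post, picks out the enabled suites an audit would typically flag, and emits the matching ‘set ssl_tls_ciphers disable N’ commands with the highest ID first. The sample listing is constructed, the weak-suite patterns are a placeholder policy, and the renumbering modelled in simulate_disable is an assumption drawn from the listings in the post (disabled suites carry no ID), not documented NIOS behaviour; the RC4 to arcfour128 pairing is the only SSHD mapping the thread states, so SSHD_EQUIVALENT must be completed from the Administrators Guide table for your release.

```python
import re

# Constructed sample in the format of the 'show ssl_tls_ciphers' listing quoted in the
# post (not real device output): only enabled suites carry a sequential ID.
SAMPLE_LISTING = """\
  1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
  2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
  3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA    enabled
  4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA    enabled
  5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
  6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
  7. TLS_RSA_WITH_AES_128_GCM_SHA256     enabled
  8. TLS_RSA_WITH_AES_128_CBC_SHA        enabled
  9. TLS_RSA_WITH_AES_128_CBC_SHA256     enabled
  10. TLS_RSA_WITH_3DES_EDE_CBC_SHA       enabled
  11. TLS_RSA_WITH_AES_256_GCM_SHA384     enabled
  12. TLS_RSA_WITH_AES_256_CBC_SHA        enabled
  13. TLS_RSA_WITH_AES_256_CBC_SHA256     enabled
  14. TLS_RSA_WITH_RC4_128_SHA            enabled
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA    disabled
     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA    disabled
     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
"""

LINE_RE = re.compile(
    r"^\s*(?:(?P<id>\d+)\.\s+)?(?P<suite>TLS_[A-Z0-9_]+)\s+(?P<state>enabled|disabled)\s*$"
)

# Placeholder audit policy: substrings that mark a suite as one to switch off.
WEAK_PATTERNS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")

# TLS suite -> SSHD cipher toggled with it. The thread only names the RC4 pair;
# fill in the rest from the Administrators Guide table for your NIOS release.
SSHD_EQUIVALENT = {"TLS_RSA_WITH_RC4_128_SHA": "arcfour128"}


def parse_cipher_listing(text):
    """Turn the CLI listing into dicts: {'id': int|None, 'suite': str, 'enabled': bool}."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "id": int(m["id"]) if m["id"] else None,
                "suite": m["suite"],
                "enabled": m["state"] == "enabled",
            })
    return entries


def weak_enabled(entries, patterns=WEAK_PATTERNS):
    """Enabled suites matching any weak pattern, e.g. the RC4 suite that drags arcfour128 along."""
    return [e for e in entries if e["enabled"] and any(p in e["suite"] for p in patterns)]


def plan_disable_commands(entries, patterns=WEAK_PATTERNS):
    """Emit 'set ssl_tls_ciphers disable N' commands, highest ID first.

    Only enabled suites are numbered, so the IDs below a suite you disable may
    shift once it is gone. Working from the top down keeps every remaining ID
    pointing at the suite it was read from, whether or not NIOS renumbers.
    Still re-run 'show ssl_tls_ciphers' after each command to confirm.
    """
    targets = sorted(weak_enabled(entries, patterns), key=lambda e: e["id"], reverse=True)
    return [f"set ssl_tls_ciphers disable {e['id']}" for e in targets]


def simulate_disable(entries, cipher_id):
    """Model of the CLI (assumption, not documented NIOS behaviour): disable the numbered
    suite, then renumber the remaining enabled suites 1..N in listing order."""
    if not any(e["id"] == cipher_id for e in entries):
        raise ValueError(f"no enabled suite with ID {cipher_id}")
    updated, next_id = [], 1
    for e in entries:
        enabled = e["enabled"] and e["id"] != cipher_id
        updated.append({"id": next_id if enabled else None, "suite": e["suite"], "enabled": enabled})
        next_id += 1 if enabled else 0
    return updated


def apply_disable_sequence(entries, ids):
    """Run IDs through simulate_disable in order; return (final_entries, ids_not_found)."""
    missed = []
    for cipher_id in ids:
        try:
            entries = simulate_disable(entries, cipher_id)
        except ValueError:
            missed.append(cipher_id)
    return entries, missed


def sshd_ciphers_affected(entries, patterns=WEAK_PATTERNS):
    """SSHD cipher names switched off together with the planned TLS suites (known mappings only)."""
    return [SSHD_EQUIVALENT[e["suite"]] for e in weak_enabled(entries, patterns)
            if e["suite"] in SSHD_EQUIVALENT]


if __name__ == "__main__":
    listing = parse_cipher_listing(SAMPLE_LISTING)
    for cmd in plan_disable_commands(listing):
        print(cmd)
    print("SSHD ciphers also disabled:", sshd_ciphers_affected(listing))
```

The descending order matters: in the sample, disabling ID 10 (3DES) before ID 14 (RC4) would, if NIOS renumbers, shift RC4 to ID 13 and leave ID 14 pointing at nothing, so the RC4 suite and arcfour128 would stay enabled.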

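To confirm the SSH side independently of what the NIOS CLI reports, the following added example (again not from the post or from Infoblox) performs the SSH version exchange and decodes the server's SSH_MSG_KEXINIT as laid out in RFC 4253 to list the ciphers the server still offers. fetch_server_kexinit needs network access to the Grid Master and is not exercised offline; the SAMPLE_SERVER_KEXINIT it is demonstrated against is constructed, not captured from NIOS, and WEAK_SSH_CIPHERS is a placeholder policy.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Name-lists in SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Placeholder audit policy: ciphers most scanners flag as weak.
WEAK_SSH_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"}


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(cookie=bytes(16), **lists):
    """Build a KEXINIT payload; used here only to construct a sample server message."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_LISTS:
        payload += _name_list(lists.get(name, []))
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {list_name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # message number + 16-byte cookie
    lists = {}
    for name in KEXINIT_LISTS:
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[name] = raw.split(",") if raw else []
    return lists


def weak_ciphers_offered(kexinit, weak=WEAK_SSH_CIPHERS):
    """Weak ciphers the server advertises in either direction, sorted for stable output."""
    offered = set(kexinit["encryption_algorithms_client_to_server"])
    offered |= set(kexinit["encryption_algorithms_server_to_client"])
    return sorted(offered & weak)


def _read_exact(stream, n):
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live probe: exchange version strings, then read and decode the server's KEXINIT.
    Before key exchange the binary packet is unencrypted: uint32 packet_length,
    byte padding_length, payload, padding (RFC 4253, section 6)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-cipheraudit\r\n")
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = stream.readline()
        (packet_length,) = struct.unpack(">I", _read_exact(stream, 4))
        padding_length = _read_exact(stream, 1)[0]
        payload = _read_exact(stream, packet_length - padding_length - 1)
        return parse_kexinit(payload)


# Constructed sample of a server still offering RC4 and 3DES (not captured from NIOS).
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes128-ctr", "aes256-ctr", "arcfour128", "3des-cbc"],
    encryption_algorithms_server_to_client=["aes128-ctr", "aes256-ctr", "arcfour128", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    import sys
    kexinit = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(SAMPLE_SERVER_KEXINIT)
    print("weak ciphers offered:", weak_ciphers_offered(kexinit) or "none")
```

Run it with the Grid Master's address as the first argument before and after the ‘set ssl_tls_ciphers disable’ step; arcfour128 should drop out of the offered list once the RC4 suite is disabled and the service has been restarted. Reading the KEXINIT rather than attempting a login keeps the check free of credentials and works from any host that can reach port 22.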
Re: Configuring SSHD cipher suites in NIOS 8.x

SBarringer

If we change this setting on the Grid Manager is it replicated to all grid members or does this need managing individually on each member?

Re: Configuring SSHD cipher suites in NIOS 8.x

JKattner

@SBarringer wrote:

If we change this setting on the Grid Manager is it replicated to all grid members or does this need managing individually on each member?


Hi,

 

You can only set this on the Grid Master; it does not need to be done on individual members. If you try to configure it on another member, it will return an error.

 

Infoblox > show ssl_tls_ciphers
 
ERROR: This setting may only be changed on the active MASTER.

 
