Configuring SSHD cipher suites in NIOS 8.x
06-14-2017 11:59 AM
This post discusses the easily overlooked option of modifying SSHD cipher selection in NIOS 8.x.
One configuration option that is common amongst security conscious customers is the ability to modify cipher suite usage in NIOS. Infoblox makes every attempt to ship NIOS in a secure configuration, but as security vulnerabilities are discovered, or through administrator configuration, customers who have upgraded their Infoblox Grids over a long period of time may find that an enabled option is no longer desirable. As NIOS is a hardened OS, administrators used to require software upgrades from Infoblox to modify advanced features such as cipher suites. This changed in NIOS 8.0 with the introduction of new CLI commands to work with TLS ciphers. Usage of that feature is documented in Frank Hecker’s excellent post:
It's a small note, but in the Administrators Guide, Chapter 1, “SSL and TLS Protocols”, it says ... "enabling or disabling the TLS ciphers will enable or disable the equivalent SSHd cipher." ... and then presents a table with the mappings:
The key to understanding how to toggle a specific SSHD cipher is using the table in the Administrators Guide to map the TLS Suite Name to the SSHD cipher. Although they serve different protocols (TLS vs SSH), the suite is tied back to both, and NIOS displays the TLS Suite Name. Knowing those pieces of information, we can then toggle the desired SSHD cipher on or off, when we turn the corresponding TLS Suite Name on or off.
Before starting, you should note the settings you currently use and have backups in place. Modifying cipher selection can affect HTTPS/SSH access, and you want to be able to validate each step as you work through the process.
- Validate if we are using default, or custom settings:
Infoblox > show ssl_tls_settings
SSL/TLS settings: default
Use 'ssl_tls_protocols' and 'ssl_tls_ciphers' to see current settings
- Note the current TLS configuration:
Infoblox > show ssl_tls_protocols
TLSv1.0 TLSv1.1 TLSv1.2
- Verify which cipher suites are used:
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
For the purpose of discussion, let’s say that during a security audit you are asked to look at SSH for potential security issues. Reviewing the output of the network scan and validating with ‘show ssl_tls_ciphers’, you see that TLS_RSA_WITH_RC4_128_SHA is enabled, and likewise so is arcfour128 in SSH. You are asked by your security team to disable arcfour128 for SSH.
- Log on to the Infoblox Grid Master using the CLI, with an administrative account.
- Now we need to verify what ciphers are running, and pay attention to their ID #:
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
14. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
- We review the table in the Administrators Guide and find arcfour is associated with TLS_RSA_WITH_RC4_128_SHA, which is enabled using ID 14.
- Review the output of ‘show ssl_tls_settings’. If we are at ‘default’, we first need to override defaults. If the settings are already overridden, you can skip this step:
Infoblox > set ssl_tls_settings override
- As we noted above, TLS_RSA_WITH_RC4_128_SHA uses ID #14, so to turn it off, issue the following command:
Infoblox > set ssl_tls_ciphers disable 14
TLS_RSA_WITH_RC4_128_SHA was disabled
The following services need to be restarted manually: GUI
- Validate that it is no longer enabled:
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
TLS_RSA_WITH_RC4_128_SHA disabled
Note that it may take NIOS a few moments to implement the change when it reconfigures the service. You will want to check that your management access through both SSH and HTTPS is working, as noted above, since you are toggling both of the ciphers associated with the TLS Suite Name.
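Two checks that go with the procedure above, written here as an added example and not code from the post or from Infoblox. The first parses `show ssl_tls_ciphers` output and derives the numeric argument for `set ssl_tls_ciphers disable <id>` instead of counting lines by eye; it assumes the ID is the entry's 1-based position in the listing, which is consistent with the post (the RC4 suite is the 14th entry and is disabled with ID 14). The second reads the server's SSH_MSG_KEXINIT (RFC 4253, section 7.1) and reports which encryption algorithms the SSH daemon still advertises, so the arcfour128 removal can be confirmed from outside rather than inferred from the TLS listing. The sample listing is constructed and shortened, the set of cipher names flagged as legacy is this example's choice, and `gm.example.net` is a hypothetical host name.

```python
"""Added helpers for the NIOS cipher procedure: derive the `disable <id>` argument
from `show ssl_tls_ciphers` output, and check from outside which SSH ciphers the
Grid Master still offers by reading its SSH_MSG_KEXINIT (RFC 4253, section 7.1)."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Cipher names this example reports as findings. arcfour128 is the one the post's
# audit scenario removes; the rest are chosen here as the same class of legacy cipher.
LEGACY_SSH_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"}

# Constructed, shortened listing in the shape of the post's `show ssl_tls_ciphers` output.
SAMPLE_LISTING = """\
Infoblox > show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
4. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
5. TLS_RSA_WITH_RC4_128_SHA enabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
"""


def parse_cipher_listing(text):
    """Return [(id, suite_name, enabled)] from `show ssl_tls_ciphers` output.

    Assumption: the ID that `set ssl_tls_ciphers disable <id>` expects is the
    entry's 1-based display position, as in the post (RC4 suite = 14th entry = ID 14).
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1] in ("enabled", "disabled") and parts[-2].startswith("TLS_"):
            entries.append((len(entries) + 1, parts[-2], parts[-1] == "enabled"))
    return entries


def disable_command(listing, suite_name):
    """Exact CLI line that turns one suite off, or None if it is already disabled."""
    for cid, name, enabled in listing:
        if name == suite_name:
            return f"set ssl_tls_ciphers disable {cid}" if enabled else None
    raise KeyError(f"{suite_name} not present in listing")


def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated names) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not an SSH_MSG_KEXINIT")
    fields = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
    off, out = 17, {}  # skip 1 byte message type + 16 byte cookie
    for field in fields:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(enc_s2c, enc_c2s=None):
    """Construct a minimal KEXINIT payload (test input only; non-cipher lists are filler)."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], enc_c2s or enc_s2c, enc_s2c,
             ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
    # trailing fields: boolean first_kex_packet_follows + uint32 reserved, all zero
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + b"".join(map(nl, lists)) + b"\x00" * 5


def legacy_ciphers_offered(ciphers):
    """Sorted subset of the offered cipher names that LEGACY_SSH_CIPHERS flags."""
    return sorted(set(ciphers) & LEGACY_SSH_CIPHERS)


def ssh_offered_ciphers(host, port=22, timeout=5.0):
    """Live check: exchange banners, read the server's first packet (its KEXINIT),
    and return the server-to-client encryption algorithms it advertises."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-cipher_probe\r\n")
        stream = sock.makefile("rb")
        while True:  # servers may send free-text lines before the SSH- banner
            line = stream.readline()
            if not line or line.startswith(b"SSH-"):
                break
        packet_len, pad_len = struct.unpack(">IB", stream.read(5))
        body = stream.read(packet_len - 1)  # payload + padding; no MAC before key exchange
        payload = body[:packet_len - 1 - pad_len]
    return parse_kexinit(payload)["enc_s2c"]


if __name__ == "__main__":
    listing = parse_cipher_listing(SAMPLE_LISTING)
    print(disable_command(listing, "TLS_RSA_WITH_RC4_128_SHA"))
    offered = parse_kexinit(build_kexinit(["aes128-ctr", "arcfour128"]))["enc_s2c"]
    print("legacy SSH ciphers offered:", legacy_ciphers_offered(offered))
    # Against a real Grid Master (hypothetical host name), after the change:
    # print(legacy_ciphers_offered(ssh_offered_ciphers("gm.example.net")))
```

Run `ssh_offered_ciphers()` against the Grid Master before and after the `set ssl_tls_ciphers disable` step; the cipher list it returns is what a network scanner sees, so an empty result from `legacy_ciphers_offered()` is the evidence an auditor will accept for the SSH side, independent of what the TLS listing claims.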
Re: Configuring SSHD cipher suites in NIOS 8.x
07-03-2017 05:14 AM
If we change this setting on the Grid Manager is it replicated to all grid members or does this need managing individually on each member?
Re: Configuring SSHD cipher suites in NIOS 8.x
07-10-2017 06:34 AM
@SBarringer wrote:
If we change this setting on the Grid Manager is it replicated to all grid members or does this need managing individually on each member?
Hi,
You can only set this on the Grid Master, it does not need to be done on individual members. If you try to configure on another member, it will return an error.
Infoblox > show ssl_tls_ciphers
ERROR: This setting may only be changed on the active MASTER.