ProxySG - How to disable export grade ciphers to prevent FREAK attack.

book

Article ID: 168481

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

For SGOS releases prior to 7.2, they are vulnerable in all SSL/TLS interfaces.  Export grade ciphers are enabled by default but can be disabled.

The possible reference to Disable to Disallow other ciphers are well

Resolution

For SGOS 7.2 and later, please refer to the SSL Proxy Best Practices Guide.

For SGOS releases prior to 7.2, change configuration settings to disallow export-grade ciphers for HTTPS Console ( and/or HTTPS Reverse Proxies), SSL Device Profiles, and SSL Client Configuration by CLI.  For SSL Forward Proxy, disallow export ciphers through policy.


Sample CLI commands and policy

For HTTPS Console ( and/or HTTPS Reverse Proxies )

If using HTTPS Reverse Proxies, do same operation to HTTPS Reverse Proxies service as well.
.....
10.106.17.217 - Blue Coat SG300 Series#(config)management-services
10.106.17.217 - Blue Coat SG300 Series#(config management-services)edit HTTPS-Console
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)view
Service Name:   HTTPS-Console
Service:        HTTPS-Console
Attributes:     <None>
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Destination IP    Port Range
<All>             8082              Enabled
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)attribute cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)view
Service Name:   HTTPS-Console
Service:        HTTPS-Console
Attributes:     <None>
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
Destination IP    Port Range
<All>             8082              Enabled
10.106.17.217 - Blue Coat SG300 Series#(config HTTPS-Console)
.....

(For HTTPS Reverse Proxy)

.....
Blue Coat SG300 Series#(config)proxy-services
Blue Coat SG300 Series#(config proxy-services)edit "reverse-proxy-service-name"
Blue Coat SG300 Series#(config "reverse-proxy-service-name")view
Service Name:   "reverse-proxy-service-name"
Service Group:  Reverse Proxy
Proxy:          HTTPS Reverse Proxy
Attributes:     use-adn, adn-byte-cache, adn-compress, byte-cache-priority normal, early-intercept
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha ecdhe-rsa-aes256-sha ecdhe-rsa-rc4-sha aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Source IP         Destination IP    Port Range        Action
<All>             10.107.17.220     443               Intercept

.....
Below is the steps to remove low, middle and export strength cipher suite for your reference
.....

Blue Coat SG300 Series#(config "reverse-proxy-service-name")attribute cipher-suite 
<< press enter to view all available cipher strength as per below >>

Cipher#  Use        Description            Strength
-------  ---  ---------------------------  --------
      1  yes      ECDHE-RSA-AES128-SHA256      High
      2  yes  ECDHE-RSA-AES128-GCM-SHA256      High
      3  yes         ECDHE-RSA-AES128-SHA      High
      4  yes         ECDHE-RSA-AES256-SHA      High
      5  yes            ECDHE-RSA-RC4-SHA    Medium
      6  yes                AES128-SHA256      High
      7  yes                AES256-SHA256      High
      8  yes                   AES128-SHA    Medium
      9  yes                   AES256-SHA      High
     10  yes           DHE-RSA-AES128-SHA      High
     11  yes           DHE-RSA-AES256-SHA      High
     12  yes                 DES-CBC3-SHA      High
     13  yes                      RC4-SHA    Medium
     14  yes                      RC4-MD5    Medium
     15  yes                  DES-CBC-SHA       Low
     16  yes              EXP-DES-CBC-SHA    Export
     17  yes                  EXP-RC4-MD5    Export
     18  yes              EXP-RC2-CBC-MD5    Export

Select cipher numbers to use, separated by commas: 1, 2, 3, 4, 6, 7, 9, 10, 11, 12, 13
  ok
.....
View and you will see only the high
strengh cipher suite.
.....
Blue Coat SG300 Series#(config "reverse-proxy-service-name")view
Service Name:   "reverse-proxy-service-n
Service Group:  Reverse Proxy
Proxy:          HTTPS Reverse Proxy
Attributes:     use-adn, adn-byte-cache, adn-compress, byte-cache-priority normal, early-intercept
Keyring: default
SSL Protocol version: tlsv1 tlsv1.1 tlsv1.2
CA Certificate List: <All CA Certificates>
Cipher Suite: ecdhe-rsa-aes128-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-rsa-aes128-sha ecdhe-rsa-aes256-sha aes128-sha256 aes256-sha256 aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha
Source IP         Destination IP    Port Range        Action
<All>             10.107.17.220     443               Intercept
.....

For SSL Client Configuration

.....
10.106.17.217 - Blue Coat SG300 Series#(config)ssl
10.106.17.217 - Blue Coat SG300 Series#(config ssl)edit ssl-client default
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)view
SSL-Client: default
Keyring: <None>
CCL: browser-trusted
Protocol: tlsv1 tlsv1.1 tlsv1.2
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)view
SSL-Client: default
Keyring: <None>
CCL: browser-trusted
Protocol: tlsv1 tlsv1.1 tlsv1.2
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
10.106.17.217 - Blue Coat SG300 Series#(config ssl ssl-client default)
.....

For SSL Device Profiles

.....
10.106.17.217 - Blue Coat SG300 Series#(config)ssl
10.106.17.217 - Blue Coat SG300 Series#(config ssl)edit ssl-device-profile default
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)view
Name: default
Usable for: client
Keyring:
CCL: browser-trusted
Device-id: $(subject.CN)
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha exp-des-cbc-sha exp-rc4-md5 exp-rc2-cbc-md5
Protocol: tlsv1 tlsv1.1 tlsv1.2
Verify-peer: enabled
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)cipher-suite aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
  ok
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)view
Name: default
Usable for: client
Keyring:
CCL: browser-trusted
Device-id: $(subject.CN)
Cipher suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha des-cbc3-sha rc4-sha rc4-md5 des-cbc-sha
Protocol: tlsv1 tlsv1.1 tlsv1.2
Verify-peer: enabled
10.106.17.217 - Blue Coat SG300 Series#(config device-profile default)
.....

 

For SSL Forward Proxy

add policy to disallow export level cipher through CPL or VPM

CPL

....
<SSL>
client.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
client.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5,exp-rc2-cbc-md5)exception(silent_denied)

server.connection.negotiated_cipher.strength=(Export) exception(silent_denied)
server.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5,exp-rc2-cbc-md5) exception(silent_denied)
.....

When traffic matches policy such as the example above, the proxy denies the connection to the OCS without providing any user feedback.
The silent_denied exception causes a reset, terminating all further communication on the connection or stream.
Denying all low and medium strength ciphers might prevent communication with older clients and servers.
If this issue occurs, review the allowed ciphers and adjust the previous policy to enable appropriate ciphers for a successful legacy traffic flow; however, you should weigh the time and effort required to resolve the issue against the potential risk of using weak ciphers between the appliance and the user.

Alternatively, you can write policy that provides a reason for the denial to the user via an HTML exception page. Replace exception(silent_denied) with force_deny, such as:

client.connection.negotiated_cipher=(exp-des-cbc-sha,exp-rc4-md5,exp-rc2-cbc-md5)force_deny

In order for the user to receive the exception page, however, the proxy must encode the HTML with the weak cipher (the cipher the policy condition denied). Using weak ciphers is a vulnerability risk. In addition, security scanners may report the exception page as a weak cipher reply from the OCS, although the exception page was actually generated by the proxy. Security scanning results will indicate a failure to guard against weak ciphers.

 

 

VPM (add 4 deny rules in SSL Access Layer)



 
Rule 1
Source: Client Negotiated Cipher -> Check 
EXP-DEC-CBC-SHA, EXP-RC2-CBC-MD5 and EXP-RC4-MD5
 
Create an action called SilentDeny which will be used for all of the other rules:
 
Rule 2
Source: Client Negotiated Cipher Strength -> Check Export
Action: SilentDeny


Rule 3

Destination: Server Negotiated Cipher -> Check EXP-DEC-CBC-SHA, EXP-RC2-CBC-MD5 and EXP-RC4-MD5
Action: SilentDeny



Rule 4

Source: Server Negotiated Cipher Strength -> Check Export
Action: SilentDeny


 

Attachments