Configure SpanVA to facilitate strict/more secure protocols

Article ID: 232024


Products

CASB Security Advanced, CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Organizations may plan to enforce the use of strict ciphers on SSH connections to SpanVA, to protect against known and other potential vulnerabilities. Vulnerability scans may also raise warnings based on industry recommendations.

Cause

Certain third-party scans may return a warning based on a vulnerability check (examples below):

• Qualys scan - detects unsecure TLSv1.0 as enabled

• Vulnerability name: SSH Server CBC Mode Ciphers Enabled

Description: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Recommendation: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. The Resolution section of this article contains more details.

Resolution

We recommend that you evaluate the options described here and in the referenced articles to determine which best suit your organization's needs and requirements.

As illustrated in the 'Installing and Configuring SpanVA' Tech Note (and in the 'Configuring Cipher mode setting' guide), you can either apply the 'Strict Ciphers' setting, which allows only strict ciphers, or use the 'Custom' setting.


Additionally, consider evaluating which protocols your environment actually needs. For example, determine whether to allow FTP (non-secure file transfer).
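To confirm that a cipher setting change actually removed the CBC finding, it helps to look at the same data the scanner evaluates: the cipher name-lists the SSH server advertises in its unencrypted KEXINIT message. The script below is an added example, not part of this article or of SpanVA; it decodes a KEXINIT packet (RFC 4253 section 7.1), flags any CBC-mode ciphers, and can read the packet from a live host (the host name, port 22 and the sample packet are assumptions or constructed).

```python
import socket
import struct
# The ten name-lists inside SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT as an unencrypted SSH binary packet (used for the sample below)."""
    payload = b"\x14" + bytes(16)  # message type 20 + zeroed cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += bytes(5)  # first_kex_packet_follows = false, reserved uint32
    pad = 8 - (len(payload) + 5) % 8  # whole packet must be a multiple of 8 bytes
    pad += 8 if pad < 4 else 0  # and carry at least 4 bytes of padding
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_kexinit(packet: bytes) -> dict:
    """Decode the name-lists from an SSH_MSG_KEXINIT binary packet."""
    packet_len, pad = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad - 1]
    if payload[:1] != b"\x14":
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos, fields = 17, {}  # skip the type byte and the 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        fields[name] = payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if n else []
        pos += 4 + n
    return fields

def cbc_ciphers(fields: dict) -> list:
    """CBC-mode ciphers offered in either direction: exactly what the scanner flags."""
    return sorted(c for c in set(fields["enc_c2s"]) | set(fields["enc_s2c"]) if "-cbc" in c)

def fetch_kexinit(host: str, port: int = 22) -> bytes:
    """Read a live server's KEXINIT; it follows the version line and is still unencrypted."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(b"SSH-2.0-cipher_audit\r\n")  # our identification string (RFC 4253 s4.2)
        f = sock.makefile("rb")
        for line in f:  # skip any lines the server sends before its "SSH-2.0-..." line
            if line.startswith(b"SSH-"):
                break
        head = f.read(5)  # packet_length (uint32) and padding_length (byte)
        return head + f.read(struct.unpack(">IB", head)[0] - 1)

# Constructed sample: a server that still offers CBC ciphers alongside CTR and GCM.
CBC_AND_CTR = ["aes128-ctr", "aes256-gcm@openssh.com", "aes256-cbc", "3des-cbc"]
SAMPLE = build_kexinit(kex=["curve25519-sha256"], host_key=["ssh-ed25519"],
                       enc_c2s=CBC_AND_CTR, enc_s2c=CBC_AND_CTR, mac_c2s=["hmac-sha2-256"],
                       mac_s2c=["hmac-sha2-256"], comp_c2s=["none"], comp_s2c=["none"])
```

Against a real appliance, `cbc_ciphers(parse_kexinit(fetch_kexinit("spanva.example.internal")))` should return an empty list once the strict or custom cipher setting is in effect; `cbc_ciphers(parse_kexinit(SAMPLE))` shows what a failing scan sees.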


Additional Information

• For the TLSv1.0 warning, disabling FTP (see the image above) cleared the scan's warning/error.

• For the example "SSH Server CBC Mode Ciphers Enabled" referenced, the following combination cleared the scan's error/warning: