Organizations may want to enforce strict ciphers on SSH connections to SpanVA to protect against known and potential vulnerabilities. Vulnerability scans may also raise warnings based on industry recommendations.
Certain third-party scans may return a warning based on a vulnerability check (examples below):
• Qualys scan: detects insecure TLSv1.0 as enabled.
• Vulnerability name: SSH Server CBC Mode Ciphers Enabled
Description: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Recommendation: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. The resolution section of this article contains more details.
We recommend evaluating the options described here and in the referenced articles to determine which best suit your organization's needs and requirements.
As illustrated in the 'Installing and Configuring SpanVA' Tech Note (and the guide 'Configuring Cipher mode setting'), you can either apply the setting to allow only 'Strict Ciphers' or use the 'Custom' setting.
Additionally, you may want to evaluate which protocols your environment actually needs. For example, determine whether to allow FTP (non-secure file transfer).
• For the TLSv1.0 warning, disabling FTP (see image above) cleared the scan's warning/error.
• For the "SSH Server CBC Mode Ciphers Enabled" example referenced above, the following combination cleared the scan's error/warning:
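To confirm that a cipher setting actually removed the CBC finding before re-running the scanner, you can read the server's SSH_MSG_KEXINIT (sent in the clear before key exchange) and list the ciphers it still offers. The following script is an added example, not code from the Tech Note or from the SpanVA product; the sample payload is constructed, and the live check assumes only that the appliance exposes SSH on TCP port 22.

```python
import socket
import struct

# Field order of SSH_MSG_KEXINIT (RFC 4253 section 7.1) after the 16-byte cookie.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != 20:          # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}                          # skip message byte + cookie
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    return fields

def audit_ciphers(payload: bytes) -> dict:
    """Split offered ciphers into CBC (what the scan flags) and CTR/GCM (what it wants)."""
    fields = parse_kexinit(payload)
    offered = sorted(set(fields["enc_c2s"]) | set(fields["enc_s2c"]))
    return {"cbc": [c for c in offered if "-cbc" in c],
            "ctr_gcm": [c for c in offered if "-ctr" in c or "-gcm" in c]}

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the server's KEXINIT from a live host; the packet is unencrypted and unauthenticated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # skip any pre-banner lines
            line = f.readline()
        sock.sendall(b"SSH-2.0-cipher_audit\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        return f.read(packet_len - padding_len - 1)

def _name_list(*names: str) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

# Constructed sample: a server that still offers CBC ciphers alongside CTR (a pre-fix state).
SAMPLE_KEXINIT = (bytes([20]) + bytes(16)
    + _name_list("curve25519-sha256", "diffie-hellman-group14-sha256")
    + _name_list("ssh-ed25519", "rsa-sha2-512")
    + _name_list("aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc")
    + _name_list("aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc")
    + _name_list("hmac-sha2-256") * 2 + _name_list("none") * 2 + _name_list() * 2
    + bytes([0]) + bytes(4))                      # first_kex_packet_follows, reserved
```

Run `audit_ciphers(fetch_kexinit("<spanva-host>"))` after applying the strict or custom cipher setting; an empty "cbc" list means the scanner's CBC check should no longer fire.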