Configure SpanVA to facilitate strict/more secure protocols
search cancel

Configure SpanVA to facilitate strict/more secure protocols


Article ID: 232024


Updated On:


CASB Security Advanced CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced IAAS CASB Security Premium CASB Security Premium IAAS CASB Security Standard CASB Securlet IAAS CASB Securlet SAAS CASB Securlet SAAS With DLP-CDS


Organizations plan to enforce the use of strict ciphers on SSH connections with SpanVA to secure against known and other potential vulnerabilities. Vulnerability scans may yield warnings based on industry recommendations.


Certain 3rd party scans may return a warning based on vulnerability check (examples below):

• Qualys scan - detects unsecure TLSv1.0 as enabled

• Name Vulnerability: SSH Server CBC Mode Ciphers Enabled

Description: The SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext. 

Recommendation: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption", The resolution section of this article contains more details.


Recommend you evaluate the options referenced here and in the articles referenced to determine which best suit your organization's needs/requirements. 

As illustrated in the 'Installing and Configuring SpanVA' Tech Note (and guide 'Configuring Cipher mode setting') , you can either apply the setting to allow only 'Strict Ciphers' or you can use the 'Custom' setting. 


Additionally, you may also want to consider evaluating the protocols needed for your environment. For example, determine whether to allow FTP (non secure file transfer). 


Additional Information

• For the TLSv1.0 warning, disabling FTP (see image above) cleared the scan's warning/error.

• For the example "SSH Server CBC Mode Ciphers Enabled" referenced, the following combination cleared the scan's error/warning: