
Aug 21

PCI DSS vulnerability for SSL negotiation on Brocade ADX

Hardware application accelerators, also called load balancers, are commonly used for SSL offload, as they provide hardware acceleration for SSL processing. Additionally, many implementations process Application Layer (ISO/OSI Layer 7) information, which requires access to clear-text data.

In many cases device administrators configure SSL profiles with the “all-cipher-suites” command, which allows the ADX to negotiate any cipher available on the device. This may lead to findings in PCI DSS security reports, as older ciphers are relatively easy to break. To resolve this problem you will have to disable the “all-cipher-suites” command under all SSL profiles (or the one you want to secure) and add only those with strong encryption.


Below is a list of all available cipher options on the Brocade ADX load balancer:

(config)# ssl profile profile1
(config-ssl-profile-profile1)# cipher-suite ?
 all-cipher-suites 
 rsa-export-with-des40-cbc-sha
 rsa-export-with-rc2-cbc-md5 
 rsa-export-with-rc4-40-md5 
 rsa-with-3des-ede-cbc-md5 
 rsa-with-3des-ede-cbc-sha 
 rsa-with-aes-128-sha 
 rsa-with-aes-256-sha 
 rsa-with-des-cbc-md5 
 rsa-with-des-cbc-sha 
 rsa-with-rc2-cbc-md5 
 rsa-with-rc4-128-md5 
 rsa-with-rc4-128-sha


Configuration example

Step 1) Connect to ADX and go to configuration mode using “conf t” command.


Step 2) Edit the SSL profile (in our example we use “profile1” as the profile name) and add secure ciphers only

(config)# ssl profile profile1
(config-ssl-profile-profile1)# cipher-suite rsa-with-aes-128-sha
(config-ssl-profile-profile1)# cipher-suite rsa-with-aes-256-sha
(config-ssl-profile-profile1)# cipher-suite rsa-with-rc4-128-md5
(config-ssl-profile-profile1)# cipher-suite rsa-with-rc4-128-sha



Step 3) Remove the all-ciphers command. (Note that if you remove all ciphers before adding the secure ones, there will be no ciphers available under the profile, which will cause a service disruption while the change is applied. If you do it in the order specified in this example there should be no disruption at all, as suites are available the whole time.)

(config-ssl-profile-profile1)# no cipher-suite all-cipher-suites



Step 4) Save the configuration

(config-ssl-profile-profile1)# exit
(config)# wr mem
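To check that no profile was missed after the change, the following audit script is an added example (not part of the original post or of Brocade's tooling): it parses the "ssl profile" / "cipher-suite" lines of a saved configuration and reports any profile that still has "all-cipher-suites" or one of the export/DES/RC2 suites from the list above. The config layout and the sample text are assumed/constructed; the script also flags RC4 and 3DES as "legacy", which goes beyond the post's recommended set because later guidance (RFC 7465, newer PCI DSS versions) retired them.

```python
import re

# Constructed excerpt of an ADX running configuration (assumed layout:
# "ssl profile <name>" followed by its "cipher-suite" lines, closed by "!").
SAMPLE_CONFIG = """\
ssl profile profile1
 cipher-suite all-cipher-suites
 cipher-suite rsa-with-aes-256-sha
!
ssl profile profile2
 cipher-suite rsa-with-aes-128-sha
 cipher-suite rsa-with-aes-256-sha
 cipher-suite rsa-with-rc4-128-sha
!
"""

# Suites from the ADX list that are clearly unacceptable: export keys, DES, RC2.
WEAK = {"rsa-export-with-des40-cbc-sha", "rsa-export-with-rc2-cbc-md5",
        "rsa-export-with-rc4-40-md5", "rsa-with-des-cbc-md5",
        "rsa-with-des-cbc-sha", "rsa-with-rc2-cbc-md5"}
# Suites the post still allowed but later guidance retired (RC4, 3DES).
LEGACY = {"rsa-with-rc4-128-md5", "rsa-with-rc4-128-sha",
          "rsa-with-3des-ede-cbc-md5", "rsa-with-3des-ede-cbc-sha"}

def parse_ssl_profiles(config):
    """Return {profile_name: [cipher-suite names]} from the config text."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ssl profile (\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = []
            continue
        m = re.match(r"^\s+cipher-suite (\S+)", line)
        if m and current:
            profiles[current].append(m.group(1))
        elif line.strip() == "!":
            current = None
    return profiles

def audit_profile(suites):
    """List findings; 'all-cipher-suites' alone makes every weak suite negotiable."""
    findings = []
    if "all-cipher-suites" in suites:
        findings.append("all-cipher-suites enabled: every weak suite is negotiable")
    findings += [f"weak: {s}" for s in suites if s in WEAK]
    findings += [f"legacy: {s}" for s in suites if s in LEGACY]
    return findings

def audit_config(config):
    """Map each profile name to its findings (an empty list means clean)."""
    return {name: audit_profile(s) for name, s in parse_ssl_profiles(config).items()}
```

Run `audit_config` over the output of the device's running-configuration display; an empty list for every profile means the all-ciphers command is gone everywhere.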
