Solutions

How to limit or specify what client ciphers can be used to access management console or reverse proxy services on the ProxySG

Solutions ID:    KB3819
Version:    1.0
Status:    Published
Published date:    06/08/2010
 

Problem Description

Restrict clients from accessing the ProxySG using low security or weak ciphers.

Specify which ciphers are allowed or denied for incoming connections to the ProxySG.

Resolution

There are a several different ways to limit what ciphers the ProxySG will accept. There are many different conceivable combinations, but the principles shown in the examples below should offer the necessary guidance in successfully limiting connections to the ProxySG based on cipher type or strength.


CLI:
Management Console Service:
Enable mode (enable <enter>)
Config t <enter>
management-services<enter>
edit https-console<enter>
attribute cipher-suite <insert the ciphers you want>

Reverse Proxy Service:
Enable mode (enable <enter>)
Config t <enter>
proxy-services<enter>
edit <service_name><enter>
attribute cipher-suite <insert the ciphers you want>

Example:
SGOS#(config HTTPS-Console) attribute cipher-suite rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha



VPM:
Web Access Layer
Right click in "Source", then Set > New
Client Negotiate Cipher Strengh
Choose the desired strength (Export, High, Medium, Low)
Choose to DENY or ALLOW depending on your need.



CPL:
Example_1: Deny ciphers by security level:
<Proxy>
    DENY client.connection.negotiated_cipher.strength=low

Example_2: Allow based on a specified list of ciphers:
<Proxy>
    ALLOW client.connection.negotiated_cipher=(EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question