Weak security protocol used with SSL profiles-bluecoat-sgos

Vendor: bluecoat

OS: sgos

Description:
Certain security protocols are now considered weak. Indeni will alert if any SSL profiles are set to use them.

Remediation Steps:
User is advised to reconfigure the security protocol used in the affected profile.

1. Log in via SSH to the Bluecoat ProxySG and enter privileged mode.
2. Run the following commands: config t

How does this work?
Indeni logs in over SSH in privileged mode and executes the following command: show ssl ssl-client default.

Why is this important?
Weak protocols could enable man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.

Without Indeni how would you find this?
Log in via SSH (privileged mode) to the Bluecoat ProxySG and run the following command: show ssl ssl-client default. Locate the cipher suite and protocol lines and list the vulnerable ciphers and protocols.
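
The manual check above can be scripted. The following is an added example, not Indeni's view-ssl.parser.1.awk (which this page does not show): it scans saved command output for the two protocols the rule calls out, SSLv2 and SSLv3. The sample output, its "SSL-Client Name:" / "Protocol:" line layout, and the helper name find_weak_protocols are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `show ssl ssl-client default` output. The
# "SSL-Client Name:" / "Protocol:" / "Cipher suite:" layout is an
# assumption; adjust the patterns to what your SGOS release prints.
SAMPLE_OUTPUT='SSL-Client Name: default
Keyring: <None>
Protocol: sslv3 tlsv1 tlsv1.2
Cipher suite: aes128-sha256 aes256-sha256'

# find_weak_protocols (hypothetical helper): reads command output on
# stdin and prints one "profile<TAB>protocol" line per weak protocol
# (SSLv2 or SSLv3). Prints nothing when the profile is clean.
find_weak_protocols() {
    awk '
        {
            line = $0
            sub(/\r$/, "", line)        # SSH captures often end in CRLF
        }
        tolower(line) ~ /^[ \t]*ssl-client name:/ {
            name = line
            sub(/^[^:]*:[ \t]*/, "", name)
        }
        tolower(line) ~ /^[ \t]*protocol:/ {
            value = tolower(line)       # match regardless of letter case
            sub(/^[^:]*:[ \t]*/, "", value)
            n = split(value, proto, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (proto[i] ~ /^sslv[23]$/)
                    printf "%s\t%s\n", (name == "" ? "unknown" : name), proto[i]
        }
    '
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | find_weak_protocols
```

Each output line pairs a profile name with the weak protocol found on it, the same two values the rule below reports as its "name" and "protocol" tags.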

bluecoat-view-ssl

name: bluecoat-view-ssl
description: Find usage of weak ciphers and vulnerable protocols
type: monitoring
monitoring_interval: 59 minutes
requires:
    vendor: bluecoat
    os.name: sgos
    privileged-mode: 'true'
comments:
    ssl-weak-cipher:
        why: |
            Weak protocols could enable man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.
        how: |
            Indeni logs in over SSH in privileged mode and executes the following command: show ssl ssl-client default.
        can-with-snmp: false
        can-with-syslog: false
    ssl-weak-protocol:
        why: |
            Weak protocols could enable man-in-the-middle attacks. Administrators would ideally want to keep track of their cipher string configurations in order to protect their clients against known attack vectors.
        how: |
            Indeni logs in over SSH in privileged mode and executes the following command: show ssl ssl-client default.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        file: view-ssl.remote.1.bash
    parse:
        type: AWK
        file: view-ssl.parser.1.awk

CrossVendorSslWeakProtocolRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package templatebased.crossvendor

import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.rules.RemediationStepCondition

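/**
  * Cross-vendor rule: alerts on SSL profiles that the "ssl-weak-protocol"
  * metric reports as using a weak security protocol. Affected profiles are
  * listed by the metric's "name" tag and described by its "protocol" tag.
  */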
case class CrossVendorSslWeakProtocolRule() extends StateDownTemplateRule(
  ruleName = "CrossVendorSslWeakProtocolRule",
  ruleFriendlyName = "All Devices: Weak security protocol used with SSL profiles",
  ruleDescription = "Certain security protocols are now considered weak. Indeni will alert if any SSL profiles are set to use them.",
  metricName = "ssl-weak-protocol",
  applicableMetricTag = "name",
  descriptionMetricTag = "protocol",
  alertIfDown = false,
  alertItemsHeader = "Affected Profiles",
  alertDescription = "Certain SSL profiles have a weak security protocol and are potentially opening traffic to known vulnerabilities. \n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  baseRemediationText = "User is advised to reconfigure the security protocol used in the affected profile.",
  itemSpecificDescription = Seq(
    ".*SSLv3.*".r -> "SSLv3 is considered vulnerable.",
    ".*SSLv2.*".r -> "SSLv2 is considered vulnerable.",
    ".*".r -> "")
)(RemediationStepCondition.VENDOR_F5 ->
  """
    |1. Follow the knowledge articles listed below for the weak cipher used.
    |2. SSLv3 is considered a vulnerable communication protocol. See https://support.f5.com/csp/#/article/K15702
    |3. SSLv2 is considered a vulnerable communication protocol. See https://support.f5.com/csp/#/article/K23196136""".stripMargin,
  RemediationStepCondition.VENDOR_BLUECOAT ->
  """
    |1. Login via SSH to the Bluecoat ProxySG and enter privileged mode.
    |2. Run the following commands: config t -> ssl -> edit ssl-client default -> view
    |3. Command output will display a list of ciphers and protocols that are currently acceptable.
    |4. Remove any protocols which are considered weak.""".stripMargin
)