All,
I had my hosts (ESX3) scanned for PCI vulnerabilities. The results came back that the web interface allows the use of low strength ciphers. Where do I go to disable this? I couldn't find an httpd.conf or ssl.conf file anywhere.
adam
Ciphers are a direct result of passwords. If you make sure your passwords are not easily guessed, you should be fine.
Apparently the program you used to scan the web interface determined it could easily break in using known passwords, a la low strength ciphers.
I can't speak to ciphers in VMware, but in the world of Windows your answer would be incorrect. Given a 12 character password, I can use 56-bit, 128-bit, AES/DES, etc. Depending on which cipher I used, I would get different results in the encryption. Password length/complexity does not determine which cipher is used.
adam
In that case, download the ESX VI Server Config Guide, and refer to page 251. It will tell you ALL you need to know.
___________________
Cipher Strength
Transmitting data over insecure connections presents a security risk because malicious users might be able to scan data as it travels through the network. As a safeguard, network components commonly encrypt the data so that it can't be easily read. To encrypt data, the sending component, such as a gateway or redirector, applies algorithms, or ciphers, to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form.
Several different ciphers are currently in use, and the level of security provided by each is different. One measure of a cipher's ability to protect data is its cipher strength, the number of bits in the encryption key. The larger the number, the more secure the cipher.
To ensure the protection of the data transmitted to and from external network connections, ESX Server uses one of the strongest block ciphers available, 256-bit AES block encryption. ESX Server also uses 1024-bit RSA for key exchange.
_____________
Also this little note is rather interesting:
Because VI Web Access cipher usage is determined by the Web browser you are using, this management tool might use other ciphers.
___________________
So maybe the passwords used are not that important for cipher, but the Web Browser you are using IS.
Thanks for finding the info in the guide. There are so many pdf files that I occasionally miss two or three when searching for info. I understand your last sentence regarding the browser. It's really a cop-out on VM's part. I can disable all sorts of ciphers in Windows. In fact, PCI requires that you do so. The fact that VM allows lower cipher browsers to connect is actually a problem. Might not pass PCI standards. In a normal apache install, I can disable the low-end ciphers.
I can't say for sure exactly what the PCI scan consists of, but our security team hasn't been wrong yet (in terms of PCI results). ESX may use high strength ciphers, but it also supports lower ones as indicated by the footnote.
adam
After doing some reading, and looking up info on Cipher, I believe you are correct. I have a security team, and I will get them to look at our servers, maybe between the two of us, we can figure this out.
I will ask about how to increase the cipher strength, or at least figure out how to disable it. This should be a good learning experience.
There is a Foundstone free tool that can be used to test the cipher strength and show you which ones it sees you using. It is called SSLDigger. I have used it to check if I need to disable any cipher suites for an audit. You should install it and point it at the web site (such as ) and let it run its tests... Basically you need to modify the web server somehow to eliminate all 40-bit cipher suites, really all of them that support anything less than 128-bit encryption.
This link might help as well...
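The post above says to remove every suite below 128-bit encryption from the web server's configuration. The following is an added example, not code from this thread, from VMware or from the SSLDigger tool: it uses Python's ssl module (which links against the local OpenSSL) to expand an OpenSSL cipher string of the kind Apache's mod_ssl accepts in SSLCipherSuite, and reports any enabled suite whose effective key strength falls below that floor, entirely offline. The hardened string HARDENED is an assumed mod_ssl-style value, not the ESX default, and the permissive list is constructed for illustration.

```python
"""Offline audit of an OpenSSL cipher string against a minimum key strength.

Added example, not from the thread or from VMware. Nothing here touches the
network: the local OpenSSL library expands the cipher string and reports
the strength it assigns to each suite.
"""
import ssl

MIN_BITS = 128  # floor from the post above: nothing below 128-bit encryption


def weak_suites(ciphers, min_bits=MIN_BITS):
    """Return names of suites whose effective strength is below min_bits.

    `ciphers` is a list of dicts in the shape returned by
    SSLContext.get_ciphers(); only 'name' and 'strength_bits' are read,
    so constructed records work as well as live ones.
    """
    return sorted(c["name"] for c in ciphers if c["strength_bits"] < min_bits)


def audit_cipher_string(spec, min_bits=MIN_BITS):
    """Expand an OpenSSL cipher string with the local library and classify it.

    Returns {'enabled': [all suite names], 'weak': [names below the floor]}.
    Raises ssl.SSLError if the string matches no suite at all, which is
    worth knowing before the string goes into a server config.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    enabled = ctx.get_ciphers()
    return {
        "enabled": [c["name"] for c in enabled],
        "weak": weak_suites(enabled, min_bits),
    }


# Assumed hardened string (a reasonable mod_ssl-style value, not the ESX
# default): HIGH strength only, no anonymous key exchange, no MD5 MACs, and
# 3DES excluded explicitly because current OpenSSL rates it at 112 bits.
HARDENED = "HIGH:!aNULL:!MD5:!3DES"

# Constructed records standing in for what a permissive server might offer;
# the strength values are the ones OpenSSL assigns to these suite names.
CONSTRUCTED_PERMISSIVE = [
    {"name": "AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]

if __name__ == "__main__":
    print("constructed permissive list, weak:", weak_suites(CONSTRUCTED_PERMISSIVE))
    report = audit_cipher_string(HARDENED)
    print(f"{HARDENED!r}: {len(report['enabled'])} suites enabled, weak: {report['weak']}")
```

Run it with the cipher string you intend to deploy; an empty `weak` list means the local OpenSSL would offer nothing below the floor for that string, and an `ssl.SSLError` means the string enables nothing at all. The result reflects the OpenSSL build on the machine running the script, so check it on the same library version the server uses.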