
Recommended Server Cipher List?

Is there a McAfee recommended server side cipher list for SSL inspection?

18 Replies
McAfee Employee mkutrieba
Message 2 of 19

Re: Recommended Server Cipher List?

Hi matthew.stokes,

If you import the SSL Scanner rule set from library you have the client and server cipher lists already included that we recommend.

Example ("Default Certificate Verification"):

Regards,

Marcel

Re: Recommended Server Cipher List?

Is RC4 support really recommended though? The reason I ask is that our compliance group is complaining about the results from badssl.com which shows support for RC4 and DH1024.

McAfee Employee mkutrieba
Message 4 of 19

Re: Recommended Server Cipher List?

Hi matthew.stokes,

RC4 is placed at the end of the list and the cipher list is sorted by strength (order of encryption algorithm key length).

It is more a fallback (if the server rejects ALL the others before it).

Regards,

Marcel

kbolt
Level 10
Message 5 of 19

Re: Recommended Server Cipher List?

Hello, I'm on 7.6.2.5.0 and when I import SSL Scanner my Default Certificate Verification settings look a bit different. Should I be concerned?

default_cert_ver.JPG

Re: Recommended Server Cipher List?

I got the same results from importing the stock ruleset under 7.5. Must be the "recommendation"...

Re: Recommended Server Cipher List?

I'm used to getting the same thing anytime I click add.  But, it's more compatible than safe.

McAfee Employee smasnizk
Message 8 of 19

Re: Recommended Server Cipher List?

John,

please don't get the default setting wrong. When thousands of users use the same default setting you will need to find a setting somewhere between security and usability. The default setting is most likely a good decision to start with and can be adjusted to user needs. A safe cipher list will cause a lot of errors because there are still enough sites using old and weak ciphers. The result would be a high administrative effort to maintain the list of websites which the users still need to access and which administrators have to white-list afterwards.

Feel free to adjust your cipher suite and share your experience with the community, so we all will benefit from it.

Best Regards

-Sergej

Re: Recommended Server Cipher List?

It would be nice to have McAfee's recommendation, but I think it's important to know what is being done for the more secure browsers on the Internet, such as Chrome and Firefox.

I posted the following elsewhere (as a cipher-suite spec example), but it really belongs here:

I recently did a workup of a cipher-suite spec. for our configuration. This is based on the cipher-suite listing provided at: Qualys SSL Labs - Projects / User Agent Capabilities: Firefox 49 / Win 7

After tinkering with openssl cipher command, this is what I came up with:

HIGH:!aNULL:!eNULL:!3DES:!kEDH:!ADH:!CAMELLIA:!DH:!PSK:-ECDH:ECDHE:!AES128:!RC4: @STRENGTH

Note that the minus sign in the spec. is a little different from the exclamation point. To get the best match, I had to use a minus on ECDH and then add ECDHE back in. You can't do that with the exclamation point.

So, I believe this excludes all CBC (Cipher block chaining) suites which now have a weakness, but it also seems to exclude all plain vanilla DH suites.

Note that there were a couple of cipher suites available in the latest Firefox and Chrome version that are not available in Web Gateway.  I don't remember what they were, but it's easy enough to figure it out if anyone's interested.
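The difference between `-` and `!` that John describes is easy to see with a toy model of the cipher-string evaluation. The script below is an added example (not code from the thread or from McAfee Web Gateway); the suite table is constructed from a handful of real suite names with hand-entered properties so it runs offline, and the `matches()` rules are a deliberately rough approximation of the OpenSSL keywords `HIGH`, `ECDH`, `ECDHE`, `AES128`, `RC4` and `3DES`.

```python
"""Toy model of how OpenSSL evaluates a cipher string, to show why
'-ECDH:ECDHE' keeps the ECDHE suites while '!ECDH:ECDHE' does not.

Added example; not code from the thread or from McAfee Web Gateway.
The suite table is constructed (real suite names, hand-entered
properties) so the script runs offline, and only the operators the
thread uses are modelled: plain keyword (add), '!' (remove permanently),
'-' (remove, but a later keyword may add the suites back), '+' (move to
the end) and '@STRENGTH' (sort by encryption key length, descending).
"""

# Constructed table: suite name -> (key exchange, encryption, key bits)
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": ("ECDHE", "AESGCM", 256),
    "ECDHE-RSA-AES128-GCM-SHA256": ("ECDHE", "AESGCM", 128),
    "ECDH-RSA-AES256-GCM-SHA384":  ("ECDH",  "AESGCM", 256),
    "DHE-RSA-AES256-GCM-SHA384":   ("DH",    "AESGCM", 256),
    "AES256-GCM-SHA384":           ("RSA",   "AESGCM", 256),
    "ECDHE-RSA-RC4-SHA":           ("ECDHE", "RC4",    128),
    "DES-CBC3-SHA":                ("RSA",   "3DES",   168),
}


def matches(suite, keyword):
    """Rough model of a few OpenSSL cipher-list keywords."""
    kx, enc, bits = SUITES[suite]
    if keyword == "HIGH":        # 128-bit or better; RC4 is only MEDIUM in OpenSSL
        return bits >= 128 and enc != "RC4"
    if keyword == "ECDH":        # in OpenSSL, ECDH covers fixed AND ephemeral ECDH
        return kx in ("ECDH", "ECDHE")
    if keyword == "ECDHE":       # ephemeral ECDH only
        return kx == "ECDHE"
    if keyword == "AES128":
        return enc.startswith("AES") and bits == 128
    return enc == keyword        # RC4, 3DES


def evaluate(spec):
    """Return the ordered suite list a cipher string selects (toy semantics)."""
    current = []       # ordered selection so far
    banned = set()     # suites hit by '!' can never be added back
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # stable sort by key length, descending; ties keep their order
            current.sort(key=lambda s: SUITES[s][2], reverse=True)
            continue
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if matches(s, keyword)]
        if op == "!":
            banned.update(hits)
            current = [s for s in current if s not in hits]
        elif op == "-":
            current = [s for s in current if s not in hits]
        elif op == "+":
            current = [s for s in current if s not in hits] + [s for s in current if s in hits]
        else:
            current += [s for s in hits if s not in banned and s not in current]
    return current


MINUS_SPEC = "HIGH:!RC4:!3DES:-ECDH:ECDHE:@STRENGTH"   # the thread's approach
BANG_SPEC = "HIGH:!RC4:!3DES:!ECDH:ECDHE:@STRENGTH"    # what '!' would do instead

if __name__ == "__main__":
    for spec in (MINUS_SPEC, BANG_SPEC):
        print(spec)
        for suite in evaluate(spec):
            print("   ", suite)
```

With `-ECDH:ECDHE` the two ECDHE AES-GCM suites come back; with `!ECDH:ECDHE` they are gone for good. The output also illustrates Marcel's remark that `@STRENGTH` sorts by key length only: after sorting, the DHE and static-RSA 256-bit suites sit ahead of ECDHE-AES128, regardless of key-exchange quality. On a real host, `openssl ciphers -v '<spec>'` prints the actual expansion; that is worth checking rather than assuming, because the real `HIGH` group also contains CBC-mode AES suites that none of the negations in the spec above remove.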

Re: Recommended Server Cipher List?

Hi John! Thanks for the information. I guess in its most basic form you would want to strike a balance between security and still being able to access the sites that are required for business.

It looks like you took the approach of finding out what your users' browsers support natively and then tailoring the MWG server side ciphers to match. Is that correct?

As for McAfee's recommendation it looks like is a member of the McAfee tech support team so I'm assuming his recommendation (the default for the SSL scanner ruleset) is what they would normally recommend. Doesn't seem like it's good enough for our internal compliance folks though. They're not only complaining about MWG server side supporting RC4, DH1024 and 3DES, but also mixed-script and various HTTP-input methods. Might be easier to just unplug...
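The compliance findings mentioned in this thread (RC4, 3DES, plain DH) can be turned into a repeatable check over whatever cipher string the gateway ends up with. The script below is an added example, not code from the thread or from McAfee; it parses the line format that `openssl ciphers -v` prints and tags each suite with the properties a review typically flags. The `SAMPLE` text is a constructed excerpt in that format, and the finding categories are my own choice.

```python
"""Classify the suites in `openssl ciphers -v` output by the properties a
compliance review typically flags: RC4, 3DES, CBC mode, finite-field DH,
and static RSA key exchange (no forward secrecy).

Added example; not code from the thread or from McAfee Web Gateway. SAMPLE
is a constructed excerpt in the real `openssl ciphers -v` line format; in
practice feed audit() the output of `openssl ciphers -v '<cipher string>'`.
"""
import re

# Constructed sample (format is real, suites hand-picked for illustration)
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# name, protocol, then the Kx= / Au= / Enc= / Mac= fields
LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse(text):
    """Parse `openssl ciphers -v` lines into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites.append(dict(name=name, proto=proto, kx=kx, au=au, enc=enc, mac=mac))
    return suites


def findings(suite):
    """Return the list of review findings for one parsed suite (empty means clean)."""
    issues = []
    enc, mac, kx = suite["enc"], suite["mac"], suite["kx"]
    if enc.startswith("RC4"):
        issues.append("RC4")
    if enc.startswith("3DES"):
        issues.append("3DES")
    # In TLS 1.2 and below, a suite with a separate MAC (not AEAD) is a
    # CBC-mode suite, except the RC4 stream cipher, which is flagged above.
    if mac != "AEAD" and not enc.startswith("RC4"):
        issues.append("CBC")
    if kx == "DH":        # finite-field (D)HE; the group size is NOT shown in this output
        issues.append("finite-field DH")
    if kx == "RSA":       # static RSA key exchange: no forward secrecy
        issues.append("no forward secrecy")
    return issues


def audit(text):
    """Map suite name -> findings for every suite that has at least one finding."""
    report = {}
    for suite in parse(text):
        issues = findings(suite)
        if issues:
            report[suite["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name:30} {', '.join(issues)}")
```

One thing this cannot tell you is the DH1024 finding: `openssl ciphers` lists suites, not the size of the DH parameters the server uses, so a `Kx=DH` suite is flagged as finite-field DH regardless of group size. That size comes from wherever the gateway configures its DH parameters and has to be checked there (or with an external scanner such as the badssl.com results mentioned above).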
