To keep up with secure data transmission practices, these two security aspects need to be addressed on the Storage Platform (SP):
1. Vulnerable Storage Platform connections
- Since Attix5 Pro version V8 (R4), AccountServers and StorageServers no longer accept SSL connections, only TLS.
- The insecure RC4 cipher should be blocked for connections to the SP. To disable all weak ciphers, including RC4, follow the steps as explained for SChannel vulnerabilities in FAQ article 556.
Warning: If RC4 is disabled on your SP's operating system, Backup Client versions older than 7.14 will not be able to connect to the SP. Upgrade your Backup Clients to a later version.
2. Vulnerable operating system configurations
Since Attix5 Pro version V8 (R4), the SP will identify vulnerable cipher suites allowed by the operating system and log warnings on a daily basis in the AccountServer log in the SP Console.
Note: Typical insecure ciphers shown in the logs will be: DHE-related, TripleDES, RC4, and MD5 ciphers. Here's an example:
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_RSA_WITH_RC4_128_SHA
12:45:59 Warn: TLS_RSA_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
12:45:59 Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59 Warn: SSL_CK_RC4_128_WITH_MD5
12:45:59 Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA256
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
Tip: Use the LogAnalyzer to view these entries in the log.
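Added example (not part of the original article or of Attix5 Pro): a small Python script that pulls the weak cipher suite warnings out of exported AccountServer log text and groups them by the reason they are weak, so you can see what still needs to be disabled in the operating system. The log line layout is assumed from the sample above; the function names and the category labels for NULL and SSL 2.0 suites are this example's own.

```python
import re

# Constructed sample, modelled on the warning lines shown in this article.
SAMPLE_LOG = """\
12:45:59 Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59 Warn: TLS_RSA_WITH_RC4_128_SHA
12:45:59 Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59 Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59 Warn: TLS_RSA_WITH_NULL_SHA
12:46:03 Info: Unrelated entry
"""

HEADER = "known weak cipher suites"
# Assumed layout: "<time> Warn: <SUITE_NAME>" with nothing else on the line.
SUITE_LINE = re.compile(r"^\S+\s+Warn:\s+((?:TLS|SSL)_[A-Z0-9_]+)\s*$")

# Categories from the article's note, plus NULL and SSL 2.0 (labels assumed).
REASONS = [
    ("RC4", re.compile(r"_RC4_")),
    ("TripleDES", re.compile(r"3DES|DES_192_EDE3")),
    ("DHE", re.compile(r"_DHE_")),
    ("MD5", re.compile(r"_MD5$")),
    ("NULL encryption", re.compile(r"_NULL_")),
    ("SSL 2.0 suite", re.compile(r"^SSL_CK_")),
]

def weak_suites(log_text):
    """Return {suite: [reasons]} for suites listed after the warning header."""
    found, in_block = {}, False
    for line in log_text.splitlines():
        m = SUITE_LINE.match(line)
        if HEADER in line:
            in_block = True          # suite names follow on the next lines
        elif in_block and m:
            suite = m.group(1)
            found[suite] = [name for name, rx in REASONS if rx.search(suite)]
        else:
            in_block = False         # any other line ends the warning block
    return found

def by_reason(found):
    """Invert the mapping so each weakness lists the suites still allowed."""
    out = {}
    for suite, reasons in found.items():
        for reason in reasons or ["unclassified"]:
            out.setdefault(reason, []).append(suite)
    return out

if __name__ == "__main__":
    for reason, suites in sorted(by_reason(weak_suites(SAMPLE_LOG)).items()):
        print(f"{reason}: {', '.join(suites)}")
```

Run it against a fresh log after changing the SChannel settings: an empty result means the SP no longer reports weak suites for that day.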
To test for connection vulnerabilities:
- Go to: https://www.ssllabs.com/ssltest/
- Enter your SP's address in the Domain name box and click Submit.
The site will report any weaknesses.
Some vulnerabilities can be addressed by following the relevant steps below:
- To disable all weak ciphers (including RC4) and only use TLS:
See "SChannel vulnerabilities" in FAQ article 556.
- To block insecure renegotiations:
See "Insecure renegotiation" in FAQ article 556.
Old Article ID: 324
Posted: 03 Aug, 2015 by Du Plessis S.