[isapros] ISA Penetration Test - SSL Weak Cipher False Positive

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 22 Mar 2007 00:29:58 -0000

Hi All,

After seeing a few ISA security or penetration tests a few times
recently, a common theme relating to weak SSL ciphers is appearing. The
first time this was reported by a customer, I contacted PSS who
explained that the issue was due to the fact that the operating system
would negotiate SSL at a low cipher strength irrespective of ISA and
that ISA would drop all weak cipher traffic if the "use 128 bit
encryption" option was enabled on the web listener. E.g. you *can*
negotiate a low cipher, but ISA will drop traffic that does not meet 128
bit. The 'SSL digger' tool is an example of how to generate the false
positive.

PSS provide a KB of how to configure the OS to only allow specific
ciphers, but this is pretty full on and includes some hardcore registry
changes. Not all customers have been keen to make these changes to pass
the tests.

Does anyone know if MS plans to create a KB to explain this false
positive when using ISA? If not, can someone suggest it is created to
provide customers with an explanation?

I am managing to convince most customers, but a few have asked for a
written response from Microsoft to confirm the issue is indeed a false
positive and not a legitimate issue.

Any help appreciated...

JJ 
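As an added example (not part of the original post or of any Microsoft KB), here is a read-only audit of the SCHANNEL cipher switches that the registry-based hardening mentioned above relies on, with an explicit opt-in switch to disable the sub-128-bit ciphers. It assumes the classic SCHANNEL layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers; the cipher subkey list is constructed here and should be checked against the KB you actually apply, and changes only take effect after a reboot.

```powershell
# Added example, not from the original post. Audits (and optionally disables)
# the SCHANNEL cipher subkeys with symmetric strength below 128 bits.
# Run as Administrator; -Disable writes Enabled=0, which needs a reboot to apply.
param([switch]$Disable)

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Constructed list of sub-128-bit cipher subkeys (plus NULL). A missing subkey
# or a missing 'Enabled' value means SCHANNEL keeps the cipher enabled, which is
# exactly what a scanner sees when it negotiates a weak cipher at the OS level.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

function Get-SchannelCipherState {
    param([string]$Name)
    # Use the .NET registry API: it splits only on '\', so the '/' in names
    # such as 'RC4 40/128' is literal (the PowerShell provider would split on it).
    $key = $hklm.OpenSubKey("$base\$Name")
    if ($null -eq $key) {
        return [pscustomobject]@{ Cipher = $Name; State = 'Default (enabled)' }
    }
    try   { $enabled = $key.GetValue('Enabled') }
    finally { $key.Close() }
    $state = if ($null -eq $enabled) { 'Default (enabled)' }
             elseif ($enabled -eq 0)  { 'Disabled' }
             else                     { 'Enabled' }
    [pscustomobject]@{ Cipher = $Name; State = $state }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # CreateSubKey opens the key writable, creating it when absent.
    $key = $hklm.CreateSubKey("$base\$Name")
    try   { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# Report the current state before touching anything.
$weakCiphers | ForEach-Object { Get-SchannelCipherState $_ } | Format-Table -AutoSize

if ($Disable) {
    foreach ($c in $weakCiphers) { Disable-SchannelCipher $c }
    Write-Host 'Weak ciphers set to Enabled=0; reboot for SCHANNEL to pick this up.'
    $weakCiphers | ForEach-Object { Get-SchannelCipherState $_ } | Format-Table -AutoSize
}
```

Running the audit before and after a scan documents whether the finding comes from the OS handshake rather than from what the listener will actually pass, which is the distinction the post is asking Microsoft to put in writing.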
