F5 Hardened Cipher suite profile (pentest recommendation)

Question

We have a pentest report that wants to DISABLE the following ciphers from our f5 profile; (we currently use 'f5-secure' & they want us to remove some ciphers from that to comply to the recommendation) ;

The following are NOT safe according to the pentesters; & according to the dutch government due to weaker encryption algorithms;

AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384

AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256

AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA

CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256

AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256

AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA

CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

I get that i can create a NEW f5-secure_V1; but how do i remove these specifc ciphers from f5-secure (or is there a cipher group that i can use that complies to this?)

Cheers!

NTBeheer

daniel_wolf · Answer

Hi ,try this string for Cipher Suites: ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256Maybe someone can do it more elegant... but it should suit your requirements.[root@awaf16:Active:Standalone] config # tmm --clientciphers 'ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256' | awk '{ print $3 }'
BITS
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
TLS13-AES128-GCM-SHA256
TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256&nbsp;I found this link useful for building cipher strings:https://wiki.mozilla.org/Security/Cipher_SuitesKRDanielEDIT: maybe it is easier to build a string when you tell us what you want to be available, rather than telling us what should be removed.

nicotinusbeheer · Answer

Hi Daniel; THANKS for your time; we will test this later today.

I'll get back on you for the exact string we want to be available; but for now this looks fine as well; i'll test this out first.

Thanks also for the link.

Cheers!

NTBeheer / Martijn

Forum Discussion

F5 Hardened Cipher suite profile (pentest recommendation)

2 Replies

Recent Discussions

About custome Response Blocking Page

About IPI check ip list

Cookie Violation - Expired TimeStamp.

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

CGNAT with DS-lite and LSN

Related Content

F5 SLEDFest 2022 Sacramento Edition - Securing and Hardening your BIG-IP presentation

Recommended Persistence for F5 working as ISP-LB ( ISP Load Balancing )

Security Hardening F5's BIG-IP with SELinux

SSLv3 POODLE mitigation recommendations

Hardening F5