How to enable TLS 1.2 cipher suites on Network Security Platform
Articles techniques ID:
KB94638
Date de la dernière modification : 6/28/2021
Environnement
McAfee Network Security Manager
McAfee Network Security Sensor Appliance
Problème
Older NSM builds that use TLS 1.0/1.1 ciphers might become vulnerable to exploit attacks.
To address this issue, McAfee strongly recommends that you upgrade to the latest NSP 10.1 software versions to use a strong cipher suite in NSM to Sensor communications.
But, an upgrade might not be an option.
NSM as a management software supports heterogeneous sensor models running different sensor software versions.
You might have M-Series sensors, supporting TLSv1.0 deployed. Or, you might be running VM and NS-Series sensors, on older sensor software that only supports TLS 1.0/1.1.
You need to keep your existing infrastructure, but restrict NSP communication to TLS 1.2.
NSM 10.1 M4 allows you to restrict its operations to TLS 1.2 protocol, provided that the sensors attached to also support TLS 1.2.
If you are unable to immediately upgrade your setup to the latest NSP 10.1 software, use the following solution to enable TLS 1.2 on your NSM Server.
Solution
IMPORTANT:
- Read the entire solution and be aware you need to restart the NSM and upgrade your Sensor software
- You must perform all following steps
- After TLS 1.2 is enabled on NSM, you can’t add sensors with old software versions that do not support TLS 1.2 ciphers
- When you configure your NSM to exclusively use TLS1.2, Sensor-to-manager communication breaks for old Sensor software versions.
You must upgrade your Sensor to a software version that only supports TLS 1.2 ciphers
For a guide to the needed minimum versions, see the table in the section: Configure NSM-Sensor Communication to only use TLS 1.2 below
Enable Client Browser to NSM Communication using TLS 1.2
- Upgrade your manager 10.1.7.35 or later.
- Navigate to: <NSM Install Dir.>/App/apache-tomcat/conf/.
- Take a copy of the Server.xml file and place it in a safe place.
- Open Server.xml in an editor of your choice.
- Navigate to the <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" section.
- Scroll down to:
sslEnabledProtocols="TLSv1.2"
- Remove the following ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
Your edited section looks like:
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
maxPostSize="10485760"
URIEncoding="UTF-8" />
- Save the changes.
Configure NSM-Sensor Communication to only use TLS 1.2:
- Navigate to <NSM Install Directory>/App/config/.
- Take a copy of ems.properties and place it in a safe directory.
- Open ems.properties in an editor of your choice.
- Scroll to the end of ems.properties.
- Insert the line:
iv.core.ism.ssl.allowOnlyTLSv1.2=true
- Save your changes and restart the NSM service.
- Upgrade your Sensor software to a version that only supports the configured TLS 1.2 Ciphers:
(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
IMPORTANT: Sensor to manager communication has now stopped unless you upgrade your Sensor to a software version that only supports TLS 1.2 ciphers.
Upgrade your Sensors to the following minimum version, or later if possible:
| Sensor version |
Model |
Non-FIPS |
FIPS |
FIPS + CC |
| 9.1 |
NS-Series |
9.1.5.102 - 9.1 M7 |
9.1.17.18 - 9.1M7 |
9.1.17.121 - 9.1M7 |
| M-Series |
9.1.3.18 - 9.1 M7 |
-- |
-- |
| VM |
9.1.7.27 - 9.1 M7 |
-- |
-- |
| 9.2 |
NS-Series |
9.2.5.190 – 9.2 M6 |
-- |
|
| M-Series |
-- |
-- |
-- |
| VM |
9.2.7.65 - 9.2 M6 |
-- |
-- |
| 10.1 |
NS-Series |
10.1.5.92 – 10.1 M5 |
-- |
-- |
| VM |
10.1.7.65 – 10.1 M5 |
10.1.17.26 – 10.1 M5 |
10.1.17.26 – 10.1 M5 |
Configure your NSM Server so vulnerability scans do not list it as using weaker and older Cipher suites:
- Navigate to <NSM Install Directory>/App/jre/lib/security/.
- Make a backup of the java.security file and place it in a safe place.
- Open java.security in a file editor.
- Scroll to the following line:
- NSM 9.1:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
- NSM 9.2:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
- NSM 10.1:
jdk.tls.disabledAlgorithms=anon, NULL, DHE, DESede, ECDH, ECDSA, SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224
- Edit the line to the following:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256
- Restart the NSM service.
Final changes:
T he sensor packet-log channel now shows as DOWN. To make it UP:
- Open the NSM GUI.
- Disable the packet log channel encryption.
- Navigate to <NSM Install Directory>/App/config/.
- Open ems.properties in an editor of your choice.
- Add the line:
iv.core.ism.ssl.allowNullEncryption=true
- Save your changes.
- Restart the NSM service.
|
