ONTAP Discussions

DES and IDEA Cipher Suites


Vulnerability Description:
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA algorithms are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.


Vulnerability Solution:
Configure the server to disable support for DES and IDEA cipher suites.


Can anyone tell me how to resolve this vulnerability on a Netapp FAS2552 running 8.3P1 clustermode, with iscsi and CIFS protocols?


Thanks in advance.



This version of ONTAP only support TLS 1.0 (& SSLv3).  Enabling FIPS 140-2 mode for web services will disable some ciphers, including RC4.  


SSH is more configurable in this release - per the sysadmin guide:



Data ONTAP supports OpenSSH client version 5.4p1 and OpenSSH server version 5.4p1. Only the SSH v2 protocol is supported; SSH v1 is not supported. • Data ONTAP supports a maximum of 64 concurrent SSH sessions per node. If the cluster management LIF resides on the node, it shares this limit with the node management LIF. If the rate of incoming connections is higher than 10 per second, the service is temporarily disabled for 60 seconds. • Data ONTAP supports only the AES and 3DES encryption algorithms (also known as ciphers) for SSH. AES is supported with 128, 192, and 256 bits in key length. 3DES is 56 bits in key length as in the original DES, but it is repeated three times.


Data ONTAP supports the following SSH security configurations for the cluster and SVMs: • The following SSH key exchange algorithms are supported and enabled by default: ◦ The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2 ◦ The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1 SHA-2 algorithms are more secure than SHA-1 algorithms. Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client. To further enhance SSH security, you can manually disable the SHA-1 algorithms and leave only the SHA-2 algorithm enabled. • For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the AES and 3DES symmetric encryptions are supported and enabled by default: ◦ aes256-ctr Managing access to the cluster (cluster administrators only) | 135 ◦ aes192-ctr ◦ aes128-ctr ◦ aes256-cbc ◦ aes192-cbc ◦ aes128-cbc ◦ 3des-cbc The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same mode, the higher the key size, the more secure the cipher. Of the ciphers supported by Data ONTAP, aes256-ctr is the most secure, and 3des-cbc is the least secure. You can manage the SSH key exchange algorithms and ciphers for the cluster and SVMs...



Many thanks for the reply!