A few of my clients get audited for compliance. The ASAs seem to get reported for having faulty or insecure SSL ciphers. My first thought was to keep the OS updated. Although that helps with the audits, they were still getting flagged for having weak ciphers enabled.
To protect against SSL vulnerabilities it is important to disable SSLv3 and weak ciphers on your Cisco ASA device.
To change the supported protocols and ciphers, log in to the Cisco ASA via SSH. You can list the current SSL configuration with show ssl and then make the required changes.
You should disable SSLv3 due to the POODLE vulnerability, and you should verify that you are using strong ciphers. I prefer to use ciphers that support PFS, but the Cisco AnyConnect iOS app for the SSL VPN does not support the PFS ciphers, so I had to include aes256-sha1 and aes128-sha1.

asa5505(config)# ssl client-version tlsv1-only
asa5505(config)# ssl server-version tlsv1
asa5505(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

asa5505# show ssl
Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

Done.
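When you have more than one ASA to check for an audit, it helps to run the show ssl output through a small script rather than reading it by eye. The following is an added example, not part of the original post and not a Cisco tool: it parses the two lines of show ssl that matter here (the accepted/negotiated protocol line and the enabled cipher order), separates PFS ciphers (dhe-/ecdhe- key exchange) from non-PFS ones, and flags legacy protocols and weak cipher names. The "before" sample is constructed for illustration; the "after" sample is the output shown above. The weak-cipher name list (RC4, DES, 3DES, MD5, NULL) is my own audit assumption.

```python
"""Audit Cisco ASA `show ssl` output for SSLv3 and weak ciphers (added example)."""
import re

# Key-exchange prefixes that provide forward secrecy (the PFS ciphers preferred in the post).
PFS_PREFIXES = ("dhe-", "ecdhe-")
# Assumption for this audit: cipher-name tokens treated as weak.
WEAK_PATTERN = re.compile(r"(?:^|-)(?:3des|des|rc4|null|md5)(?:-|$)")
# Protocols the server should never negotiate (POODLE affects SSLv3).
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}

ACCEPT_RE = re.compile(
    r"Accept connections using (\S+)(?: or greater)? and negotiate to (\S+)(?: or greater)?",
    re.IGNORECASE,
)
CIPHER_RE = re.compile(r"Enabled cipher order:\s*(.*)", re.IGNORECASE)

# `show ssl` output from the post, after the hardening commands.
SAMPLE_AFTER = """\
Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
"""

# Constructed sample of a weak configuration (not taken from a real device).
SAMPLE_BEFORE = """\
Accept connections using SSLv3 or greater and negotiate to SSLv3 or greater
Start connections using SSLv3 and negotiate to SSLv3 or greater
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 des-sha1 rc4-md5
"""


def audit_show_ssl(show_ssl_output: str) -> dict:
    """Parse `show ssl` text and return audit findings.

    accepted_min     lowest ClientHello version the server accepts
    negotiated       protocol the server negotiates to
    negotiates_legacy True if the negotiated protocol is SSLv2/SSLv3
    pfs_ciphers / non_pfs_ciphers / weak_ciphers  cipher lists in configured order
    ok               True only when no legacy protocol is negotiated and no weak cipher is enabled
    """
    accepted_min = negotiated = None
    ciphers = []
    for line in show_ssl_output.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepted_min, negotiated = m.group(1), m.group(2)
            continue
        m = CIPHER_RE.search(line)
        if m:
            ciphers = m.group(1).split()

    pfs = [c for c in ciphers if c.lower().startswith(PFS_PREFIXES)]
    non_pfs = [c for c in ciphers if c not in pfs]
    weak = [c for c in ciphers if WEAK_PATTERN.search(c.lower())]
    negotiates_legacy = negotiated is not None and negotiated.lower() in LEGACY_PROTOCOLS

    return {
        "accepted_min": accepted_min,
        "negotiated": negotiated,
        "negotiates_legacy": negotiates_legacy,
        "pfs_ciphers": pfs,
        "non_pfs_ciphers": non_pfs,
        "weak_ciphers": weak,
        "ok": not negotiates_legacy and not weak,
    }


def report(name: str, show_ssl_output: str) -> None:
    """Print a one-screen summary for a device."""
    r = audit_show_ssl(show_ssl_output)
    print(f"== {name}: {'OK' if r['ok'] else 'FINDINGS'}")
    print(f"   accepts {r['accepted_min']} hellos, negotiates {r['negotiated']}")
    print(f"   PFS ciphers:     {r['pfs_ciphers']}")
    print(f"   non-PFS ciphers: {r['non_pfs_ciphers']}")
    print(f"   weak ciphers:    {r['weak_ciphers']}")


if __name__ == "__main__":
    report("constructed weak config", SAMPLE_BEFORE)
    report("post's hardened config", SAMPLE_AFTER)
```

On the hardened output above the script reports no legacy negotiation and no weak ciphers, while still listing aes256-sha1 and aes128-sha1 under non-PFS so the AnyConnect trade-off is visible in the audit record. It also surfaces that the server still accepts an SSLv2 ClientHello (accepted_min) even though it negotiates only TLSv1; that is exactly what the post's show ssl says, and whether an auditor accepts it is a policy decision, not something the script decides.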