Avaya G450 weak ciphers 1

Status
Not open for further replies.

nguzmanm

IS-IT--Management
Aug 16, 2013
6
MX
Hello All,

We have a proteus finding in all our Avaya G450 media gateways and they are requesting us to remove some weak ciphers. Can anyone help me with information on how we can make this change? We want to remove these two ciphers:

Ciphers List: aes128-ctr, aes128-cbc, 3des-cbc

Thanks in advance.
 
Agree with Kyle

Your security team may want to review NIST SP800-131Ar1, SP800-67r1, FIPS 140-2, and FIPS 197. As far as I can tell, AES-128 is an approved standard. One of the only ones at less than 256. Of course I may have missed an update somewhere along the line. I'm not a security expert.

You may need to enable FIPS mode on the gateway in order to get what you want. Keep in mind, however, that when you enable FIPS mode it will wipe the configuration and you will need to reprogram from scratch. Suggest you capture the running/startup configuration first. Also, you probably need to be on CM7.1 (assuming TLS1.2 is also a requirement).
 
Below is the version:

g450_1guevs01-001(super)# show image ver
Bank         Version
-----------  -------
A            30.15.0
B (current)  36.8.0

Thank you for your help on this.

@jimbo -- Are you saying that the only way to disable the cipher is reprogramming the gateway?

Thanks in advance.
 
Not really reprogramming. The default cipher list is dictated by the firmware version. So, if you booted off 30.whatever in bank A, it would support even less secure stuff.

I found a support article that says in 7.1 gw firmware you'll be able to configure it yourself. So, I believe for where you're at that upgrading your gateway is the only way to get new ciphers enabled and old ones disabled, with the added benefit at 7.1 that you should have the ability to change them.
 
It's the CBC Chain block cipher part that is the weakness -

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
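
Added example, not part of the thread and not Avaya code: the cipher names in the finding are SSH cipher names, so one way to confirm whether a firmware upgrade actually dropped the CBC entries is to decode the server's SSH_MSG_KEXINIT message (RFC 4253, section 7.1) and list what it still offers. It assumes the finding concerns the gateway's SSH service and that you already have the KEXINIT payload with packet framing removed; the function names are hypothetical and the sample payload is constructed, not captured from a gateway.

```python
import struct

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists from a KEXINIT payload (framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}          # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"{name} length {length} exceeds payload")
        raw = payload[pos:pos + length].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += length
    return out

def cbc_ciphers(payload: bytes) -> list:
    """Return the CBC-mode ciphers the server offers in either direction."""
    lists = parse_kexinit(payload)
    offered = set(lists["encryption_c2s"]) | set(lists["encryption_s2c"])
    return sorted(c for c in offered if c.endswith("-cbc"))

def build_kexinit(ciphers: list) -> bytes:
    """Construct a sample payload for offline testing (hypothetical helper)."""
    values = dict.fromkeys(FIELDS, "")
    values.update(kex_algorithms="diffie-hellman-group14-sha1",
                  server_host_key_algorithms="ssh-rsa",
                  encryption_c2s=",".join(ciphers), encryption_s2c=",".join(ciphers),
                  mac_c2s="hmac-sha1", mac_s2c="hmac-sha1",
                  compression_c2s="none", compression_s2c="none")
    body = b"".join(struct.pack(">I", len(v)) + v.encode("ascii")
                    for v in (values[f] for f in FIELDS))
    # Trailer: first_kex_packet_follows (boolean) and reserved uint32.
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

if __name__ == "__main__":
    sample = build_kexinit(["aes128-ctr", "aes128-cbc", "3des-cbc"])  # list from the post
    print("CBC ciphers still offered:", cbc_ciphers(sample))
```

An empty result from `cbc_ciphers` after the change means only non-CBC ciphers such as aes128-ctr remain in the offer.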
 