The Infoblox system must present only approved TLS and SSL cipher suites.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233888	IDNS-8X-400030	SV-233888r621666_rule		Medium

Description
Infoblox systems ship with a wide range of cipher suites to support management in a variety of customer environments. Infoblox may have customers that require these cipher suites for backward compatibility. Over time specific cipher suites may become unfavorable for a variety of reasons, including being replaced by stronger suites, or vulnerabilities are discovered and they are no longer considered secure. Configuration of cipher suites within NIOS directly affects the default HTTPS management system. Note that Infoblox systems do not enable Secure Shell (SSH) by default, but it can be enabled by system administrators and shares configuration of the cipher suites with HTTPS.

Description

Infoblox systems ship with a wide range of cipher suites to support management in a variety of customer environments. Infoblox may have customers that require these cipher suites for backward compatibility. Over time specific cipher suites may become unfavorable for a variety of reasons, including being replaced by stronger suites, or vulnerabilities are discovered and they are no longer considered secure. Configuration of cipher suites within NIOS directly affects the default HTTPS management system. Note that Infoblox systems do not enable Secure Shell (SSH) by default, but it can be enabled by system administrators and shares configuration of the cipher suites with HTTPS.

STIG	Date
Infoblox 8.x DNS Security Technical Implementation Guide	2021-01-11

Details

Check Text ( C-37073r611184_chk )
Configuration of the SSL/TLS cipher suite is performed on the Grid Master, or the stand-alone system using the CLI. 1. Use the following commands to display the status and configuration: show ssl_tls_settings show ssl_tls_protocols show ssl_tls_ciphers 2. Review the output from "show ssl_tls_ciphers" and note those marked as "enabled". 3. Compare this to the list of currently approved ciphers. DISA recommends: Ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 Protocols: TLSv1.2 If any unapproved cipher suites are enabled, this is a finding.

Check Text ( C-37073r611184_chk )

Configuration of the SSL/TLS cipher suite is performed on the Grid Master, or the stand-alone system using the CLI.

1. Use the following commands to display the status and configuration:
show ssl_tls_settings
show ssl_tls_protocols
show ssl_tls_ciphers
2. Review the output from "show ssl_tls_ciphers" and note those marked as "enabled".
3. Compare this to the list of currently approved ciphers. DISA recommends:

Ciphers:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256

Protocols:
TLSv1.2

If any unapproved cipher suites are enabled, this is a finding.

Fix Text (F-37038r611185_fix)
1. Close all existing HTTPS management sessions and log on to the Grid Master, or the stand-alone system using the CLI. 2. Use the following command to display the status: "show ssl_tls_settings". 3. If the output shows "default", the system administrator must first override the default settings to enable editing using the following command: "set ssl_tls_settings override". 4. For each cipher suite to be disabled, use the following procedure. Identify the numerical designation of the cipher suite using: "show ssl_tls_ciphers". 5. Use the following command to disable, replacing NNN with the appropriate number: "set ssl_tls_ciphers disable NNN". 6. Repeat this procedure to disable unapproved cipher suites. The numerical list will be reordered each time it is modified and requires careful validation. 7. In addition to specific cipher suites, a set of SSL/TLS protocols can also be enabled or disabled as desired. 8. Review the output from "show ssl_tls_protocols" from the Check procedure. 9. Use the CLI command: "set ssl_tls_protocols disable TLSv1.0", to disable TLS v1.0. 10. Use the CLI command: "set ssl_tls_protocols disable TLSv1.1", to disable TLS v1.1. 11. Use the "show ssl_tls_settings" and show "ssl_tls_protocols" commands to ensure compliance. 12. Using an approved web browser, verify functionality if protocol or TLS settings were modified. Refer to the Infoblox CLI Guide for additional information if necessary.

Fix Text (F-37038r611185_fix)

1. Close all existing HTTPS management sessions and log on to the Grid Master, or the stand-alone system using the CLI.
2. Use the following command to display the status: "show ssl_tls_settings".
3. If the output shows "default", the system administrator must first override the default settings to enable editing using the following command: "set ssl_tls_settings override".
4. For each cipher suite to be disabled, use the following procedure. Identify the numerical designation of the cipher suite using: "show ssl_tls_ciphers".
5. Use the following command to disable, replacing NNN with the appropriate number: "set ssl_tls_ciphers disable NNN".
6. Repeat this procedure to disable unapproved cipher suites. The numerical list will be reordered each time it is modified and requires careful validation.
7. In addition to specific cipher suites, a set of SSL/TLS protocols can also be enabled or disabled as desired.
8. Review the output from "show ssl_tls_protocols" from the Check procedure.
9. Use the CLI command: "set ssl_tls_protocols disable TLSv1.0", to disable TLS v1.0.
10. Use the CLI command: "set ssl_tls_protocols disable TLSv1.1", to disable TLS v1.1.
11. Use the "show ssl_tls_settings" and show "ssl_tls_protocols" commands to ensure compliance.
12. Using an approved web browser, verify functionality if protocol or TLS settings were modified.

Refer to the Infoblox CLI Guide for additional information if necessary.