For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Moinul_Rony's avatar
Moinul_Rony
Icon for Altostratus rankAltostratus
Sep 04, 2014

How to disable CIPHER for and Disable TCP time stamp on F5 ?

Hi, We have just being chased by PCI Compliance about having vulnerabily that detected WEAK CIPHER support and TCP Timestamp being turned ON. --Report say our application: Negotiated with the fol...
application delivery
devops
iRules
mimlo_61970's avatar
mimlo_61970
Icon for Cumulonimbus rankCumulonimbus
Sep 04, 2014

Security through obscurity...

 

Anyway it looks like they added the option to disable this. In version 11.4.0 and up they seperated window scaling from timestamp for the high performance options in the TCP Profile.

 

See http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7559.html

 

Still not recomended to disable, but if you cannot accept the risk with PCI at least you have the option. Is this coming up in a formal audit, or just a security scan? I don't think PCI strictly states this option must be off, and thus it is open to each auditor/penetration test to decide. I'd push back on them, and use sol8072 above as suporting evidence.

 

  • mimlo_61970's avatar
    mimlo_61970
    Icon for Cumulonimbus rankCumulonimbus
    Sep 04, 2014
    Also, find out what ciphers they are considering weak. RC4 with TLS1.1 and above seems to be highly out of favor, but the last time I asked support about it they could not disable RC4 for just TLS1.1 and above, you had to disable it completely. You can go to ssllabs.com and put in your website and get their assessment of it with some recomendations.