Forum Discussion
dw_888_212625
Nimbostratus
Oct 27, 2015
Mitigate BEAST vulnerable
For LTM version 11.5.3, using cipher DEFAULT:!RC4.
If we would like to include the disabling of cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, how can this be done?
Can we not remove DEFAULT:!RC4? Do we need...
Brad_Parker_139
Nacreous
Oct 27, 2015
DEFAULT:!RC4:!RSA+3DES should do the trick for you.

Brad_Parker_139
Nacreous
Oct 27, 2015
Recommended vs required support can be two different things. If you are required to maintain support for TLSv1, allowing BEAST vulnerable CBC ciphers is the better option vs RC4 (SSL Labs grade will be higher). If you are not required to support TLSv1 (PCI-DSS no longer allows TLSv1 for new implementations), then disabling TLSv1 and RC4 are the best course of action. Disabling 3DES is something all on its own. If you can afford to disable TLSv1 then you can probably afford to disable 3DES as well, as IE on Windows XP will be left in the cold by disabling either one. 'DEFAULT:!RC4:!3DES:!TLSv1' will leave you in a good security posture, but users still wanting to use IE on Windows XP will not be able to connect (they can still use Chrome or Firefox).
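
Added example (not part of the thread, and not F5 code): a small Python check that takes a cipher listing and flags the three things discussed above: RC4 suites, 3DES suites, and CBC suites still negotiable at TLSv1 or below (the BEAST case). The one-pair-per-line input format, the OpenSSL-style suite names and both sample listings are constructed assumptions.

```python
# BEAST targets CBC suites negotiated at TLS 1.0 or below.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}

# Constructed sample, one "SUITE PROTOCOL" pair per line (format is an assumption):
# roughly what a listener may still offer once only RC4 has been removed.
ONLY_RC4_REMOVED = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
AES128-SHA                  TLSv1
AES128-SHA                  TLSv1.2
DES-CBC3-SHA                TLSv1
DES-CBC3-SHA                TLSv1.2
ECDHE-RSA-DES-CBC3-SHA      TLSv1.2
"""

# Constructed sample: the same listener with 3DES and TLSv1 also removed.
HARDENED = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
AES128-SHA                  TLSv1.2
"""

def classify(suite, protocol):
    """Return the findings that apply to one suite/protocol pair."""
    name = suite.upper()
    findings = set()
    if "RC4" in name:
        findings.add("RC4")
    if "DES-CBC3" in name or "3DES" in name:
        findings.add("3DES")
    # At SSLv3/TLSv1 every encrypting suite that is not RC4 uses CBC mode.
    if protocol in LEGACY_PROTOCOLS and "RC4" not in name and "NULL" not in name:
        findings.add("BEAST-CBC")
    return findings

def audit(listing):
    """Map each finding to the (suite, protocol) pairs that trigger it."""
    report = {"RC4": [], "3DES": [], "BEAST-CBC": []}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # ignore blank or malformed lines
        for finding in classify(*parts):
            report[finding].append(tuple(parts))
    return report

if __name__ == "__main__":
    for label, listing in (("only RC4 removed", ONLY_RC4_REMOVED), ("hardened", HARDENED)):
        print(label, {k: len(v) for k, v in audit(listing).items()})
```

An empty report for all three keys means the listing has none of the weaknesses the thread covers; any remaining entry names the suite and protocol still to be excluded.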