How to disable insecure protocols? Post: 302962438

Sponsored Content

Operating Systems AIX How to disable insecure protocols? Post 302962438 by agent.kgb on Monday 14th of December 2015 04:49:14 PM

12-14-2015

Registered User

Unfortunately nobody can understand what your security dept requires from you. As for me it seems that they even don't understand what they want. You have to speak with them and make clear:

1. There is no single point in a UNIX operating system, where you can enable or disable a cipher. Every application can implement its own cipher and you have no control over it.

2. There are at least 2 "cipher libraries" - IBM's GSKit and OpenSSL. OpenSSL can be IBM-compiled, Perzl-compiled, Michael Felt-compiled, Bull-compiled, and own-compiled. As far as I remember, Michael Felt also has LibreSSL for AIX, but he knows it better and he is sometimes here. This is the 3rd "cipher library", which can be used.

3. There are some places, even in AIX, which have nothing common with these libraries. E.g. password hashing is implemented using so called Loadable Password Algorithm (LPA) modules. AIX has modules for MD5, SHA1, SHA256, SHA512, Blowfish. If somebody requires some other module, they have to develop it on their own.

4. There is 3rd party software, which has their own cipher modules, and doesn't depend on libraries. The best example is OpenSSH. You can have IBM-compiled OpenSSH, or Michael's compiled OpenSSH. You can also have some other SSH-based servers and clients, e.g. Tectia SSH server. And you're right, when you speak about Java - it has its own SSL implementation.

Just to make it easy - you are not the only one, who receives such stupid requirements from people thinking they are "security professionals" and who've read yesterday for the first time in the lifes about POODLE or some other bug in OpenSSL. Your duty as a professional system administrator is to speak with them and make them clear that their requirements too inaccurate and cannot be implemented without additional information.

agent.kgb

View Public Profile for agent.kgb

Find all posts by agent.kgb

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

network protocols

Which network protocol is used by UNIX systems to make remote file systems appear as if they are local?

2. UNIX for Dummies Questions & Answers

Protocols

What protocol would be the best to use on a network with nt and unix servers and windows me clients? Can SMB protocol be used to implement large networks? What protocol can be used to make remote file systems appear as if they are local? Quite a few questions I know, any help would be...

3. UNIX for Advanced & Expert Users

More command insecure

The more command allows a user to invoke shell. If it is run using the sudo command this will give a user a possibility to run whatever he wants with root's privilegies. Does anybody know about a command with the same abilities that more but without escape to shell?

4. IP Networking

define IP protocols on network

what method would I use to determine which IP protocols network

5. Cybersecurity

Netfilter conntracking for P2P protocols (edonkey, bittorent...)

Hi everyone, I would like to allow multi users to access P2P networks, so I wonder if there's a way to tracking these kind of protocols with netfilter, and also compatibility with nat, like the module conntrack_ftp seems to do with the FTP protocol. Thanks guys.

6. Shell Programming and Scripting

How to disable Enable/Disable Tab Key

Hi All, I have bash script, so what is sintax script in bash for Enable and Disable Tab Key. Thanks for your help.:( Thanks, Rico

7. IP Networking

what are L2,L3 protocols.

hello forum members, What are L2 and L3 Protocols and can u brief me a bit little ie to gain a basic knowledge. Thanks & Regards Rajkumar g

8. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and...

LEARN ABOUT CENTOS

xmremoveprotocols

XmRemoveProtocols(library call) 										   XmRemoveProtocols(library call)

NAME

       XmRemoveProtocols -- A VendorShell function that removes the protocols from the protocol manager and deallocates the internal tables

SYNOPSIS

       #include <Xm/Xm.h>
       #include <Xm/Protocols.h>
       void XmRemoveProtocols(
       Widget shell,
       Atom property,
       Atom * protocols,
       Cardinal num_protocols);

DESCRIPTION

       XmRemoveProtocols  removes the protocols from the protocol manager and deallocates the internal tables. If any of the protocols are active,
       it will update the handlers and update the property if shell is realized.

       XmRemoveWMProtocols is a convenience interface.	It calls XmRemoveProtocols with the property value set to the atom returned  by  interning
       WM_PROTOCOLS.

       shell	 Specifies the widget with which the protocol property is associated

       property  Specifies the protocol property

       protocols Specifies the protocol atoms

       num_protocols
		 Specifies the number of elements in protocols

       For a complete definition of VendorShell and its associated resources, see VendorShell(3).

RELATED

       VendorShell(3), XmAddProtocols(3), XmInternAtom(3), and XmRemoveWMProtocols(3).

														   XmRemoveProtocols(library call)