
lacework-global-214

Load balancer allows weak cipher suites (Automated)

Description

Alert when a load balancer has a backend set or listener configured with the cipher suite 'oci-wider-compatible-ssl-cipher-suite-v1'. This cipher suite includes algorithms such as Data Encryption Standard (DES) and RC4, which are considered weak and prone to attacks. This policy applies only to the predefined cipher suites provided by OCI, not to custom cipher suite values. Use the default, modern cipher suites that support stronger encryption.

Remediation

From Console:

  1. Login to OCI console.
  2. Select Networking from Services menu.
  3. Select Load Balancer from Networking menu.
  4. Click the name of a load balancer with a weak cipher suite.
  5. Under the Resources section, click Backend sets or Listeners.
  6. For both backend sets and listeners, click the kebab menu for each item in the table and click Edit.
  7. Click Show advanced options.
  8. Under the Select cipher suite heading, choose an option other than oci-wider-compatible-ssl-cipher-suite-v1.
  9. Click Save changes.
  10. Repeat steps 4-9 for every load balancer that has backend sets or listeners with weak cipher suites attached.

From CLI:

  1. Execute the following command to get a list of load balancers:

    oci lb load-balancer list --compartment-id <compartment_ocid>
  2. For each load balancer, execute the following command to get the attached backend-sets:

    oci lb backend-set list --load-balancer-id <load_balancer_ocid>
    Note: The OCI CLI does not provide a command to list listeners directly. You can extract them from the output of the command in step 1, within the listeners element.

  3. For each backend set/listener, update the referenced cipher suite with the following commands:

    oci lb backend-set update --backend-set-name <backend_set_name> --backends <json_containing_backends> --health-checker-protocol <http_or_tcp> --load-balancer-id <load_balancer_ocid> --policy <backend_set_policy> --cipher-suite-name <name_of_cipher_suite>

    OR

    oci lb listener update --default-backend-set-name <backend_set_name> --listener-name <name_of_listener> --load-balancer-id <load_balancer_ocid> --port <port_for_communication> --protocol <protocol> --cipher-suite-name <name_of_cipher_suite>
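As an added example (not part of this policy page or the OCI tooling), the following script applies the check behind steps 1 and 2 to the JSON that `oci lb load-balancer list` returns, walking both the listeners element and the backend sets of every load balancer and reporting the ones still using the weak suite. The key names ("display-name", "listeners", "backend-sets", "ssl-configuration", "cipher-suite-name") are assumed from the CLI's kebab-case output, and the sample output embedded below is constructed with placeholder OCIDs.

```python
import json
import sys

WEAK_SUITE = "oci-wider-compatible-ssl-cipher-suite-v1"


def find_weak_cipher_suites(cli_output, weak_suite=WEAK_SUITE):
    """Return (load_balancer, kind, item_name) for every listener or backend
    set whose SSL configuration references the weak cipher suite.
    cli_output is the raw JSON text printed by `oci lb load-balancer list`
    (key names assumed from the CLI's kebab-case output convention)."""
    findings = []
    for lb in json.loads(cli_output).get("data", []):
        lb_name = lb.get("display-name") or lb.get("id", "<unknown>")
        # Listeners are only visible inside the load balancer record itself;
        # backend sets are checked the same way so one pass covers both.
        for kind in ("listeners", "backend-sets"):
            for item_name, item in (lb.get(kind) or {}).items():
                ssl = item.get("ssl-configuration")
                if not ssl:
                    continue  # plain TCP/HTTP item: no TLS, nothing to check
                if ssl.get("cipher-suite-name") == weak_suite:
                    findings.append((lb_name, kind, item_name))
    return findings


# Constructed sample of the CLI output (placeholder OCIDs, not real resources).
SAMPLE_CLI_OUTPUT = json.dumps({"data": [
    {"display-name": "web-lb", "id": "ocid1.loadbalancer.oc1..example-1",
     "listeners": {
         "https-443": {"name": "https-443", "port": 443, "protocol": "HTTP",
                       "ssl-configuration": {"cipher-suite-name": WEAK_SUITE}},
         "http-80": {"name": "http-80", "port": 80, "protocol": "HTTP",
                     "ssl-configuration": None}},
     "backend-sets": {
         "app-pool": {"name": "app-pool", "policy": "ROUND_ROBIN",
                      "ssl-configuration": {"cipher-suite-name": "oci-default-ssl-cipher-suite-v1"}}}},
    {"display-name": "internal-lb", "id": "ocid1.loadbalancer.oc1..example-2",
     "listeners": {},
     "backend-sets": {
         "db-pool": {"name": "db-pool", "policy": "ROUND_ROBIN",
                     "ssl-configuration": {"cipher-suite-name": WEAK_SUITE}}}},
]})

if __name__ == "__main__":
    # Pipe real CLI output on stdin, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_OUTPUT
    for lb_name, kind, item_name in find_weak_cipher_suites(text):
        print(f"{lb_name}: {kind}/{item_name} uses {WEAK_SUITE}")
```

Run it as `oci lb load-balancer list --compartment-id <compartment_ocid> | python3 find_weak_suites.py` to get the list of items that step 3 must update.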

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__LB_WEAK_CIPHER_SUITE
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingciphersuites.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingciphersuites_topic-Predefined_Cipher_Suites.htm#predefinedciphersuites