Attix5 Pro FAQ

Strengthening weak Storage Platform connections

Article ID: 324
Last updated: 21 Oct, 2015

To keep up with secure data transmission practices, two security aspects need to be addressed on the Storage Platform (SP):

  1. Vulnerable connections
  2. Vulnerable operating system configurations

1. Vulnerable Storage Platform connections

  • Since Attix5 Pro version V8 (R4), AccountServers and StorageServers will no longer accept SSL connections, only TLS.
  • The insecure RC4 cipher should be blocked for connections to the SP. To disable all weak ciphers, including RC4, follow the steps as explained for SChannel vulnerabilities in FAQ article 279.

    Warning: If RC4 is disabled on your SP's operating system, Backup Client versions older than 7.14 will not be able to connect to the SP. Upgrade your Backup Clients to a later version.

2. Vulnerable operating system configurations

Since Attix5 Pro version V8 (R4), the SP will identify vulnerable cipher suites allowed by the operating system and log warnings on a daily basis in the AccountServer log in the SP Console.

Note: Typical insecure ciphers shown in the logs will be: DHE-related, TripleDES, RC4, and MD5 ciphers. Here's an example:

12:45:59  Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59  Warn: TLS_RSA_WITH_RC4_128_SHA
12:45:59  Warn: TLS_RSA_WITH_3DES_EDE_CBC_SHA
12:45:59  Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
12:45:59  Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
12:45:59  Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
12:45:59  Warn: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
12:45:59  Warn: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
12:45:59  Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59  Warn: SSL_CK_RC4_128_WITH_MD5
12:45:59  Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59  Warn: TLS_RSA_WITH_NULL_SHA256
12:45:59  Warn: TLS_RSA_WITH_NULL_SHA

Tip: Use the LogAnalyzer to view these entries in the log.
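
The warnings above can also be grouped by weakness outside the SP Console. The following is an added example, not Attix5 code: it assumes the log has been exported as plain text in the layout shown in the sample, and the function names and the category table (which adds NULL and SSL 2.0 `SSL_CK_` suites to the four types named in the note) are this example's own.

```python
import re
from collections import defaultdict

HEADER = "known weak cipher suites"            # text of the SP's header warning
LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\s+Warn:\s+(.*)$")  # assumed line layout
SUITE = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")

# Marker -> category. Follows the article's note, plus NULL and SSL 2.0
# (SSL_CK_*) suites, which also appear in its sample log.
REASONS = [("SSL_CK_", "SSL 2.0 cipher"), ("_NULL_", "no encryption"),
           ("RC4", "RC4"), ("3DES", "TripleDES"), ("DES_192_EDE3", "TripleDES"),
           ("_DHE_", "DHE-related"), ("MD5", "MD5")]

def classify(suite):
    """Return every weakness category that applies to a suite name."""
    found = []
    for marker, reason in REASONS:
        if marker in suite and reason not in found:
            found.append(reason)
    return found or ["unclassified"]

def weak_suites(log_text):
    """Map category -> sorted suite names listed under the header warning."""
    by_reason = defaultdict(set)
    in_block = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(1).strip() if m else ""
        if HEADER in msg:
            in_block = True                      # suite names follow
        elif in_block and SUITE.match(msg):
            for reason in classify(msg):
                by_reason[reason].add(msg)
        else:
            in_block = False                     # any other line ends the list
    return {r: sorted(s) for r, s in by_reason.items()}

# Constructed sample: a subset of the article's lines plus two invented ones.
SAMPLE = """\
12:45:58  Message: daily check started
12:45:59  Warn: The operating system is configured to allow the following known weak cipher suites:
12:45:59  Warn: TLS_RSA_WITH_RC4_128_MD5
12:45:59  Warn: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
12:45:59  Warn: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
12:45:59  Warn: TLS_RSA_WITH_NULL_SHA
12:46:10  Warn: unrelated warning
"""

if __name__ == "__main__":
    for reason, suites in sorted(weak_suites(SAMPLE).items()):
        print(f"{reason}: {', '.join(suites)}")
```

A suite can fall into more than one category, so it stays listed until every weakness in its name is addressed.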

To test for connection vulnerabilities:

  1. Go to: https://www.ssllabs.com/ssltest/
  2. Enter your SP's address in the Domain name box and click Submit.

The site will report any weaknesses.

Some vulnerabilities can be addressed by following the relevant steps below:

  1. To disable all weak ciphers (including RC4) and only use TLS:
    See "SChannel vulnerabilities" in FAQ article 279.
  2. To block insecure renegotiations:
    See "Insecure renegotiation" in FAQ article 279.
Revision: 18
Posted: 03 Aug, 2015 by Du Plessis S.
Updated: 21 Oct, 2015 by Du Plessis S.