Solved

Qualys Vulnerability Scanner - SSL/TLS Ciphers

Posted on 2016-09-26
5
57 Views
Last Modified: 2016-10-16
Hi,

Does anyone know if Qualys Vulnerability Scanner is able to detect the Ciphers that are active?

I am looking specifically for 192 3Des Ciphers in our environment.  I was told Qualys does not track this.

Thanks.
Question by:Member_2_7967562
5 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41817718
They have an equivalent online SSL cipher test to detect the weak and existing active ciphers @ https://www.ssllabs.com/ssltest/ so it should have the equivalent mechanism in their scanner services - Qualys Vulnerability mgmt. @ https://www.qualys.com/suite/vulnerability-management/features/

However, the scanner is not an asset inventory; though it may list out the cipher due to a vulnerability, it is not for tracking purposes. What you can likely expect from its scanner service is that it discovers the certificate, which will reveal the cipher implemented in the devices that are reachable in your environment. You can possibly see those in the vulnerability report generated with the service port open etc., but it surely will not meet your idea of tracking and revealing all existing ciphers if that is your requirement.
https://community.qualys.com/docs/DOC-1068

For e.g. SSL3 is revealed, but they will not reveal directly what the actual cipher associated with it is - you have to check the certificate's supported ciphers.
Asset Search Method

The first and perhaps simplest way is to perform an asset search. Simply go to Vulnerability Management > Assets > Asset Search. Consider searching all asset groups. Alternatively, you may want to limit to only assets scanned within 90 days or external hosts. The important thing is to include only assets that have QID 38116 containing the string “SSLv3_PROTOCOL_IS_ENABLED”
https://community.qualys.com/thread/13873

Note that Qualys is a cloud-based solution that detects vulnerabilities on all networked assets, including servers, network devices (e.g. routers, switches, firewalls, etc.), peripherals (such as IP-based printers or fax machines) and workstations. They do have the Private Cloud Platform in case the client is not reachable via the internet or needs it within its intranet scanning. The private cloud platform combines the virtualized Qualys software with a self-contained, internally-redundant cloud appliance. The platform comes pre-configured for your environment, for fast deployment.
0
 

Author Comment

by:Member_2_7967562
ID: 41817829
Thanks for your feedback.   I don't fully track.

So are you saying that Qualys does not have the ability to find 3DES 192bit Ciphers?  Can a rule be created to treat that cipher level as a Vulnerability?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41818083
Yes. It cannot find those ciphers. They only surface certificates installed on the devices discovered.

If the said cipher is tagged with a CVE or is a known vulnerability, the Qualys scan service as a Vulnerability mgmt tool may probably surface it, but it does not have a feature to surface 3DES (192 bit or 128 bits). The SSL Labs test will surface the cipher instead of the Vul mgmt scan tool.

Qualys has SSL Labs APIs that expose the complete SSL/TLS server testing functionality in a programmatic fashion, and they are maintaining ssllabs-scan, an open source command-line scanning tool that doubles as the reference API client. In short, this tool, as the command-line client for the SSL Labs APIs, may be more suited for automated and/or bulk testing for your use case. I do not think the Qualys Vul mgmt scanner has this - they are different.

 https://www.ssllabs.com/projects/ssllabs-apis/

Their supported API via the tool can gather the cipher info, e.g. /getEndpointData?host=www.ssllabs.com&s=173.203.82.166 is used to retrieve detailed endpoint information. It will return a single Endpoint object on success. The object will contain complete assessment information. One of the pieces of information in the "object" is
Suite

id - suite RFC ID (e.g., 5)
name - suite name (e.g., TLS_RSA_WITH_RC4_128_SHA)
cipherStrength - suite strength (e.g., 128)
dhStrength - strength of DH params (e.g., 1024)
dhP - DH params, p component
dhG - DH params, g component
dhYs - DH params, Ys component
ecdhBits - ECDH bits
ecdhStrength - ECDH RSA-equivalent strength
q - 0 if the suite is insecure, null otherwise
https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md#suites
0
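As an added illustration of the approach described in the answer above (this is example code, not part of the thread, ssllabs-scan, or Qualys), the script below walks the Suite entries of a getEndpointData result and flags 3DES suites, suites the API marks insecure, and suites at or below a chosen cipherStrength. The sample JSON is constructed; the field names follow the Suite object quoted above, while the details -> suites -> list nesting is an assumption about the response layout.

```python
"""Flag 3DES and other weak cipher suites in an SSL Labs endpoint result."""
import json

# Constructed sample shaped like the "suites" part of a getEndpointData response.
# Field names match the Suite object in the API docs; the nesting is assumed and
# the values are made up for this example.
SAMPLE_ENDPOINT = json.dumps({
    "ipAddress": "192.0.2.10",
    "details": {
        "suites": {
            "list": [
                {"id": 49199, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "cipherStrength": 128, "ecdhBits": 256, "ecdhStrength": 3072},
                {"id": 10, "name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 "cipherStrength": 112},
                {"id": 5, "name": "TLS_RSA_WITH_RC4_128_SHA",
                 "cipherStrength": 128, "q": 0},
            ]
        }
    }
})


def weak_suites(endpoint_json, max_strength=112):
    """Return a list of (suite name, reason) for every suite that is 3DES,
    is marked insecure by the API (q == 0), or has cipherStrength <= max_strength.
    Suites with no problem are omitted."""
    endpoint = json.loads(endpoint_json)
    suites = endpoint.get("details", {}).get("suites", {}).get("list", [])
    findings = []
    for suite in suites:
        name = suite.get("name", "")
        reasons = []
        # 3DES suites carry "3DES" (or the OpenSSL-style "DES_CBC3") in the name.
        if "3DES" in name or "DES_CBC3" in name:
            reasons.append("3DES suite")
        # q is 0 when SSL Labs considers the suite insecure, null/absent otherwise.
        if suite.get("q") == 0:
            reasons.append("flagged insecure (q=0)")
        strength = suite.get("cipherStrength")
        if strength is not None and strength <= max_strength:
            reasons.append("cipherStrength %d <= %d" % (strength, max_strength))
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in weak_suites(SAMPLE_ENDPOINT):
        print("%-45s %s" % (name, reason))
```

With a real run, feed the Endpoint object returned by ssllabs-scan for each host into weak_suites() instead of SAMPLE_ENDPOINT.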
 

Author Comment

by:Member_2_7967562
ID: 41818120
Thanks!
0
 
LVL 63

Expert Comment

by:btan
ID: 41845510
As per advised.
0
