Solved

Qualys Vulnerability Scanner - SSL/TLS Ciphers

Posted on 2016-09-26
Last Modified: 2016-10-16
Hi,

Does anyone know if Qualys Vulnerability Scanner is able to detect the ciphers that are active?

I am looking specifically for 192 3Des Ciphers in our environment.  I was told Qualys does not track this.

Thanks.
Question by:Member_2_7967562
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
They have an equivalent online SSL cipher test to detect the weak and existing active ciphers @ https://www.ssllabs.com/ssltest/ so it should have the equivalent mechanism in their scanner services - Qualys Vulnerability mgmt. @ https://www.qualys.com/suite/vulnerability-management/features/

However, the scanner is not an asset inventory; though it may list out the cipher due to a vulnerability, it is not for tracking purposes. What you can likely expect from its scanner service is that it discovers the certificate, which will reveal the cipher implemented in the devices that are reachable in your environment. You can possibly see those from the vulnerability report generated, with the service port open etc., but it surely will not meet your idea of tracking and revealing all existing ciphers if that is your requirement.
https://community.qualys.com/docs/DOC-1068

For e.g. SSL3 is revealed, but they will not reveal directly what the actual cipher associated with it is - one has to check the certificate's supported ciphers.
Asset Search Method

The first and perhaps simplest way is to perform an asset search. Simply go to Vulnerability Management > Assets > Asset Search. Consider searching all asset groups. Alternatively, you may want to limit to only assets scanned within 90 days or external hosts. The important thing is to include only assets that have QID 38116 containing the string “SSLv3_PROTOCOL_IS_ENABLED”
https://community.qualys.com/thread/13873

Note that Qualys is a cloud-based solution that detects vulnerabilities on all networked assets, including servers, network devices (e.g. routers, switches, firewalls, etc.), peripherals (such as IP-based printers or fax machines) and workstations. They do have the Private Cloud Platform in case the client is not reachable via the internet or will need it within its intranet scanning. The private cloud platform combines the virtualized Qualys software with a self-contained, internally-redundant cloud appliance. The platform comes pre-configured for your environment, for fast deployment.
 

Author Comment

by:Member_2_7967562
Thanks for your feedback.   I don't fully track.

So are you saying that Qualys does not have the ability to find 3DES 192bit Ciphers?  Can a rule be created to treat that cipher level as a Vulnerability?
 
LVL 61

Accepted Solution

by:btan
btan earned 500 total points (awarded by participants)
Yes. It cannot find those ciphers. They only surface certificates installed in the devices discovered.

If the said cipher is tagged with CVE or is known vulnerability, Qualys scan services as a Vulnerability mgmt tool may probably surface it but it does not have a feature to surface 3DES (192 bit or 128 bits). The SSL lab test will surface the cipher instead of the Vul mgmt scan tool.

Qualys's SSL Labs APIs expose the complete SSL/TLS server testing functionality in a programmatic fashion, and they are maintaining ssllabs-scan, an open source command-line scanning tool that doubles as the reference API client. In short, this tool, as the command-line client for the SSL Labs APIs, may be more suited for automated and/or bulk testing for your use case. I do not think the Qualys Vul mgmt scanner has this - they are different.

https://www.ssllabs.com/projects/ssllabs-apis/

Their supported API via the tool can gather the cipher info, e.g. /getEndpointData?host=www.ssllabs.com&s=173.203.82.166 is used to retrieve detailed endpoint information. It will return a single Endpoint object on success. The object will contain complete assessment information. One of the pieces of information in the object is the
Suite

id - suite RFC ID (e.g., 5)
name - suite name (e.g., TLS_RSA_WITH_RC4_128_SHA)
cipherStrength - suite strength (e.g., 128)
dhStrength - strength of DH params (e.g., 1024)
dhP - DH params, p component
dhG - DH params, g component
dhYs - DH params, Ys component
ecdhBits - ECDH bits
ecdhStrength - ECDH RSA-equivalent strength
q - 0 if the suite is insecure, null otherwise
https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md#suites
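As an added example (not code from this thread or from the ssllabs-scan project), a small Python filter that walks a saved getEndpointData response and lists the 3DES suites, using the Suite fields quoted above (id, name, cipherStrength, q). The sample response is constructed and its nesting under details/suites/list is an assumption about the response layout; the walker therefore finds Suite objects wherever they sit rather than relying on that path.

```python
"""Flag 3DES and insecure suites in an SSL Labs getEndpointData response.

Added example, not part of the original thread or of ssllabs-scan.
Suite fields follow the API docs quoted in the thread; the nesting of
the constructed sample below is an assumption, so iter_suites() does
not depend on it.
"""
import json

# Constructed sample: a cut-down Endpoint object with three suites.
# SSL Labs reports 3DES at its effective strength of 112 bits.
SAMPLE_ENDPOINT_JSON = """
{
  "ipAddress": "192.0.2.10",
  "grade": "B",
  "details": {
    "suites": {
      "list": [
        {"id": 10, "name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "cipherStrength": 112},
        {"id": 49171, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "cipherStrength": 128, "ecdhBits": 256},
        {"id": 5, "name": "TLS_RSA_WITH_RC4_128_SHA", "cipherStrength": 128, "q": 0}
      ]
    }
  }
}
"""

def iter_suites(node):
    """Yield every Suite-shaped dict (has 'name' and 'cipherStrength')
    found anywhere in the parsed response, however it is nested."""
    if isinstance(node, dict):
        if "name" in node and "cipherStrength" in node:
            yield node
        for value in node.values():
            yield from iter_suites(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_suites(item)

def find_3des_suites(endpoint_json):
    """Return the sorted names of 3DES suites the endpoint offers."""
    endpoint = json.loads(endpoint_json)
    return sorted(s["name"] for s in iter_suites(endpoint) if "3DES" in s["name"])

def find_insecure_suites(endpoint_json):
    """Return the sorted names of suites SSL Labs marks insecure (q == 0)."""
    endpoint = json.loads(endpoint_json)
    return sorted(s["name"] for s in iter_suites(endpoint) if s.get("q") == 0)

if __name__ == "__main__":
    print("3DES suites:", find_3des_suites(SAMPLE_ENDPOINT_JSON))
    print("insecure suites:", find_insecure_suites(SAMPLE_ENDPOINT_JSON))
```

Feed it the JSON that ssllabs-scan writes for each host to turn the API output into the per-host 3DES inventory the question asks for.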
 

Author Comment

by:Member_2_7967562
Thanks!
 
LVL 61

Expert Comment

by:btan
As per advised.