IBM FlashSystem

In the storage cluster’s SSH security configuration, both weak and strong Ciphers, Key Exchange Algorithms, and MAC Algorithms are active.

• Why should we remove weak Ciphers, Key Exchange Algorithms, and MAC Algorithms from the storage clusters and associated end devices?

Summary:

Remove weak ciphers, key exchange algorithms, and MAC algorithms from storage clusters and associated end devices.

In-depth:

In storage clusters, both weak and strong Ciphers, Key Exchange Algorithms, and MAC Algorithms are active. It is best advised and recommended to allow/ keep strong ciphers, key exchange algorithms, and MAC algorithms only for SSH connections. And remove weak ones from cluster SSH security configurations due to SSH high-security connections and be followed across all the other the infrastructure devices like OS, network, servers (physical and virtual), and storage.

• If weak ones are active in cluster SSH configuration, it is also red alerted while having a security scan of the storage system configurations.
• If the end devices using weak ones, then engineers need to upgrade the application/ system configuration and involve the respective vendor for their 2^nd opinion to understand any dependency.
• If none of the end devices in the infrastructure using weak ones like “3des-cbc”, “aes128-cbc”, “aes192- cbc”, “hmac-sha1-96”, “hmac-sha1” “SHA-1”, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", “hmac-md5” … Then remove them from SSH security configurations.
• It will maintain SSH connection compliance and security.