How to disable SSL and TLSv1&1.1 on F5 LTM for VMware iApp

Due to the cybersecurity compliance requirements, we had to disable insecure SSL and TLS protocol versions. Our infrastructure consists of VMware multi-tenants and F5 LTM as the ADC (Application Delivery Controller). Since the UAGs (Unified Access Gateway) sit behind the F5 LTM, the configuration changes need to be done at the F5 ADC. 

There was no proper article written specifically for this purpose. So, I thought of sharing this with the community. Let’s look at the steps involved in the configuration change. 

  • From the configuration utility, navigate to Local Traffic > Profiles > SSL > Client
  • Select the Client SSL profile used in the virtual server, and then change to Advanced

  • We need to change 2 fields (Cipers and Enabled Options)
  • Under the Ciphers, select Cipher Suites
  • In Cipher Suites, you need to change the value to DEFAULT:!RC4:!MEDIUM:@STRENGTH
  • Then, under the Enabled Options select only No TLSv1.3, No TLSv1.1, and No TLSv1 (refer to the below image)

  • Once you confirm the values, you may save the changes and test the access. 
  • If you need to confirm the security settings and collect evidence, you can simply test the URL with ssllabs

What is CSA Cloud Controls Matrix (CCM)

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing aligned to the CSA best practices, that is considered the de-facto standard for cloud security and privacy. The accompanying questionnaire, CAIQ, provides a set of “yes or no” questions based on the security controls in the CCM.

You can now download the CCM and CAIQ together.

These 2 files consist of all required documentation.

  • CCM v4
  • Mappings
  • CAIQ v4
  • STAR Level 1: Security Questionnaire (CAIQ v4)
  • Implementation Guidelines
  • Auditing Guidelines

Mappings enable you to connect the dots if you are already Compliant with other major Compliance standards.

  • ISO/IEC 27001/27002/27017/27018
  • CCM V3.0.1
  • CIS Controls V8
  • NIST 800-53r5
  • PCI DSSv3.2.1