By now you've heard about POODLE (CVE-2014-3566).
If not, here's the "tl;dr": SSLv3 is vulnerable. Really vulnerable.
There are remediation steps. And no, "disable SSLv3" isn't a good idea unless you know exactly how all the bits are bouncing around. A better course is to use TLS_FALLBACK_SCSV, the Transport Layer Security Signaling Cipher Suite Value. But that's beyond the scope here.
First, however, you need to know which servers are using SSLv3.
ExtraHop does that. By default. No configuration required.
Here is a dashboard using the awesome dashboarding functionality added in 4.0 firmware. The dashboard shows you:
- who the top servers using SSLv3 are
- how often SSLv3 sessions are being set up (the rate)
- how many SSLv3 sessions are being set up (the count)
- how SSLv3 use compares with other cipher suites in use in your environment.
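To show what "which servers are using SSLv3" means on the wire, here is an added example (not ExtraHop code and not part of the bundle) that reads the version a server selected in its ServerHello and tallies sessions per version and per server. The function names, addresses and sample records are constructed for illustration, and it assumes the ServerHello is the first handshake message in the record.

```python
import struct
from collections import Counter

# Version field values from the SSL/TLS specs. TLS 1.3 also puts 0x0303 here.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2+"}

def negotiated_version(record: bytes):
    """Return the version a ServerHello selected, or None if this is not one."""
    if len(record) < 11:  # 5 record header + 4 handshake header + 2 version
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rec_len:  # not handshake, or truncated
        return None
    if record[5] != 0x02:  # handshake type 2 = ServerHello
        return None
    (version,) = struct.unpack("!H", record[9:11])
    return VERSIONS.get(version, f"unknown(0x{version:04x})")

def summarize(observations, top=8):
    """Count sessions per version and rank the servers that selected SSLv3."""
    by_version, sslv3_servers = Counter(), Counter()
    for server, record in observations:
        name = negotiated_version(record)
        if name is None:
            continue  # ignore anything that is not a complete ServerHello
        by_version[name] += 1
        if name == "SSLv3":
            sslv3_servers[server] += 1
    return dict(by_version), sslv3_servers.most_common(top)

def make_server_hello(version: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample, not a capture)."""
    # version + 32-byte random + empty session id + cipher suite + compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

# Constructed observations: (server address, first server-to-client record).
SAMPLE = [
    ("10.0.0.5", make_server_hello(0x0300)),
    ("10.0.0.5", make_server_hello(0x0300)),
    ("10.0.0.9", make_server_hello(0x0300)),
    ("10.0.0.7", make_server_hello(0x0303)),
    ("10.0.0.7", make_server_hello(0x0301)),
    ("10.0.0.9", b"\x17\x03\x00\x00\x08" + bytes(8)),  # application data
    ("10.0.0.9", make_server_hello(0x0300)[:20]),      # truncated record
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
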
What You Get
A dashboard that looks like this:
Make sure you are running ExtraHop firmware 4.0 or newer. This bundle makes use of the dashboarding functionality that wasn't present in earlier firmware versions (i.e. 3.*).
- Download this bundle.
- Navigate to Settings, then Bundles.
- Upload the bundle.
- Click Apply.
- A new dashboard named "SSLv3 Summary" will be on your Summary Screen.
- From upper left, going clockwise, the widgets show:
  - how often SSLv3 sessions are being set up
  - how many SSLv3 sessions were set up in the selected time interval
  - how SSLv3 use stacks up with other cipher suites in your environment
  - the top 8 servers setting up SSLv3 sessions
It's the servers in that last group that may require attention.