I'd be interested to hear from anyone who has faced the following problem, particularly if you managed to solve it.
Imagine a large, complex, mixed network containing a lot of hosts running Windows and various Unix derivatives. As time wears on they get out of date so the company has a significant rolling upgrade programme. Some (many!) older hosts have deprecated security protocols and cipher suites so the natural thing to do is to modernise these, though we have also to re-enable the old protocols/ciphers because the hosts with which they communicate aren't yet upgraded and capable of modern encryption.Sooner or later we have a very much messier protocol/encryption estate. The details of which encryption method is enabled for which purpose is beyond the scope of the CMDB, so the task of going through the estate to disable unused, weak encryption methods becomes a challenge. Trial-and-error isn't a great idea because there are many services for which even a brief outage cannot be tolerated. It looks as though the way forward will be to determine by inspection which hosts are using which protocols, and for what purpose - this will then provide a baseline from which to work to disable the weak ones as the hosts/applications depending on them are upgraded.
Finding out which protocols are enabled on listeners is quite straightforward - any halfway-decent scanner can do that. The hard bit is finding out which ones are in use. One way would be to scan the estate to build a list of hosts that have weak encryption enabled and then, for each host, run a pcap and/or examine logs to determine whether it is using them and, if so, for what purpose. That will generate a list of the real pain points.
Is there a better way?