Medium Strength SSL Ciphers and accreditation

Hi,


We've recently had a PEN test. We're looking to achieve necessary accreditation for Cyber Security.

One of the things that the PEN test found was a vulnerability on the UTM's public WAN address and other systems that Sophos UTM is providing Web Protection for, based on cipher strength. The report recommends the following: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Attached is a list of the ciphers in question.

The system we use is an ASG425 (about to be replaced by an SG430) running firmware version 9.506-2. Looking at Google I can see there is some commentary around using the shell to adjust the ciphers, but there is also some discussion about the system warranty being affected. We would want to comply with the recommendations in the report and I was wondering what would be the best way to go about achieving that.

  • Hey Don.

    I think you should get support involved in this. As I recall, some shell modifications are necessary and unless vouched by the support you could void your warranty, so get them in the loop and do things the right way to avoid future issues.

    Regards,

    Giovani

  • Hi Don,

    Most pen test reports are automated, so I always take the first report of issues as questions. What port was being looked at when these ciphers were seen? I don't see any of those from your picture in the configuration files for the User Portal or the reverse proxy (Webserver Protection).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Giovani, I was thinking of contacting support but thought I'd start here. I will do that shortly.

  • Thanks Bob, the pentesters were provided with a list of our public IPs. Port would be 443 in this case. UTM is providing Webservices (reverse proxy), so there is a possibility that the ciphers aren't on UTM but are on the servers at the back end. However, one of the public IP addresses that they noted a problem with was the UTM WAN interface. Those ciphers in the post above are the ones noted. I'm slightly perplexed, as UTM does not respond to https requests on its WAN port, or at least I didn't think it did. We're also using Redbox accessed through that port.

  • Web Protection I meant, not web services.

  • "Port would be" sounds like you're assuming it's 443, Don, but they might have been talking to the SMTP Proxy.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, yes it's odd. The report in question identifies the port as 443, but there's nothing there: if I use nmap or other utilities I don't see any ciphers, because there is no https service running directly on the WAN IP address. I'll raise a call with Sophos just to confirm and then get back to the pentesters. Thanks for all the help on this thread.
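A way to verify a finding like this before raising the case, along the lines of Bob's and Don's replies above: an added example (not from the thread, the scanner vendor or Sophos) that tries each legacy TLS suite the local OpenSSL build knows against a host and port, with a STARTTLS option for an SMTP proxy. The host and port come from the report; the 64-112 bit rule for "medium" is an assumed scanner convention, not something the thread states.

```python
import smtplib
import socket
import ssl

# Assumed scanner convention for the thread's "medium strength" finding:
# suites with 64-112 bit symmetric keys (this is what makes 3DES "medium").
def classify_cipher(cipher):
    bits = cipher["strength_bits"]
    return "weak" if bits < 64 else "medium" if bits < 128 else "strong"

def _permissive_context(spec):
    # Verification is off on purpose: only the negotiated suite matters here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    for candidate in (spec + ":@SECLEVEL=0", spec):  # SECLEVEL may be unsupported
        try:
            ctx.set_ciphers(candidate)
            return ctx
        except ssl.SSLError:
            continue
    raise ValueError("no usable cipher spec: " + spec)

def candidate_ciphers():
    # All TLS 1.0-1.2 suites offered by this build; TLS 1.3 suites are not
    # selectable via set_ciphers(), so they are skipped.
    ctx = _permissive_context("ALL:COMPLEMENTOFDEFAULT")
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def handshake(host, port, cipher_name, starttls=False, timeout=5):
    # True if the server completes a handshake restricted to cipher_name.
    # starttls=True upgrades a plain SMTP session, e.g. the UTM SMTP proxy.
    ctx = _permissive_context(cipher_name)
    try:
        if starttls:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
        else:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return True
    except (ssl.SSLError, OSError, smtplib.SMTPException):
        return False

def scan(host, port, starttls=False):
    # Map each suite the service actually accepts to weak / medium / strong.
    return {c["name"]: classify_cipher(c) for c in candidate_ciphers()
            if handshake(host, port, c["name"], starttls)}
```

Call scan("wan-address", 443) for the address in the report, or scan("wan-address", 25, starttls=True) for the SMTP proxy Bob mentions; an empty result on 443 is consistent with what Don saw with nmap, and any "medium" entries show which service to reconfigure.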