
How to pass PCI Compliance scan when RED (tcp/3400) uses a weak cipher?

Our recent PCI Compliance scan came back failed because the RED service uses RC4-SHA. This is also one of the issues that the scanning company (Trustwave, who is used by our credit card processor, FirstData) will not allow to be overridden. If this is the opinion of a major credit card processor such as FirstData, you can assume that this is the opinion that much of the industry is going to have soon.

The ciphers used by RED aren't configurable, and the RED service is conspicuously absent from Sophos' SSLv3 mitigation document (https://community.sophos.com/kb/en-US/121509). I've already contacted premium support, and their response was basically, "we're aware of the issue." (Of course they're still selling RED devices as a secure means of extending your network.) They offered no advice on mitigation, other than the implied advice to wait for the patch...which any long-time customer knows could mean anything.

Since my remote locations that use RED have static IPs, I attempted to just add firewall rules to fix this (only allowing my IPs, drop all others). Except that RED communication must be handled prior to firewall rules, so they're completely ignored.

So the only thing left I can think of, is to go out and purchase another firewall to put in front of the UTM. Certainly not the conversation I'd like to have with those that approve large purchases such as that.
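To confirm a scanner finding like this one yourself (and to re-check after a patch lands), the following added example, which is not from this thread or from Sophos, sends a raw TLS ClientHello that offers only RC4 suites to a host and port given on the command line and reports whether the server accepts one. It builds the handshake by hand so the check works regardless of whether the local OpenSSL build still has RC4 compiled in; the host, port and the fixed all-zero client random are constructed values.

```python
import socket
import struct

# Cipher suite ids from the IANA TLS registry. RC4-SHA is TLS_RSA_WITH_RC4_128_SHA.
RC4_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5"}
TLS10 = b"\x03\x01"

def build_client_hello(suites):
    """Minimal TLS 1.0 ClientHello offering only the given cipher suite ids."""
    body = TLS10 + b"\x00" * 32                          # version + client_random (constructed)
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 = ClientHello
    return b"\x16" + TLS10 + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_server_response(data):
    """Return the cipher suite id chosen in a ServerHello, or None on alert/garbage."""
    if len(data) < 5 or data[0] != 0x16:                 # 0x15 would be an alert record
        return None
    hs = data[5:]
    if len(hs) < 4 or hs[0] != 0x02:                     # handshake type 2 = ServerHello
        return None
    body = hs[4:]
    if len(body) < 35:
        return None
    off = 35 + body[34]                                  # skip version, random, session id
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]

def server_accepts_rc4(host, port, timeout=5.0):
    """Offer only RC4 suites; True if the server negotiates one of them."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sorted(RC4_SUITES)))
        data = s.recv(4096)
    return parse_server_response(data) in RC4_SUITES

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])           # e.g. the UTM address and 3400
    print("RC4 accepted" if server_accepts_rc4(host, port) else "RC4 rejected")
```

A server that has dropped RC4 answers with a handshake_failure alert (record type 0x15), which the parser reports as no suite chosen.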

  • Almost all PCI compliance scans have a process to exclude results where the traffic is not used to process credit info.
    This is common practice. You'll need to submit a request to exclude the RED traffic (as Credit Info can be submitted via the RED port)

    We do this all the time for our customers.
  • That is typically the case, but Trustwave has stated for this particular issue, "Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan."

    On top of that, credit card info does go over the RED links, from point-of-sale PCs back to a main server that processes the transactions.

    Their position makes sense; this is a vulnerability that causes RED to be somewhat insecure, not a false positive. Sophos has to have been aware of this issue for a long time, since they have a fix for every other SSL service, and a timeframe of "months away" for a security company to fix a well known vulnerability isn't comforting.