
Failing PCI Scans - How do I disable TLS 1.0 and block DES & 3DES?

On our XG running 16.01.02 firmware we are failing our PCI compliance scans due to both TLS 1.0 being enabled and a cipher vulnerability called Sweet32 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183).  On my old TMG I could go into the registry and disable the "Triple DES 168" cipher and reboot, but I don't see how to do that on the XG, nor do I see a way to disable TLS 1.0.  How can this be done?

 

-Allan



  • Allan,

    what Charles is saying should be correct for the TLS. Are you using any IPSec connection? Red?

    Thanks

  • Unknown said:

    Looks like 16.05 fixes this but it's only on RC1


    Hrm.....hopefully it comes out soon.  We get charged a penalty for each month we are non-compliant.  Would be nice if it were something we could enable/disable as we see fit, like I could on my old Forefront TMG.


    lferrara said:

    what Charles is saying should be correct for the TLS. Are you using any IPSec connection? Red?

     

    Not yet, but we will be.  Both an IPSec site-to-site VPN, and I planned on trying out a Red device for testing and possibly for a branch office of 15 people.  Based on testing the Red I'd either get a Red 50 or just another small XG and set up the site-to-site with that.

     

    -Allan

  • I upgraded one of my two XG boxes (one that's not in production yet but is connected to the internet for testing) to 16.05 RC1.  Rescanned and it passed.  Still would be nice to have the options available as settings, but this is a good start.

     

    -Allan

  • So it seems in 16.05 MR2 that TLS 1.0 is enabled again as I just failed my PCI compliance scans.  It was blocked on 16.05 RC1.  Is this something I can disable through the console?

     

    I'm back to failing my PCI scans and I'd really like not to be.  It definitely is on the XG, as TLS 1.0 is already disabled on the backend servers using IISCrypt.

     

    -Allan

  • I've opened a support ticket on this as it doesn't make sense that it was disabled in the RC and re-enabled in the actual release.  I'll report back once they either verify the issue or tell me how to fix it.

  • First what I got back from support:

    "Unfortunately, it's not possible to change TLS version  from GUI as well as from CLI in XG v16.05(MR 1 & 2), cause it is hard coded and changed from proxy binary. I confirmed same with senior team."


    So I have to have them make the change to disable TLS v1.0, currently waiting for that to happen so I can re-try my PCI compliance scan.


    There is a suggestion on this for the UTM (ideas.sophos.com/.../8039499-remove-support-for-tls-1-0-allow-it-to-be-disabled) but there wasn't one for the XG.  I added it if anyone cares to upvote it:

    ideas.sophos.com/.../18624847-remove-support-for-tls-v1-0-and-insecure-cyphers-o

     

    -Allan

  • Support got back to me today and told me how to manually edit the httpd file on the XG to remove the insecure cyphers (3DES mainly) and protocols (TLS 1.0 and 1.1).  While I was in there I also disabled Trace/Track which was failing me also.  I wrote a blog post about it here:  http://allandynes.com/2017/04/sophos-xg-firewall-pci-compliance-woes/ .

     

    Long story short, the TLS enable/disable will be added to the UI in v17, but only for 1.0 it seems, not 1.1 or the cyphers.  Also the changes I manually made to the httpd file will need to be done each time there is a firmware update, which is a PITA.

     

    But long story short I now pass my PCI compliance scans fully.

     

    -Allan

  • Hi,

    Did this feature make it into v 17?  If so, where can I make this change in the v 17 UI?

    Cam

  • I haven't been able to find it.  And it's been a year since I posted this now.  Apparently there aren't enough people complaining about it to get it added properly to the UI.  My blog post is still accurate though, as I had to do it on two v17 boxes.

  • So what you are advising is that XG cannot pass compliance scans because of an old protocol that in most other devices has been disabled for some time, or they have the ability to disable it.

    flosupport or AllenT is this really true?

    Ian

  • As of the latest update, "HW-SFOS_17.0.6_MR-6.SF300-181", this is what is still in the config files:

    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLProtocol all -SSLv2 -SSLv3

    Sooooooo...... you still have to manually remove the 3DES ciphers and also add -TLSv1 -TLSv1.1 to the SSLProtocol line to disable them.   Also, every time you do a firmware update this file gets overwritten and turns those all back on, so you have to go back and manually fix it each time.

     

    I don't know why this hasn't been fixed or at least the option to turn it on and off added to the UI.
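The edit described in that post, as an added example (not Sophos code and not the script from the author's blog): it audits the two quoted directives for 3DES and for TLS 1.0/1.1 still being allowed, and rewrites them the way the post describes. It assumes the Apache mod_ssl / OpenSSL cipher-string syntax shown above; the file location on the XG is not assumed.

```python
"""Audit and harden the httpd SSLCipherSuite/SSLProtocol lines from the thread (added example)."""

# Constructed input: the two directives exactly as quoted for SFOS 17.0.6 MR-6.
SFOS_17_0_6_LINES = """\
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
"""

WEAK_CIPHERS = {"3DES", "DES"}         # 64-bit block ciphers (Sweet32, CVE-2016-2183)
WEAK_PROTOCOLS = ("TLSv1", "TLSv1.1")  # must be listed as -TLSv1 / -TLSv1.1 to be off

def _uses_weak_cipher(component: str) -> bool:
    """True if a cipher-string component such as 'ECDH+3DES' selects a weak cipher."""
    if component.startswith("!"):      # an exclusion like !3DES is what we want
        return False
    return any(alg in WEAK_CIPHERS for alg in component.split("+"))

def audit(config: str) -> list:
    """List the weak settings still present; re-run after every firmware update."""
    findings = []
    for line in config.splitlines():
        directive, _, value = line.strip().partition(" ")
        if directive == "SSLCipherSuite":
            findings += [f"weak cipher enabled: {c}" for c in value.split(":") if _uses_weak_cipher(c)]
        elif directive == "SSLProtocol":
            disabled = {t.lstrip("-") for t in value.split() if t.startswith("-")}
            findings += [f"{p} not disabled" for p in WEAK_PROTOCOLS if p not in disabled]
    return findings

def harden(config: str) -> str:
    """Rewrite the two directives as the post describes; other lines pass through."""
    out = []
    for line in config.splitlines():
        directive, _, value = line.strip().partition(" ")
        if directive == "SSLCipherSuite":
            keep = [c for c in value.split(":") if not _uses_weak_cipher(c)]
            if "!3DES" not in keep:
                keep.append("!3DES")   # explicit exclusion so nothing re-enables it
            line = "SSLCipherSuite " + ":".join(keep)
        elif directive == "SSLProtocol":
            tokens = value.split()
            tokens += [f"-{p}" for p in WEAK_PROTOCOLS if f"-{p}" not in tokens]
            line = "SSLProtocol " + " ".join(tokens)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("before:", audit(SFOS_17_0_6_LINES))
    print(harden(SFOS_17_0_6_LINES), "after:", audit(harden(SFOS_17_0_6_LINES)))
```

Running `audit` on the file again after each firmware update shows immediately whether the overwrite has put 3DES and TLS 1.0/1.1 back.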

  • This is extremely disappointing coming from a company that purports to be a security company.

     

    RSA encryption ciphers? See also "ROBOT."

    3DES? See also "SWEET32."

    TLS v1.0 and TLS v1.1?

    No ability to manually configure these settings for local security policy?

     

    Come on, Sophos. These should have been resolved ages ago, let alone when high/critical vulnerabilities about these exact things were announced. I will -never- recommend your products to anyone until you start treating security products with a security-first focus. All the features in the world mean nothing if you can't handle the basics.