Sophos Firewall

Discussions XG115 - need to disable SSLv3 and TLSv1 from outside connections. External vulnerability scans show port 443 can be attached with outdated protocols.

Sophos Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 4 replies
Subscribers 27 subscribers
Views 9849 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG115 - need to disable SSLv3 and TLSv1 from outside connections. External vulnerability scans show port 443 can be attached with outdated protocols.

Charles Ghent over 7 years ago

XG115 - need to disable SSLv3 and TLSv1 from outside connections. External vulnerability scans show port 443 can be attached with outdated protocols.

We can disable unrecognized SSL protocols on the web protection, but that is not securing the firewall from external threats.

This thread was automatically locked due to age.

0 Charles Ghent over 7 years ago

As a note, we are running on FW 16 atm. We wanted to go to 17, but we have a number of clients with IPSEC connections that would be affected by the new bugs introduced re: continually dropping/reporting up/CPU usage.

We need some kind of resolution for this - it is exposing all of our clients to external vulnerabilities and if we upgrade, to be unable to function for their normal day-to-day activities.

Rock <--> hard place
Cancel
Vote Up 0 Vote Down

Cancel
0 Charles Ghent over 7 years ago in reply to Charles Ghent

As a note, even in the V17 firmware, TLSv1 is NOT disabled. Also some of the weaker DES ciphers are still enabled.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ronak Sheth over 7 years ago in reply to Charles Ghent

Hi Charles Ghent

Refer the below link.

https://community.sophos.com/kb/en-us/127419

Regards, Ronak.
Cancel
Vote Up 0 Vote Down

Cancel
0 Charles Ghent over 7 years ago in reply to Ronak Sheth

After multiple sessions with support the information in that link is not valid. It appears that you must generate a valid 3rd party SSL certificate and replace the default appliance certificate for the vulnerability to be resolved. We have tested on V16 and V17 firmware and they are still failing PCI scans WITHOUT a valid 3rd party SSL certificate.
Cancel
Vote Up 0 Vote Down

Cancel