Medium Strength SSL Ciphers and accreditation

Hi,

We've recently had a pen test. We're looking to achieve the necessary accreditation for Cyber Security.

One of the things that the pen test found was a vulnerability on the UTM's public WAN address and other systems that Sophos UTM is providing Web Protection for, based on cipher strength. The report recommends the following: "Reconfigure the affected application if possible to avoid use of medium strength ciphers." Attached is a list of the ciphers in question.

The system we use is an ASG425 (about to be replaced by an SG430) running firmware version 9.506-2. Looking at Google I can see there is some commentary around using the shell to adjust the ciphers, but there is also some discussion about the system warranty being affected. We would want to comply with the recommendations in the report and I was wondering what would be the best way to go about achieving that.
This thread was automatically locked due to age.
  • Hi Don,

    Most pen test reports are automated so I always take the first report of issues as questions. What port was being looked at when these ciphers were seen? I don't see any of those from your picture in the configuration files for the User Portal or the reverse proxy (Webserver Protection).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, the pentesters were provided with a list of our public IPs. Port would be 443 in this case. UTM is providing Webservices (reverse proxy), so there is a possibility that the ciphers aren't on UTM but are on the servers at the back end. However, one of the public IP addresses that they noted a problem with was the UTM WAN interface. Those ciphers in the post above are the ones noted. I'm slightly perplexed, as UTM does not respond to https requests on its WAN port, or at least I didn't think it did. We're also using Redbox accessed through that port.

  • Web protection I meant, not web services.
