How to allow or block TLS and SSH ciphers using the Cipher Control feature

Description


The Cipher Control feature was introduced in the feature-release firmware version 6.5.4.1 and is available on all later firmware versions. It can be used to allow or block any or all TLS and SSH ciphers.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


TLS Ciphers:

The list contains around 333 TLS cipher suites, each of which can be allowed or blocked. The list can be filtered by strength, by whether the suite uses CBC mode, and by TLS protocol version.

It is configured from the Network | Firewall | Cipher Control | TLS Ciphers tab. Filter the list, then decide whether to block or allow particular ciphers. This functionality applies to DPI-SSL, HTTPS management, and SSL Control. The following filters are available:

  • Strength: Recommended, Secure, Weak, Insecure
  • Is CBC: indicates whether the cipher uses CBC (Cipher-Block Chaining) mode
  • TLS version: toggle switches for TLS 1.0 through 1.3
  • Action: a drop-down that shows all allowed or all blocked ciphers


The red icon indicates that the cipher is blocked, and the green checkmark indicates that the property of that column is true for the cipher. Use the Action drop-down to filter the list to all blocked or all allowed ciphers.

For example, TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 is a CBC cipher (checkmark in the Is CBC column), and TLS_ECDH_ECDSA_WITH_RC4_128_SHA is blocked (red icon in the Action column).


When a cipher suite is blocked, the expected behavior is as follows. For example, if cipher X is blocked:

  • DPI-SSL – Cipher X is removed from the TLS context, so it no longer appears in the ClientHello cipher list that the firewall sends when it handshakes with the origin server on the client's behalf.
  • HTTPS MGMT – Cipher X is removed from the HTTPS management server running on the firewall. If a TLS client offers only cipher X, the TLS handshake between the client and the firewall fails.
  • SSL Control – This covers TLS traffic passing through the firewall other than DPI-SSL decrypted sessions. The firewall blocks any TLS connection between an origin client and an origin server that negotiates cipher X.

You can also use the gear icon to check whether a cipher applies to DPI-SSL, HTTPS management, or SSL Control.


After filtering, you can select multiple cipher suites and use the Block and Unblock buttons to block or allow them.


SSH Ciphers:

The SSH Ciphers page at Network | Firewall | Cipher Control | SSH Ciphers lets you specify which SSH cryptographic algorithms SonicOS uses. Each key exchange algorithm, public key algorithm, encryption algorithm, and MAC algorithm can be allowed or blocked by checking or unchecking it.



Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


TLS Ciphers:

The list contains around 333 TLS cipher suites, each of which can be allowed or blocked. The list can be filtered by strength, by whether the suite uses CBC mode, and by TLS protocol version.

It is configured from the MANAGE | Security Configuration | Firewall Settings | Cipher Control tab. Filter the list, then decide whether to block or allow particular ciphers. This functionality applies to DPI-SSL, HTTPS management, and SSL Control. The following filters are available:

  • Strength: Recommended, Secure, Weak, Insecure
  • Is CBC: indicates whether the cipher uses CBC (Cipher-Block Chaining) mode
  • TLS version: toggle switches for TLS 1.0 through 1.3
  • Action: a drop-down that shows all allowed or all blocked ciphers



The red icon indicates that the cipher is blocked, and the green checkmark indicates that the property of that column is true for the cipher. Use the Action drop-down to filter the list to all blocked or all allowed ciphers.

For example, TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 is a CBC cipher (checkmark in the Is CBC column), and TLS_ECDH_ECDSA_WITH_RC4_128_SHA is blocked (red icon in the Action column).


When a cipher suite is blocked, the expected behavior is as follows. For example, if cipher X is blocked:

  • DPI-SSL – Cipher X is removed from the TLS context, so it no longer appears in the ClientHello cipher list that the firewall sends when it handshakes with the origin server on the client's behalf.
  • HTTPS MGMT – Cipher X is removed from the HTTPS management server running on the firewall. If a TLS client offers only cipher X, the TLS handshake between the client and the firewall fails.
  • SSL Control – This covers TLS traffic passing through the firewall other than DPI-SSL decrypted sessions. The firewall blocks any TLS connection between an origin client and an origin server that negotiates cipher X.
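The expected behavior above is the same on SonicOS 7.X and 6.5, so one worked check serves both sections. The following is an added example in Python; it is not part of the SonicWall article and not SonicOS code. triage() classifies an IANA suite name by the attributes the page filters on (CBC mode, TLS 1.3 versus earlier) and adds a block/review/keep suggestion that is my own heuristic, not the SonicOS Strength rating. probe_mgmt_cipher() performs the HTTPS MGMT check from the list: it offers exactly one TLS 1.2 suite to the management port and returns None when the handshake is refused. The sample suite list is constructed from the two names on the page plus common suites, the host address is a placeholder, and the OpenSSL cipher name you pass must be one your local OpenSSL still builds (static-ECDH and RC4 suites are absent from modern OpenSSL, and set_ciphers() raises for them).

```python
"""Triage IANA TLS cipher-suite names by the Cipher Control filter columns and
probe the HTTPS management interface with a single suite.

Added example; the block/review/keep heuristic is the author's, not the
SonicOS Strength column. Host addresses are placeholders."""
import re
import socket
import ssl

# TLS 1.3 suites (RFC 8446) name only the AEAD and hash; key exchange is always ephemeral.
_TLS13 = re.compile(r"^TLS_(AES_\d+_(GCM|CCM(_8)?)|CHACHA20_POLY1305)_SHA\d+$")
# Name tokens that mark a suite as legacy: broken ciphers, export grades, no authentication.
_LEGACY = ("NULL", "EXPORT", "EXPORT1024", "RC4", "RC2", "DES", "3DES", "IDEA", "MD5", "anon")


def triage(name):
    """Return the filter attributes of one suite plus a block/review/keep suggestion."""
    tokens = name.split("_")
    tls13 = bool(_TLS13.match(name))
    cbc = "CBC" in tokens                                  # the page's "Is CBC" column
    aead = any(t in ("GCM", "CCM", "POLY1305") for t in tokens)
    # Forward secrecy needs an ephemeral key exchange (ECDHE/DHE) or a TLS 1.3 suite;
    # static ECDH (TLS_ECDH_RSA_...) and RSA key transport do not provide it.
    kx = tokens[1] if len(tokens) > 1 else ""
    forward_secrecy = tls13 or kx in ("ECDHE", "DHE")
    legacy = [t for t in _LEGACY if t in tokens]
    if legacy:
        rec = "block"
    elif tls13 or (aead and forward_secrecy):
        rec = "keep"
    else:
        rec = "review"                                     # CBC mode and/or no forward secrecy
    return {"name": name, "tls13": tls13, "cbc": cbc, "aead": aead,
            "forward_secrecy": forward_secrecy, "legacy": legacy, "recommendation": rec}


def triage_list(names):
    """Group suite names by recommendation so a block list can be applied in one pass."""
    groups = {"block": [], "review": [], "keep": []}
    for n in names:
        groups[triage(n)["recommendation"]].append(n)
    return groups


def probe_mgmt_cipher(host, port, openssl_cipher, timeout=5.0):
    """Offer exactly one TLS 1.2 suite to the firewall's HTTPS management port.

    Returns the negotiated suite name, or None when the server refuses the
    handshake, which is the expected result once that suite is blocked.
    `openssl_cipher` is the OpenSSL name (e.g. AES128-SHA for
    TLS_RSA_WITH_AES_128_CBC_SHA); `openssl ciphers -stdname -V ALL:COMPLEMENTOFALL`
    prints the OpenSSL name next to the IANA name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                        # testing cipher policy, not the certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2           # keep TLS 1.3 suites out of the ClientHello
    ctx.set_ciphers(openssl_cipher)                        # raises ssl.SSLError if local OpenSSL lacks it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ConnectionError):
        return None


if __name__ == "__main__":
    # Constructed sample: the two suites named on the page plus a few common ones.
    sample = ["TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
              "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_AES_256_GCM_SHA384"]
    for rec, names in triage_list(sample).items():
        print(rec, names)
    # Live check against a firewall management interface (placeholder address):
    # print(probe_mgmt_cipher("192.0.2.1", 443, "AES128-SHA"))
```

Run the live probe twice, once before and once after blocking the suite, from a host that is allowed to reach the management interface: a suite name before and None after confirms the HTTPS MGMT behavior described above. The probe does not validate the firewall certificate because the question is only which suites the server accepts.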

You can also use the display icon to check whether a cipher applies to DPI-SSL, HTTPS management, or SSL Control.


After filtering, you can select multiple cipher suites and use the Block and Unblock buttons to block or allow them.


SSH Ciphers:

The SSH Ciphers page at MANAGE | Security Configuration | Firewall Settings | Cipher Control lets you specify which SSH cryptographic algorithms SonicOS uses. Each key exchange algorithm, public key algorithm, encryption algorithm, and MAC algorithm can be allowed or blocked by checking or unchecking it.
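The SSH Ciphers page gives you check-boxes but no view of what the firewall actually offers afterwards. An SSH server lists every algorithm it accepts in its KEXINIT message, sent before any key exchange, so it can be read over a plain TCP connection. The following is an added example in Python, not SonicOS code and not part of the original article, that parses that message per RFC 4253 and reports any blocked algorithm the server still advertises; it applies to both the SonicOS 7.X and 6.5 SSH Ciphers pages. The field names (kex, host_key, enc_*, mac_*) and the category keys are my own; the page's "public key algorithm" list corresponds to server_host_key_algorithms in KEXINIT. The host address is a placeholder, and build_kexinit()/wrap_packet() exist only to construct sample data offline.

```python
"""Read the algorithm lists an SSH server advertises in KEXINIT, to verify that an
SSH cipher, key-exchange, public-key or MAC algorithm blocked in Cipher Control
is really gone from the firewall's offer.

Added example using the RFC 4253 wire format; host addresses are placeholders."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the name-lists in a KEXINIT payload (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# How the page's four check-box categories map onto those fields (author's naming).
CATEGORIES = {"kex": ("kex",), "host_key": ("host_key",),
              "enc": ("enc_c2s", "enc_s2c"), "mac": ("mac_c2s", "mac_s2c")}


def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated names) at `off`."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 1 + 16, {}                      # skip message type and 16-byte cookie
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: names}; used only to build sample data."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def wrap_packet(payload, block=8):
    """Frame a payload as an SSH binary packet (RFC 4253 section 6); no MAC before KEX."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:                                # RFC requires at least 4 padding bytes
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def unwrap_packet(data):
    """Strip the binary-packet framing and return the payload."""
    length, pad = struct.unpack_from(">IB", data, 0)
    return data[5:5 + length - pad - 1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange version strings and return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-cipher-control-probe\r\n")
        line = b""
        while not line.startswith(b"SSH-"):    # servers may send banner lines first
            line = b""
            while not line.endswith(b"\r\n"):
                line += _recv_exact(s, 1)
        length, pad = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, length - 1)
        return parse_kexinit(body[:length - 1 - pad])


def blocked_still_offered(offered, blocked):
    """Return {field: names} for anything in `blocked` the server still advertises.

    `blocked` is keyed by the page's categories: kex, host_key, enc, mac."""
    leftovers = {}
    for cat, names in blocked.items():
        for field in CATEGORIES[cat]:
            hits = [n for n in offered.get(field, []) if n in names]
            if hits:
                leftovers[field] = hits
    return leftovers


if __name__ == "__main__":
    # Live check against a firewall's SSH management port (placeholder address):
    offer = fetch_server_kexinit("192.0.2.1", 22)
    print(blocked_still_offered(offer, {"enc": ["aes128-cbc", "3des-cbc"],
                                        "mac": ["hmac-sha1"]}))
```

An empty result from blocked_still_offered() after the change confirms the unchecked algorithms no longer appear in the firewall's proposal. For a quick manual look without code, ssh -vv to the firewall prints the same lists under "peer server KEXINIT proposal".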


