michael david asked:
SonicWall tz180 PCI compliance issues

Just had two sites fail PCI compliance tests with certificate errors on a SonicWall TZ180. Trustwave does the scans and this is what they said: The server should be configured to disable the use of the deprecated SSLv2, SSLv3, and TLSv1.0 protocols. The server should instead use stronger protocols such as TLSv1.1 and/or TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the SSLv2, SSLv3, and TLSv1.0 protocols on this service is sufficient.
I have no idea how to do what they said. Any help is really appreciated. Thanks.
masnrock:
For starters, I would recommend disabling remote administration. But also, that whole generation of SonicWalls had an end-of-life announcement 7 years ago, so you cannot even get support for them. Recommend upgrading to a modern unit.

Also, do you have open ports on the Sonicwall? And what systems behind the Sonicwall can users connect to from outside? The servers in question may need their configurations changed.
michael david (asker):
Yes, it is an old SonicWall, so I guess I need to know (for now) how to disable the SSLv2, SSLv3, and TLSv1.0 protocols and also how to add TLSv1.1 and/or TLSv1.2 on this current SonicWall. Thanks.
By replacing it. Your Sonicwall is too old to do what you're hoping for. Disabling remote administration might help slightly, but you would still fail a scan.
I still have to ask: are there any publicly accessible servers behind the Sonicwall? If yes, these are items that still may need to be addressed as well.
Not sure what that entails. This is one PC that is behind that SonicWall.
OK, so you have no sort of port forwarding going on. That keeps things simpler.

But yes, at the end of the day, that Sonicwall has to get replaced. Take advantage of the Secure Upgrade Plus program to lower your upgrade costs a bit if you're looking for a newer Sonicwall.
Maybe this will help with what I'm looking to resolve? These are the 5 fail issues:

1. SSL Certificate is Not Trusted (External Scan) 6.80 Medium Fail Port: tcp/443
It was not possible to validate the SSL certificate, and thus it could not be trusted. Users may receive a security warning when using this service. This occurs because either the certificate or a certificate in its chain has issues that prevent validation. Some examples of these issues are, but not limited to, a certificate having expired, the hostname does not match the name on the certificate, or the certificate is not signed by a well-known Certificate Authority (CA).
CVSSv2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Service: http
Application: sonicwall:http_server
Evidence:
Subject: /C=US/ST=California/L=Sunnyvale/O=HTTPS Management Certificate for SonicWALL (self-signed)/OU=HTTPS Management Certificate for SonicWALL (self-signed)/CN=192.168.168.166
Issuer: /C=US/ST=California/L=Sunnyvale/O=HTTPS Management Certificate for SonicWALL (self-signed)/OU=HTTPS Management Certificate for SonicWALL (self-signed)/CN=192.168.168.166
Certificate Chain Depth: 0
Reason: The hostname on the certificate does not match any of the hostnames provided to the scanner.
Reason: The leaf certificate is self-signed but is not trusted.
Reason: One or more certificates in the chain has a suspicious or illegal subject name.

2. SSL Certificate Common Name Does Not Validate (External Scan) 6.80 Medium Fail Port: tcp/443
This SSL certificate has a common name (CN) that does not appear to match the identity of the server. Modern browsers may present a warning to users who attempt to browse this service as it is currently configured. Note that in some networks in which load balancers are used, it may not be possible for the scanner to perform this test correctly.
CVSSv2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Application: sonicwall:http_server
Evidence:
Subject: /C=US/ST=California/L=Sunnyvale/O=HTTPS Management Certificate for SonicWALL (self-signed)/OU=HTTPS Management Certificate for SonicWALL (self-signed)/CN=192.168.168.166
Issuer: /C=US/ST=California/L=Sunnyvale/O=HTTPS Management Certificate for SonicWALL (self-signed)/OU=HTTPS Management Certificate for SonicWALL (self-signed)/CN=192.168.168.166
Certificate Chain Depth: 0
Hostnames provided to scanner: 96.81.83.28
Subject Name: 192.168.168.166

3. Weak Encryption Ciphers identified on VPN Device 6.80 Medium Fail Port: udp/500
Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device. These weak ciphers could make it easier for a context dependent attack to compromise the integrity of IKE sessions established with this device.
CVSSv2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Service: isakmp
Application: dell:sonicwall_ipsec
Evidence:
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: SHA, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: MD5, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: SHA, Auth method: GSS or XAUTH1, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: MD5, Auth method: GSS or XAUTH1, DH Group: Group 2

4. Weak Diffie-Hellman groups identified on VPN Device 6.80 Medium Fail Port: udp/500
Diffie-Hellman Groups 1 to 4 are no longer considered safe for strong encryption. It is estimated that these groups have a security level of 80-90 bits, which is no longer adequate to protect the encryption keys used during IKE phase 2. Furthermore, Group 5 (Modp-1536) has a security level of 120 bits, which is slightly under what is needed to protect AES-128 encryption keys. Stronger groups have been designed for the Diffie-Hellman key exchange in RFC 3526.
CVSSv2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Service: isakmp
Application: dell:sonicwall_ipsec
Evidence:
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: SHA, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: MD5, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: SHA, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: MD5, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: SHA, Auth method: GSS or XAUTH1, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: MD5, Auth method: GSS or XAUTH1, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: SHA, Auth method: GSS or XAUTH1, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: MD5, Auth method: GSS or XAUTH1, DH Group: Group 2

5. CVE-2013-2566 CVE-2015-2808 SSL RC4-based Ciphers Supported 4.30 Medium Fail Port: tcp/443
An attack is possible when using RC4-based ciphers that takes advantage of single-byte biases within the RC4 algorithm, which could make it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions (i.e. millions of sessions) that use the same plaintext.
CVE: CVE-2013-2566, CVE-2015-2808
NVD: CVE-2013-2566, CVE-2015-2808
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N
Service: http
Application: sonicwall:http_server
Evidence: url: http://96.81.83.28/
TZ180? That thing is ancient... and has been end-of-lifed and end-of-support for many years....

Suggest strongly you upgrade to a latest model of SonicWall.
As I have been mentioning the entire time, you need to replace the Sonicwall. I know you want to find another way to solve your issue, but there isn't one.
That's odd, because I'm getting the same exact fail messages on another machine behind a Dell SonicWall SOHO appliance (01-SSC-0217).
It appears that you have a VPN enabled, which was something not mentioned before. If you have no need for that, then get rid of it. But additionally, it looks like you have Remote Administration turned on (does this need to be on?).

  1. This is because your Sonicwall has a self-signed certificate. You can obtain and try to install (import) an SSL certificate purchased from a provider such as Digicert, 1&1, or GoDaddy.
  2. When setting up the new cert, you're going to need the Subject name to include the proper IP address, along with any domain names you might be pointing at it. But it would be far easier to simply turn off Remote Administration (pointed this piece out earlier).
  3. Assuming you have VPN set up, you want to use Group 5 rather than Group 2 (unless the VPN clients don't support it, which you'll want to fix). Also, change encryption to AES-128 or AES-256. Note this doesn't fix the fact that the Sonicwall you have supports the weaker ciphers.

Basically, those items should get you towards the least bad position. But they still won't address everything.
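As an added illustration (not part of this thread and not the scanner's or SonicWall's own tooling), here is a small Python checker that reads transform-set lines in the format the scan report above prints and flags the same conditions findings 3 and 4 describe, plus the Group 5 caveat. The third sample line is a constructed hardened set, not one from the scan.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: IKE Phase 1 transform sets in the scanner's
# evidence format (one set per line). The third line is hypothetical.
SCAN_EVIDENCE = """\
Transform Set:: Mode: Main, Encryption: 3DES, Hash type: SHA, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: MD5, Auth method: pre-shared key, DH Group: Group 2
Transform Set:: Mode: Main, Encryption: AES, Key Length: 256, Hash type: SHA, Auth method: pre-shared key, DH Group: Group 14
"""

FIELD_RE = re.compile(r"(Mode|Encryption|Key Length|Hash type|Auth method|DH Group): ([^,]+)")

WEAK_ENCRYPTION = {"DES", "3DES"}   # finding 3
WEAK_HASHES = {"MD5"}
WEAK_DH_GROUPS = {1, 2, 3, 4}       # finding 4: ~80-90 bit security
MARGINAL_DH_GROUPS = {5}            # finding 4: ~120 bits, under AES-128


@dataclass
class Transform:
    encryption: str
    key_length: Optional[int]
    hash_type: str
    auth_method: str
    dh_group: int


def parse_transform(line: str) -> Transform:
    """Turn one 'Transform Set::' evidence line into a Transform."""
    fields: Dict[str, str] = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    key_length = int(fields["Key Length"]) if "Key Length" in fields else None
    dh_group = int(fields["DH Group"].split()[-1])   # "Group 2" -> 2
    return Transform(fields["Encryption"], key_length, fields["Hash type"],
                     fields["Auth method"], dh_group)


def weaknesses(t: Transform) -> List[str]:
    """Apply the scanner's rules plus the Group 5 / AES advice from the thread."""
    issues = []
    if t.encryption in WEAK_ENCRYPTION:
        issues.append(f"weak encryption {t.encryption}")
    if t.hash_type in WEAK_HASHES:
        issues.append(f"weak hash {t.hash_type}")
    if t.dh_group in WEAK_DH_GROUPS:
        issues.append(f"weak DH group {t.dh_group}")
    elif t.dh_group in MARGINAL_DH_GROUPS:
        issues.append(f"marginal DH group {t.dh_group}")
    return issues


def audit(evidence: str) -> List[List[str]]:
    """One issue list per transform set, in input order (empty list = passes)."""
    return [weaknesses(parse_transform(l)) for l in evidence.splitlines()
            if l.startswith("Transform Set::")]


if __name__ == "__main__":
    for line, issues in zip(SCAN_EVIDENCE.splitlines(), audit(SCAN_EVIDENCE)):
        print("FAIL" if issues else "ok  ", line.split("::", 1)[1].strip(), issues)
```

Any set that still lists 3DES, MD5 or a DH group of 4 or lower will keep failing the scan, so every offered proposal, not just the preferred one, has to be cleaned up.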
Thank you, I'll try those options for now :-)
As for the last change, remember you also have to do that on the other Sonicwall (assuming you have a site-to-site VPN in place).
Someone also suggested I use this crypto tool, but I'm not sure what to uncheck. See the enclosed PDF file:
iis-crypto-settings.pdf
ASKER CERTIFIED SOLUTION
masnrock