Keep failing PCI audit because of Sweet32 attack detected
I have just installed two new TZ270 SonicWall firewalls at a customer site running the newest version of the 7.0 OS. Both offices have Internet access from the cable company. To connect the two offices together, I have configured an IPSec SSL VPN. The VPN is configured with the encryption type AES-256 and authentication type SHA384.
For PCI compliance, an independent audit company needs to run periodic scans against both firewalls. I keep failing the compliance scan due to the firewall being vulnerable to the Sweet32 attack within ISAKMP. I have read a few SonicWall KBs, but they all reference the 6.x OS, which does not pertain to the TZ270.
Could someone please tell me what configuration I need to make within 7.0 to fix the Sweet32 attack detection?
Thank you everyone for your help with this issue.
Joel
Answers
Hi @Nentwich
Block all the 64-bit ciphers like DES & 3DES, and if that does not resolve the problem, contact Technical Support & they will guide you.
@Ajishlal how do I block the 64-bit ciphers? Can you share a link which outlines the steps to block these ciphers?
Thanks,
Joel
So you said "IPSec SSL VPN", which isn't a thing. An IPSec VPN tunnel between locations and SSL VPN for remote client access are two different things.
Are you running the latest firmware version (or at least 7.0.1-1456)? Have you tried replicating the results using Nmap? https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Have you tried disabling SSLVPN services (if it's on)?
The PCI Scan result will tell you what IP address and port are the problem.
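Following the Nmap suggestion in the answer above, here is an added example (not from this thread or from SonicWall) that triages `ssl-enum-ciphers` output and lists the suites a Sweet32 finding on a TLS listener refers to, so the result can be re-checked before the next compliance scan. It only covers TLS services such as the SSL VPN or management port, not the ISAKMP/IKE side named in the scan report; the host address and the sample Nmap output are constructed.

```shell
#!/bin/sh
# Added example: triage the output of
#   nmap --script ssl-enum-ciphers -p 443 <firewall-ip>
# for cipher suites built on a 64-bit block cipher (DES, 3DES, IDEA, RC2),
# which is what a Sweet32 finding on a TLS listener points at.

# Constructed sample of ssl-enum-ciphers output (192.0.2.10 is a
# documentation address, not a real firewall).
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.0.2.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C'

# sweet32_ciphers: read Nmap output (stdin or file arguments) and print, once
# each, every offered suite whose bulk cipher has a 64-bit block.
sweet32_ciphers() {
    LC_ALL=C awk '$2 ~ /^TLS_/ && $2 ~ /_(3DES|DES|IDEA|RC2)_/ { print $2 }' "$@" \
        | LC_ALL=C sort -u
}

# sweet32_check: return 0 when no 64-bit block cipher suite is offered,
# 1 otherwise, so it can gate a re-submission to the PCI scanner.
sweet32_check() {
    found=$(sweet32_ciphers "$@")
    if [ -n "$found" ]; then
        printf 'Sweet32-relevant suites still offered:\n%s\n' "$found"
        return 1
    fi
    echo 'No 64-bit block cipher suites offered.'
    return 0
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | sweet32_check \
    || echo 'Disable these suites on the firewall and rescan.'
```

Replace the sample with the real scan output (`nmap --script ssl-enum-ciphers -p 443 <firewall-ip> | sweet32_check`) to confirm whether the finding is reproducible on the TLS side.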
Hi @Nentwich
Follow the screenshot below & it is better to get SonicWall support if you are not familiar with cipher suites.