
Keep failing PCI audit because of sweet32 attack detected

I have just installed two new TZ270 SonicWall firewalls at a customer site running the newest version of the 7.0 OS. Both offices have Internet access from the cable company. To connect the two offices together I have configured an IPSec SSL VPN. The VPN is configured with the encryption type AES-256 and authentication type SHA384.

For PCI compliance, an independent audit company needs to run periodic scans against both firewalls. I keep failing the compliance scan due to the firewall being vulnerable to the sweet32 attack within ISAKMP. I have read a few SonicWall KBs, but they all reference the 6.x OS, which does not pertain to the TZ270.

Could someone please tell me what configuration I need to make within 7.0 to fix the sweet32 attack detection?

Thank you everyone for your help with this issue.

Joel

Category: Entry Level Firewalls

Answers

  • Ajishlal (All-Knowing Sage ✭✭✭✭)

    Hi @Nentwich

    Block all the 64-bit ciphers like DES & 3DES, and if that does not resolve the problem, contact Technical Support & they will guide you.

  • Nentwich (Newbie ✭)

    @Ajishlal how do I block the 64-bit ciphers? Can you share a link which outlines the steps to block these ciphers?


    Thanks,

    Joel

  • TKWITS (All-Knowing Sage ✭✭✭✭)
    edited August 12

    So you said "IPSec SSL VPN" which isn't a thing. An IPSec VPN tunnel between locations and SSL VPN for remote client access are two different things.

    Are you running the latest firmware version (or at least 7.0.1-1456)? Have you tried replicating the results using Nmap? https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

    Have you tried disabling SSLVPN services (if it's on)?

    The PCI Scan result will tell you what IP address and port are the problem.
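Two points in this thread call for the same check: Ajishlal's advice to block all 64-bit block ciphers, and TKWITS's suggestion to reproduce the scanner's finding with Nmap's ssl-enum-ciphers script before changing anything. The Python below is an added example, not code from this thread, from SonicWall, or from Nmap: it flags any cipher name built on a 64-bit block cipher (DES, 3DES, RC2, IDEA, Blowfish, the block size Sweet32 relies on), both in TLS cipher-suite names as ssl-enum-ciphers prints them and in IKE/IPsec transform names such as the ISAKMP proposals a PCI scanner reports. The Nmap output embedded below is constructed for the example, and the function names are my own.

```python
import re

# Whole-token names that denote a 64-bit block cipher. Matching whole tokens
# means "DES" does not accidentally match "AES", and "3DES" is its own token.
_SIXTY_FOUR_BIT_BLOCK = re.compile(r"^(3DES|DES|DES40|RC2|IDEA|BLOWFISH)$")
_TOKEN_SPLIT = re.compile(r"[^A-Z0-9]+")
# TLS suite names as printed by ssl-enum-ciphers, e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA
_TLS_SUITE = re.compile(r"\b((?:TLS|SSL)_[A-Z0-9_]+)\b")
# Protocol headers in ssl-enum-ciphers output, e.g. "|   TLSv1.2:"
_PROTO_HEADER = re.compile(r"^\|\s+(SSLv\d|TLSv1(?:\.\d)?):\s*$")


def is_64bit_block_cipher(name: str) -> bool:
    """True if a TLS cipher-suite name or an IKE/IPsec transform name
    (e.g. "3DES-CBC") uses a 64-bit block cipher."""
    tokens = _TOKEN_SPLIT.split(name.upper())
    return any(_SIXTY_FOUR_BIT_BLOCK.match(t) for t in tokens if t)


def flag_transforms(names: list[str]) -> list[str]:
    """Return the IKE/IPsec transform names from `names` that a Sweet32
    check would flag, preserving the order given."""
    return [n for n in names if is_64bit_block_cipher(n)]


def find_sweet32_ciphers(nmap_output: str) -> list[tuple[str, str]]:
    """Walk `nmap --script ssl-enum-ciphers` text output and return
    (protocol, suite) pairs for every suite built on a 64-bit block cipher."""
    found = []
    proto = "?"
    for line in nmap_output.splitlines():
        header = _PROTO_HEADER.match(line)
        if header:
            proto = header.group(1)  # remember which protocol section we are in
            continue
        m = _TLS_SUITE.search(line)
        if m and is_64bit_block_cipher(m.group(1)):
            found.append((proto, m.group(1)))
    return found


# Constructed sample in the shape of ssl-enum-ciphers output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Constructed IKE proposal list, as a scanner might report ISAKMP transforms.
SAMPLE_IKE_TRANSFORMS = ["AES-256-CBC", "3DES-CBC", "AES-128-CBC"]

if __name__ == "__main__":
    for proto, suite in find_sweet32_ciphers(SAMPLE_NMAP_OUTPUT):
        print(f"TLS  {proto}: {suite} uses a 64-bit block cipher")
    for name in flag_transforms(SAMPLE_IKE_TRANSFORMS):
        print(f"IKE  transform {name} uses a 64-bit block cipher")
```

Run it against the real `nmap --script ssl-enum-ciphers -p 443` output for the management and SSL VPN listeners to confirm or rule out a TLS-side finding; for the ISAKMP finding in the original post, feed the transform names the PCI scan lists into `flag_transforms`. Anything it flags is a proposal or suite to remove from the policy, which is the fix both answers point at.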

  • Ajishlal (All-Knowing Sage ✭✭✭✭)

    Hi @Nentwich

    Follow the screenshot below, & it is better to get SonicWall support if you are not familiar with cipher suites.

