How to block SSLv3 (SSL version 3.0) using IPS signatures

Description

SSLv3 (SSL version 3.0) is known to be vulnerable to multiple attacks (POODLE, BEAST, CRIME, etc.). The SonicWall Threat Team has released the signature Downgraded TLS Traffic (ID 5770) to prevent a server from negotiating an SSLv3 connection when the client proposes a higher protocol version such as TLS 1.0, 1.1 or 1.2. This article describes how to enable this signature.

NOTE: This signature does not block a connection in which the client itself proposes SSL 3.0 and the server accepts it. To block SSL 3.0 completely, refer to this article - How to Block SSLv3.0 (SSL version 3.0) connections using App Control Advanced

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Procedure:

Enabling Signature ID 5770

  1. Log in to the SonicWall management GUI.
  2. Navigate to the Policy | Security Services | Intrusion Prevention page.
  3. Make sure Enable IPS is checked.
  4. Enable the checkboxes under Prevent All and Detect All for High and Medium Priority Attacks.
  5. Enable the checkbox under Detect All for Low Priority Attacks.
  6. Under Lookup Signature ID, enter 5770 and click on the find icon.
  7. In the Edit IPS Signature window, set Prevention and Detection to Enable.
  8. Click on OK to save and close the window.


Enabling IPS on zones

  1. Navigate to Object | Zones.
  2. Click on the configure button under the zone where you want to enable IPS.
  3. Enable the checkbox Enable IPS.
  4. Click on OK to save.


Testing

With this signature enabled, when an SSL client proposes TLS 1.x in its Client Hello and the server responds with SSL 3.0, the response is blocked by SonicWall IPS. A log message is generated when this signature blocks such traffic; it can be viewed under Monitor | Logs | System Logs.
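As an added illustration of the condition this signature matches on (example code written for this article, not SonicWall's signature logic), the following Python reads the version field from a ClientHello and a ServerHello and flags a server that answers a TLS 1.x offer with SSL 3.0. The hello records are constructed inline, and the third case shows the limitation from the NOTE: a client that itself offers SSL 3.0 is not flagged.

```python
import struct

# Added example, not SonicWall code: models the condition behind IPS signature
# 5770, "Downgraded TLS Traffic". Version constants are the real wire values.
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def hello_version(record: bytes, expected_type: int) -> int:
    """Return the version carried in the body of a ClientHello/ServerHello.

    Layout: 5-byte record header (type, version, length), then 4-byte
    handshake header (msg type, 3-byte length), then the 2-byte hello version.
    The record-layer version is deliberately ignored: clients often send a
    lower record version for compatibility, so the hello body is what counts.
    """
    if len(record) < 11:
        raise ValueError("record too short to carry a hello")
    content_type, _rec_version, _rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    if record[5] != expected_type:
        raise ValueError("unexpected handshake message type %#x" % record[5])
    return struct.unpack("!H", record[9:11])[0]


def is_downgraded(client_hello: bytes, server_hello: bytes) -> bool:
    """True when the client offered TLS 1.x but the server selected SSL 3.0.

    Mirrors the signature's stated scope: a client that itself offers SSL 3.0
    and gets SSL 3.0 back is NOT flagged (the limitation the NOTE describes).
    """
    offered = hello_version(client_hello, CLIENT_HELLO)
    chosen = hello_version(server_hello, SERVER_HELLO)
    return offered >= TLS10 and chosen == SSL30


def build_hello(msg_type: int, version: int) -> bytes:
    """Constructed minimal hello record: version, 32-byte random, empty session id."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, SSL30, len(handshake)) + handshake


if __name__ == "__main__":
    offer = build_hello(CLIENT_HELLO, TLS12)
    print("downgrade:", is_downgraded(offer, build_hello(SERVER_HELLO, SSL30)))  # True
    print("normal:", is_downgraded(offer, build_hello(SERVER_HELLO, TLS12)))  # False
```

A client that offers SSL 3.0 directly (build_hello(CLIENT_HELLO, SSL30)) returns False here, which is why the article points to App Control Advanced for blocking SSLv3 outright.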


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Procedure:

Enabling Signature ID 5770

  1. Log in to the SonicWall management GUI.
  2. Navigate to the Manage | Security Services | Intrusion Prevention page.
  3. Make sure Enable IPS is checked.
  4. Enable the checkboxes under Prevent All and Detect All for High and Medium Priority Attacks.
  5. Enable the checkbox under Detect All for Low Priority Attacks.
  6. Under Lookup Signature ID, enter 5770 and click on the find icon.
  7. In the Edit IPS Signature window, set Prevention and Detection to Enable.
  8. Click on OK to save and close the window.

Enabling IPS on zones

  1. Navigate to Manage | Network | Zones.
  2. Click on the configure button under the zone where you want to enable IPS.
  3. Enable the checkbox Enable IPS.
  4. Click on OK to save.

Testing

With this signature enabled, when an SSL client proposes TLS 1.x in its Client Hello and the server responds with SSL 3.0, the response is blocked by SonicWall IPS. A log message is generated when this signature blocks such traffic.


Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

Procedure:

Enabling Signature ID 5770

  1. Log in to the SonicWall management GUI.
  2. Navigate to the Manage | Security Services | Intrusion Prevention page.
  3. Make sure Enable IPS is checked.
  4. Enable the checkboxes under Prevent All and Detect All for High and Medium Priority Attacks.
  5. Enable the checkbox under Detect All for Low Priority Attacks.
  6. Under Lookup Signature ID, enter 5770 and click on the find icon.
  7. In the Edit IPS Signature window, set Prevention and Detection to Enable.
  8. Click on OK to save and close the window.

Enabling IPS on zones

  1. Navigate to Manage | Network | Zones.
  2. Click on the configure button under the zone where you want to enable IPS.
  3. Enable the checkbox Enable IPS.
  4. Click on OK to save.

Testing

With this signature enabled, when an SSL client proposes TLS 1.x in its Client Hello and the server responds with SSL 3.0, the response is blocked by SonicWall IPS. A log message is generated when this signature blocks such traffic.
