Overview of Cipher control in Gen7-SonicOS

   Cipher Control:

  Cipher Control feature can allow or block any or all TLS and SSH ciphers in SonicOS. This functionality applies to:

•      DPI-SSL (TLS traffic inspected by the firewall)
•      Https MGMT (TLS sessions accessing the firewall)
•      SSL Control (inspect TLS traffic passing through the firewall: non-DPI-SSL)

  Any change to the TLS ciphers applies to all TLS traffic.

 The list of ciphers is a super set of supported ciphers.While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller list of ciphers.

The ciphers are ordered based on the security strengths, with ciphers on top more secure than the ones below

NOTE: DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak cipher

TLS cipher

Almost 333 TLS ciphers are in the list which can be allowed/blocked based on strength, CBC mode support, as well as TLS protocol version.

It can be configured from the Network |Firewall | Cipher Control |TLS Cipher tab. We can easily filter them and take the decision to whether block or allow certain ciphers. This functionality applies to DPI-SSL, HTTPS management, and SSL control. The following can be used for filtering the ciphers.

• Strength: Recommended, Secure, Weak, Insecure
• Is CBC: Indicates whether the cipher uses CBC (Cipher-Block Chaining) mode
• TLS version: We have toggle switches for TLS version 1.0 through 1.3
• Action: 

  You can also view all allowed/blocked ciphers using this drop-down

       TLS Ciphers can be explained in detail by elaborating below headings:

• Blocking/Unblocking Ciphers
• Filtering Ciphers

Blocking/Unblocking Ciphers

To block ciphers

1. Navigate to Network |Firewall | Cipher Control |TLS Cipher.
2. Click TLS Ciphers.
3. Either:

• Select the cipher(s) to block.
• Click the checkbox in the table header.

     4.Click Block. A confirmation dialog is displayed to block the selected ciphers.

     5.Click OK. A Blocked icon displays in the Blocked column for each blocked cipher(s).

To unblock ciphers

1. Navigate to Network |Firewall | Cipher Control |TLS Cipher.
2. Click TLS Ciphers.
3. Either:

• Select the cipher(s) to block.
• Click the checkbox in the table header.

     4.Click UnBlock. A confirmation dialog is displayed to unblock the selected ciphers.

     5.Click OK. The Blocked icon is no longer displayed in the Blocked column for each blocked cipher(s).

  Filtering Ciphers

  You can filter ciphers to easily configure which ciphers should be allowed or blocked.

• Selecting Display Options
• Displaying Ciphers by Strength
• Displaying Ciphers by Block/Unblock
• Displaying Ciphers by CBC Mode
• Displaying Ciphers by TLS Protocol Version

Selecting Display Options

The TLS Ciphers table displays which TLS protocols support which ciphers. You can also display other protocols that support the ciphers:

• DPI-SSL
• HTTPS management
• SSL control

To filter TLS Ciphers based on its protocols

1.  Navigate to Network |Firewall | Cipher Control |TLS Cipher.

2.  Click TLS Ciphers.

3.  Click Column Configuration option. The Select Columns to show/hide drop-down displays.

      4.Select the protocol(s) to display:

• Select All– This option is selected by default.
• DPI-SSL– This option is selected by default.
• HTTPS MGMT– This option is selected by default.
• SSL Control– This option is selected by default.

Displaying Ciphers by Strength

Ciphers are rated according to their strength:

• Recommended
• Secure
• Insecure
• Weak

The TLS Ciphers table displays all ciphers of all strengths. You can restrict the TLS Cipher table to display only those ciphers of a particular strength.To display ciphers by strength

1. Navigate to Network |Firewall | Cipher Control |TLS Ciphers
2. Click TLS Ciphers.
3. Select the required option from Strength drop-down. The default is All.

TLS Cipher table redisplays, showing only those ciphers with the corresponding strength and the Strength drop-down menu reflects the displayed strength.

Displaying Ciphers by Block/Unblock

The TLS Ciphers table displays all blocked and unblocked ciphers. You can restrict the TLS Cipher table to display only those ciphers that are blocked or unblocked.

To display blocked/unblocked ciphers

1. Navigate to Network |Firewall | Cipher Control |TLS Ciphers
2. Click TLS Ciphers.
3. Select the allow/block action from Actiondrop-down.

• All (default)
• Allow (unblock)
• Block

Displaying Ciphers by CBC Mode

The TLS Ciphers table displays all ciphers for all ciphers regardless of whether they use CBC mode. You can restrict the display to whether a cipher uses CBS mode.

To display whether ciphers use CBC mode

1. Navigate to Network |Firewall | Cipher Control |TLS Cipher.
2. Click TLS Ciphers.
3. Select whether the cipher uses CBC mode from CBC.

• All (default)
• Is (uses CBC mode)
• Not (does not use CBC mode)

The TLS Cipher table redisplays according to the selection, showing an Enabled icon in the Is CBC column for those ciphers using CBC mode and nothing in the CBC column for those that don’t.

Displaying Ciphers by TLS Protocol Version

The TLS Ciphers table displays all ciphers for all TLS protocol versions. You can restrict the display by version of TLS protocol the cipher supports.

To display ciphers by TLS protocol

1. Navigate to Network |Firewall | Cipher Control |TLS Cipher.
2. Click TLS Ciphers.
3. Click the TLS version(s) for displaying ciphers:

If a cipher supports more than the selected version, the Enabled icon displays for the other supported versions as well.

SSH Ciphers

The SSH Ciphers page of Network |Firewall | Cipher Control |SSH Ciphers  allows you to specify which cryptographic SSH ciphers SONICOS uses.

To select or deselect SSH ciphers:

1. Navigate to Network |Firewall | Cipher Control.
2. Click SSH Ciphers.
3. Select the SSH algorithm to use or ignore.

♦ All SSH ciphers are selected by default.

Cipher Control feature in GEN6 SonicOS: How to allow or block TLS and SSH ciphers using the Cipher Control feature