Introduction to Cipher Control feature

Description

Cipher control feature was introduced in the feature release firmware version 6.5.4.1. It can be used to allow or block any or all TLS and SSH ciphers. This functionality applies to:

  • DPI-SSL (TLS traffic inspected by the firewall)
  • HTTPS MGMT (TLS sessions accessing the firewall)
  • SSL Control (inspect TLS traffic passing through the firewall: (non DPI-SSL)

Any change to the TLS ciphers applies to all TLS traffic.


Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


The list of ciphers displayed in the Network | Firewall | Cipher Control page are a list of known TLS ciphers. The list of ciphers is a superset of supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller list of ciphers. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak ciphers that are listed on the same Cipher Control page.

The ciphers are ordered based on the security strengths, with ciphers on top more secure than the ones below. Both DPI-SSL and HTTPS MGMT implementations use the relative ordering of their supported ciphers based on Cipher Control page; that is, for the DPI-SSL supported ciphers, DPI-SSL orders them based on the ciphers listed in  Cipher Control page. The same is true for HTTPS MGMT ciphers.


TLS Ciphers:

  • The TLS Ciphers page of Network | Firewall | Cipher Control has around 333 TLS ciphers in the list which can be allowed/blocked based on strength, CBC mode support, as well as TLS protocol version.
    Image

SSH Ciphers:

  • The SSH Ciphers page of Network | Firewall | Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. The SSH ciphers can be allowed/blocked based on key exchange algorithm, Public key algorithm, Encryption algorithm as well as MAC algorithm.
    Image




Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


The list of ciphers displayed in the MANAGE | Security Configuration | Firewall Settings | Cipher Control page are a list of known TLS ciphers. The list of ciphers is a superset of supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller list of ciphers. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak ciphers that are listed Cipher Control page.

The ciphers are ordered based on the security strengths, with ciphers on top more secure than the ones below. Both DPI-SSL and HTTPS MGMT implementations use the relative ordering of their supported ciphers based on Cipher Control page; that is, for the DPI-SSL supported ciphers, DPI-SSL orders them based on the ciphers listed in Cipher Control page. The same is true for HTTPS MGMT ciphers.


TLS Ciphers:

  • The TLS Ciphers page of MANAGE | Security Configuration | Firewall Settings | Cipher Control has around 333 TLS ciphers in the list which can be allowed/blocked based on strength, CBC mode support, as well as TLS protocol version.Image


SSH Ciphers:

  • The SSH Ciphers page of MANAGE | Security Configuration | Firewall Settings | Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. The SSH ciphers can be allowed/blocked based on key exchange algorithm, Public key algorithm, Encryption algorithm as well as MAC algorithm.Image



Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
NSa Series
Firewalls
TZ Series
not finding your answers?
Ask the Community