Overview of Cipher control in Gen7-SonicOS
08/25/2022
Description
Cipher Control:
The Cipher Control feature can allow or block any or all TLS and SSH ciphers in SonicOS. This functionality applies to:
- DPI-SSL (TLS traffic inspected by the firewall)
- HTTPS MGMT (TLS sessions accessing the firewall)
- SSL Control (inspects TLS traffic passing through the firewall without DPI-SSL)
Any change to the TLS ciphers applies to all TLS traffic.
The list of ciphers is a superset of the supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller subset of them.
The ciphers are ordered by security strength, with the ciphers at the top more secure than the ones below.
NOTE: DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers, nor some of the weak ciphers.
Resolution
TLS Ciphers
Almost 333 TLS ciphers are in the list; each can be allowed or blocked, and the list can be filtered by strength, CBC mode support, and TLS protocol version.
They are configured from the Network | Firewall | Cipher Control | TLS Cipher tab, where you can filter the ciphers and decide whether to block or allow them. This functionality applies to DPI-SSL, HTTPS management, and SSL control.
TLS Ciphers are explained under the following headings:
- Blocking/Unblocking Ciphers
- Filtering Ciphers
Blocking/Unblocking Ciphers
To block ciphers
1. Navigate to Network | Firewall | Cipher Control | TLS Cipher.
2. Click TLS Ciphers.
3. Either:
- Select the cipher(s) to block.
- Click the checkbox in the table header.
4. Click Block. A confirmation dialog is displayed for blocking the selected ciphers.
5. Click OK. A Blocked icon is displayed in the Blocked column for each blocked cipher.
To unblock ciphers
1. Navigate to Network | Firewall | Cipher Control | TLS Cipher.
2. Click TLS Ciphers.
3. Either:
- Select the cipher(s) to unblock.
- Click the checkbox in the table header.
4. Click Unblock. A confirmation dialog is displayed for unblocking the selected ciphers.
5. Click OK. The Blocked icon is no longer displayed in the Blocked column for each unblocked cipher.
Filtering Ciphers
You can filter ciphers to easily configure which ciphers should be allowed or blocked.
- Selecting Display Options
- Displaying Ciphers by Strength
- Displaying Ciphers by Block/Unblock
- Displaying Ciphers by CBC Mode
- Displaying Ciphers by TLS Protocol Version
Selecting Display Options
The TLS Ciphers table displays which TLS protocol versions support which ciphers. You can also display which of the following features support each cipher:
- DPI-SSL
- HTTPS management
- SSL control
To filter TLS Ciphers by protocol
1. Navigate to Network | Firewall | Cipher Control | TLS Cipher.
2. Click TLS Ciphers.
3. Click the Column Configuration option. The Select Columns to show/hide drop-down is displayed.
4. Select the protocol(s) to display:
- Select All: selected by default.
- DPI-SSL: selected by default.
- HTTPS MGMT: selected by default.
- SSL Control: selected by default.
Displaying Ciphers by Strength
Ciphers are rated according to their strength:
- Recommended
- Secure
- Insecure
- Weak
The TLS Ciphers table displays all ciphers of all strengths. You can restrict the TLS Cipher table to display only those ciphers of a particular strength.
To display ciphers by strength
- Navigate to Network | Firewall | Cipher Control | TLS Ciphers.
- Click TLS Ciphers.
- Select the required option from the Strength drop-down. The default is All.
The TLS Cipher table redisplays, showing only those ciphers with the corresponding strength, and the Strength drop-down menu reflects the displayed strength.
Displaying Ciphers by Block/Unblock
The TLS Ciphers table displays all blocked and unblocked ciphers. You can restrict the TLS Cipher table to display only those ciphers that are blocked or unblocked.
To display blocked/unblocked ciphers
- Navigate to Network | Firewall | Cipher Control | TLS Ciphers.
- Click TLS Ciphers.
- Select the allow/block action from the Action drop-down:
- All (default)
- Allow (unblock)
- Block
The TLS Cipher table redisplays, showing only those ciphers with the corresponding action, and the Action drop-down reflects the displayed action.
Displaying Ciphers by CBC Mode
The TLS Ciphers table displays all ciphers regardless of whether they use CBC mode. You can restrict the display by whether a cipher uses CBC mode.
To display ciphers by CBC mode
- Navigate to Network | Firewall | Cipher Control | TLS Cipher.
- Click TLS Ciphers.
- Select whether the cipher uses CBC mode from the CBC drop-down:
- All (default)
- Is (uses CBC mode)
- Not (does not use CBC mode)
The TLS Cipher table redisplays according to the selection, showing an Enabled icon in the Is CBC column for those ciphers that use CBC mode and nothing in that column for those that don't.
Displaying Ciphers by TLS Protocol Version
The TLS Ciphers table displays all ciphers for all TLS protocol versions. You can restrict the display by version of TLS protocol the cipher supports.
To display ciphers by TLS protocol version
- Navigate to Network | Firewall | Cipher Control | TLS Cipher.
- Click TLS Ciphers.
- Click the TLS version(s) whose ciphers you want to display.
If a cipher supports more than the selected version, the Enabled icon is displayed for the other supported versions as well.
SSH Ciphers
The SSH Ciphers page at Network | Firewall | Cipher Control | SSH Ciphers allows you to specify which cryptographic SSH ciphers SonicOS uses.
To select or deselect SSH ciphers:
- Navigate to Network | Firewall | Cipher Control.
- Click SSH Ciphers.
- Select the SSH algorithms to use or ignore.
NOTE: All SSH ciphers are selected by default.
Related Articles
- Cipher Control feature in GEN6 SonicOS: How to allow or block TLS and SSH ciphers using the Cipher Control feature