SonicWalls cannot pass PCI Compliance if you use GroupVPN

SSL VPN also failed. SonicWall support says that the units will still advertise the weak ciphers even if you use SSL VPN and there’s nothing they can do about it.

Qualys has a history of “ahead of their time” minimum requirements specifically intended to present scan “findings” that keep them relevant and their sales up. The requirements aren’t wrong so much as excessive for PCI.

I hear ya there.

This is our experience too.

Yes, the SonicWalls still advertise the weak ciphers even when SSL VPN is configured and in use.

Because then you’re cheating?

MOST OF THEM could be logged into with their default PWs.

I thought we were hating on SonicWalls, not bad implementations!

We did an eval; MOST OF THEM could be logged into with their default PWs.

How is that a fault of the manufacturer?

We had to dump the Sophos XG firewall because their HA and IPSec implementations are trash and fail constantly. Not to mention their QA dept is horrible and rolls out features and fixes that are broken.

Command and control servers have a different connotation amongst security professionals. 🙂

Check your facts before flaming. SonicWall refers to the feature as both GroupVPN and GlobalVPN. Group VPN is a general VPN term meaning multiple endpoints dialing into a central VPN appliance. Not sure why you think we are struggling trying to make customers compliant that don’t need PCI compliance? How would we be failing PCI compliance scans then? Get a clue. And we have also tried to use SSLVPN on the SonicWalls and they also failed. You would know this if you stopped to read? I mentioned it several times to the people on this thread that are actually helpful (hint: that’s not you).

Did you disable the “Accept multiple client proposals” option under the Advanced tab in the Group VPN settings? That’s the part that allows for weaker ciphers.

edit: a word

Who’s your compliance vendor? We use Trustwave and have never had any issue with SonicWall and SSL VPN while weak ciphers are disabled.

So does it advertise them but you can’t use them? Or, even after disabling them, can people still use them?

Just my personal view based on interaction. We support hundreds of clients, almost exclusively SonicWall. Many years ago, we started having more and more issue with the Global VPN client. After opening and closing several tickets in a few short days/weeks, the general response from support became “Use SSL VPN, it doesn’t have this problem.” We switched right then and there, and never looked back. Basically, I got the feeling that even their support is like “this is a dumpster fire of a VPN solution, please use our SSL VPN product instead.”

You should also be able to tell whoever is doing the scan that this is a needed thing for business operations, and they will make an exception for it.

Go into the hidden diag page and turn off the cipher you want disabled?

I’m not and the article does not suggest using SSL VPN. It suggests using certificates instead of passphrases in your IPSec VPN configuration.

I meant for card data devices, not to lie about a PCI scan like people seem to assume here.

I myself am a certified Sophos Engineer and I have had excellent results with Sophos over everything else. I am kinda curious actually. What did you end up going with?

Oh I agree, but we had to set up an AWS RDP server so we can isolate out management of the firewalls and not allow anyone else except our IP address, so I guess kinda fitting, but yeah, I see your perspective.