SonicWalls cannot pass PCI Compliance if you use GroupVPN

Your entire post was a flame, IMO. If you can’t get SSLVPN to work on a sonicwall you don’t belong in the industry. And you clearly don’t understand vulnerability scans. Later.

If you disable VPN altogether then the scans pass. But if you enable any kind of Group VPN at all it also advertises weaker encryption negotiation methods. Even if they are disabled and you’ve upped the encryption requirements. SonicWall has no way of fixing it.

Uhh in my experience they will tell you to buy a new firewall so you are compliant.

Yes, we’ve purchased 3rd-party SSL certificates to use instead of pre-shared keys. It still advertises weak ciphers as well, even though they are no longer in use, and fails.

This will soon be the necessary way in future implementations IMHO.

First via VLAN and then perhaps later through physical device segregation of switches, etc.

With attack vectors shrinking, the only choice for most will be to attack the LANs through proxies.

Target showed us why this would be likely. Their setup, even by today’s standards, was/is PCI compliant.

https://www.technewsworld.com/story/80160.html

My engineers are Sophos certified also. We ended up with Fortinet.

Sophos Certified Engineer is an open-Internet quiz. I wouldn’t put that on your resume, lol.

Central management is a normal term.

Still can’t read? Using SSLVPN did not fix the issue, even per SonicWall support’s findings. Feel free to come back and comment when you’ve gained both reading and comprehension skills.

Even though it advertises them, does it block clients from using them?

Which ports is it failing on, if at all? I’ve had an issue similar to this and I was able to dispute the findings, basically saying that this is a secure connection. I was using SSL-VPN. You should definitely start using that instead of Group VPN.

That’s never happened to us. We have a fleet of over 300 SonicWalls.

If GlobalVPN is enabled UDP 500 will be automatically opened to the world and you will fail a scan.

That’s not the point.

If you have VPN enabled in any capacity on the sonicwall the scans will fail at some point.

Source: just got through a months-long compliance battle.

But does it still let you use them? The level of shade being thrown around here makes it seem they left some type of hard coded development password in code allowing anyone to login.
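
The question asked in the two comments above (does the gateway merely advertise the weak methods, or will it actually negotiate them?) is answerable without a scanner: offer the IKE responder exactly one transform at a time and see whether it replies with an SA payload (accepted) or NO-PROPOSAL-CHOSEN (rejected). The following is an added example, not code from any poster in this thread or from SonicWall; packet layout follows RFC 2408/2409, and the transform names, the constructed sample replies, and any host passed on the command line are assumptions for illustration.

```python
"""IKEv1 Main Mode single-transform probe (added example, not from the thread or the vendor).

A PCI scanner flags a gateway on UDP 500 for the transforms it advertises; this
probe checks which transforms it actually accepts by offering one at a time.
Packet layout follows RFC 2408/2409.  Transform names, the sample replies and
any host you pass on the command line are assumptions.
"""
import os
import socket
import struct
import sys

PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11          # ISAKMP next-payload types
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5   # exchange types
NOTIFY_NO_PROPOSAL_CHOSEN = 14
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEYLEN = 11, 12, 14

# Transform sets to offer one by one: (enc, hash, auth, DH group, key length or None)
TRANSFORMS = {
    "des-md5-psk-modp768": (1, 1, 1, 1, None),      # weak: DES, MD5, group 1
    "3des-sha1-psk-modp1024": (5, 2, 1, 2, None),   # legacy but often still accepted
    "aes128-sha1-psk-modp1024": (7, 2, 1, 2, 128),  # AES-CBC needs a Key Length attribute
}


def _attr(atype, value):
    """Basic (TV) ISAKMP attribute: type with the high bit set, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def build_sa_payload(enc, hsh, auth, group, keylen=None):
    """SA payload -> one proposal (protocol ISAKMP) -> one KEY_IKE transform."""
    attrs = (_attr(ATTR_ENC, enc) + _attr(ATTR_HASH, hsh) + _attr(ATTR_AUTH, auth)
             + _attr(ATTR_GROUP, group) + _attr(ATTR_LIFE_TYPE, 1)
             + _attr(ATTR_LIFE_DUR, 28800))
    if keylen is not None:
        attrs += _attr(ATTR_KEYLEN, keylen)
    # Transform: next=0, reserved, length, transform#=1, transform id=1 (KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next=0, reserved, length, proposal#=1, protocol=1 (ISAKMP), SPI size=0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA: next=0, reserved, length, DOI=1 (IPsec), situation=1 (SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal


def build_probe(enc, hsh, auth, group, keylen=None, icookie=None):
    """Main Mode message 1: 28-byte ISAKMP header followed by the SA payload."""
    icookie = icookie or os.urandom(8)
    sa = build_sa_payload(enc, hsh, auth, group, keylen)
    hdr = struct.pack("!8s8sBBBBII", icookie, b"\x00" * 8, PAYLOAD_SA, 0x10,
                      EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def parse_response(data, icookie=None):
    """Classify the responder's reply as accepted / rejected / unexpected."""
    if len(data) < 28:
        return {"result": "unexpected", "reason": "short packet"}
    ic, _rc, nxt, _ver, exch, _flags, _msgid, _len = struct.unpack("!8s8sBBBBII", data[:28])
    if icookie is not None and ic != icookie:
        return {"result": "unexpected", "reason": "initiator cookie mismatch"}
    if nxt == PAYLOAD_SA and exch == EXCH_MAIN_MODE:
        # An SA payload in message 2 means the responder picked our single transform.
        return {"result": "accepted", "reason": "responder returned an SA payload"}
    if nxt == PAYLOAD_NOTIFY and len(data) >= 40:
        # Notification: next, reserved, length, DOI, protocol id, SPI size, notify type
        *_, ntype = struct.unpack("!BBHIBBH", data[28:40])
        if ntype == NOTIFY_NO_PROPOSAL_CHOSEN:
            return {"result": "rejected", "reason": "NO-PROPOSAL-CHOSEN"}
        return {"result": "unexpected", "reason": f"notify type {ntype}"}
    return {"result": "unexpected", "reason": f"next payload {nxt}, exchange {exch}"}


def probe(host, name, port=500, timeout=3.0):
    """Send one transform to a live gateway. Only probe hosts you are authorized to test."""
    enc, hsh, auth, group, keylen = TRANSFORMS[name]
    icookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind(("", port))  # many responders only answer a source port of 500 (needs privilege)
        except OSError:
            pass
        s.sendto(build_probe(enc, hsh, auth, group, keylen, icookie), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"result": "no-response", "reason": "timeout (dropped, or aggressive-mode-only)"}
    return parse_response(data, icookie)


# Constructed replies for offline demonstration (not captured from any real device).
SAMPLE_COOKIE = bytes.fromhex("0102030405060708")
_sa = build_sa_payload(1, 1, 1, 1)
SAMPLE_ACCEPT = struct.pack("!8s8sBBBBII", SAMPLE_COOKIE, bytes.fromhex("a1a2a3a4a5a6a7a8"),
                            PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(_sa)) + _sa
SAMPLE_REJECT = (struct.pack("!8s8sBBBBII", SAMPLE_COOKIE, b"\x00" * 8, PAYLOAD_NOTIFY, 0x10,
                             EXCH_INFORMATIONAL, 0, 0, 40)
                 + struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, NOTIFY_NO_PROPOSAL_CHOSEN))

if __name__ == "__main__":
    if len(sys.argv) < 2:  # no host given: run the classifier on the constructed samples
        print("accept sample:", parse_response(SAMPLE_ACCEPT, SAMPLE_COOKIE))
        print("reject sample:", parse_response(SAMPLE_REJECT, SAMPLE_COOKIE))
    else:
        for name in TRANSFORMS:
            print(name, probe(sys.argv[1], name))
```

Run it with no arguments to see the classifier on the built-in samples, or with a gateway address you own to probe each transform set in turn. A transform that comes back "accepted" is one the gateway will really negotiate, whatever the scanner's advertisement-based finding says; a gateway that only allows aggressive mode (as a GroupVPN/PSK setup usually does) will typically answer nothing or NO-PROPOSAL-CHOSEN to a Main Mode probe, which is why "no-response" is reported separately from "rejected".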

Don’t worry about it. I have a 2650 being delivered next week so I guess I’ll get my own answer then.

Talk to the compliance vendor.

In my case I had a local branch manager that could cut through the red tape and talk to a manager.

Tell them why it’s failing and write out a business case for the open ports that failed.

In our situation we provided a network diagram and firewall rules that showed why the ports were opened.

Are you talking about opening ports for a server behind the firewall to be accessible?

No. I probably worded my original response wrong.

I meant the SSL or IPsec ports that the PCI scanner reports as open. Even if you have every other port closed off, SonicWall VPN still uses those ports. I suppose any other vendor’s VPN would have some port open to use the service.