I have been using a Netscreen SSG-5 firewall for my home office since 2009. It has been a few years since I updated the firmware or configuration and I need some advice/help. I recently received an email from Lifelock warning me about VPNFilter malware that is targeting routers. This made me think that I should make sure my SSG5 is as secure as possible. I plan on using this firewall until support ends in 2020.
Note: For admin purposes, I never access the firewall OS externally, I only access it on the 192.168 internal subnet.
The first hint of problems came when I tried connecting to it at https://192.168.X.XX/ using Firefox. I get an error message that the Secure Connection Failed with this specific error message: Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP. I then tried using Chrome and IE and had similar errors. I finally gained access by creating a new Firefox profile and installing Firefox 33.
Here is my current config:
ScreenOS: Currently running 6.1.0r2.0.
- I downloaded 6.3.0r.25
- Would like advice on safest steps to install this
Certificate: Current certificate is Default System Self Signed Certificate. It expired 7+ years ago in December 2010. When I view the certificate from my server, it has a common name but the Organization and Organization Unit fields are blank - they say <Not Part of Certificate>. The fingerprints are SHA-256 and SHA-1.
- How do I create a new certificate that is valid for several years?
- Is there a way to have the Organization field filled in?
- How do I install the new certificate and get rid of the old?
- What are the best Fingerprints to use? Is having SHA1 a security risk?
- I'm confused that I have SHA-256 because I read it was added in 6.2.0 and I am using 6.1.2
Other config settings:
HTTP port is 80 but redirect HTTP to HTTPS automatically is checked
HTTPS/SSL port is 443
Cipher: currently set to RC4_MD5. Other options include RC4_40_MD5, DES_SHA-1, and 3DES_SHA-1.
- Are HTTP and HTTPS settings correct?
- What Cipher(s) should I use? Out of the above choices, is 3DES_SHA-1 the safest?
- Is there any way to get AES on this firewall? I read it is the most secure.
- How do I make sure that old, insecure ciphers are not supported in any way?
Finally, once I implement your suggested changes, is there anything I have to do on my servers and PCs (install new certificates, change settings)?
I know there are a lot of questions. I greatly appreciate any help. Thanks!
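One way to produce the replacement management certificate the questions above ask about (self-signed, Organization and Organizational Unit populated, SHA-256 signed, RSA 2048-bit, valid for five years) and to verify those properties before importing it, using the OpenSSL command line. This is an added example, not part of the original post and not ScreenOS's own tooling; the hostname, organization names, validity period and output directory are assumed placeholders, and the ScreenOS-side import of the key and certificate is not shown.

```shell
#!/bin/sh
# Added example: build a replacement self-signed management certificate
# and check its subject, signature algorithm, key size and validity window.
set -eu

# Assumed placeholder values; override via environment or edit in place.
CERT_CN="${CERT_CN:-firewall.example.internal}"   # hostname or IP you browse to
CERT_O="${CERT_O:-Example Home Office}"           # Organization (O)
CERT_OU="${CERT_OU:-Network}"                     # Organizational Unit (OU)
CERT_DAYS="${CERT_DAYS:-1825}"                    # 5 years of validity
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Generate key + certificate in one step: RSA 2048, SHA-256 signature,
# unencrypted key (-nodes) so the device can load it without a passphrase.
# Prints the certificate path.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$OUT_DIR/fw.key" -out "$OUT_DIR/fw.crt" \
        -days "$CERT_DAYS" \
        -subj "/CN=$CERT_CN/O=$CERT_O/OU=$CERT_OU" 2>/dev/null
    echo "$OUT_DIR/fw.crt"
}

# Return one subject attribute (CN, O, OU) from a certificate file.
# RFC2253 formatting gives a stable "OU=..,O=..,CN=.." layout across versions.
cert_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | grep "^$2=" | cut -d= -f2-
}

# Signature algorithm name, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | grep -o '[0-9]* bit' | head -n1 | awk '{print $1}'
}

# Succeeds only if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run the generation and print a short report.
CRT="$(make_cert)"
echo "certificate: $CRT"
echo "key:         $OUT_DIR/fw.key"
echo "CN=$(cert_field "$CRT" CN) O=$(cert_field "$CRT" O) OU=$(cert_field "$CRT" OU)"
echo "signature:   $(cert_sigalg "$CRT")"
echo "key size:    $(cert_key_bits "$CRT") bit"
if cert_valid_for "$CRT" 126144000; then   # 4 years in seconds
    echo "validity:    still valid four years from now"
else
    echo "validity:    expires within four years"
fi
```

After importing the key and certificate on the firewall, the same `openssl x509` checks can be pointed at the certificate the browser shows to confirm the device is serving the new one rather than the expired default. The cipher question is a separate setting on the device and is not addressed by the certificate.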