We have a requirement to deploy a SAS SSL VPN solution using some MAGs. The requirements as defined by the customer are to use:
- Encryption: AES with 128-bit key in GCM mode
- Authentication: ECDSA-256 with SHA-256 on P-256 curve
- Key Exchange: ECDH using P-256 curve
As all fall under the combination 1 of the Suite B profile for TLS (RFC 6460).
The Junos SAS does support suite B, however, I'm a little unsure as to how we actually ensure that these parameters are used when the client connects (via Pulse only, never a web browser).
In our lab we have a MAG and a Pulse client. Under Configuration > Security > SSL Options I have the following configured:
1. Turn on FIPS mode
2. Accept only TLS
3. Custom SSL Cipher Selection (AES/3DES and AES ticked)
When we fire up the Pulse client we see that we only ever agree between Pulse and the SAS the Ciper Suite:
This may be a silly question but what is the best way to ensure that we use the following Ciper Suite so as to comply with the customer's requirements:
Anyone have ideas?
The only way you can do this is by changing the cipher orders to put PFS ciphers at the top, a feature that is not currently available. You can see my thread on this here: https://forums.pulsesecure.net/topic/pulse-connect-secure/265658-allow-changing-cipher-order
Juniper indicated it was likely to be included in the next major release, but with everything up in the air with Juniper transitioning to pulse secure, who knows when thats going to happen.