Pulse Secure recommends using AES cipher suites and disabling RC4. Customers with low-end devices (MAG 2600 and MAG 4610) should take careful consideration before disabling RC4 on a heavily loaded device where traffic is mainly SSL (VPN Tunneling in SSL mode, rewrite traffic, SAM and Terminal Services).
While AES provides better security, AES does cause a decrease in performance on the PCS device. If the device is mainly utilizing ESP mode for VPN Tunneling, the amount of SSL traffic is minimal (all data would be sent over UDP port 4500) and the change should result in little performance impact on the PCS device.
Note: Starting with 8.2R1, AES will be the preferred cipher suite over RC4 (when both options are selected). When RC4 is disabled, this setting change will cause the web server to restart and cause end users to reconnect. The recommendation is to make the following change during a maintenance window.
To disable RC4 cipher suites, please perform the following steps:
8.2R2 and below:
- Login to the administrator console.
- Navigate to System > Configuration > Security > SSL Options.
- Under Allow Encryption Strength, select Custom SSL Cipher Suites.
- From the chart, select the checkboxes only for AES/3DES and AES.
8.2R3 and above:
- Login to the administrator console.
- Navigate to System > Configuration > Security > Inbound SSL Options.
- Under Allow Encryption Strength, select Custom SSL Cipher Suites.
- From the right pane (under Selected Cipher Suites), remove all cipher suites with RC4.
- Click Save Changes.
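After saving, it is worth confirming from outside the device that no RC4 suite is still offered. The following is an added example, not code from the Pulse Secure article or product: it sorts a "Selected Cipher Suites" list into RC4 entries to remove and entries to keep, and then attempts a TLS 1.2 handshake offering only RC4 suites against the device. The host name vpn.example.com is a placeholder, the suite list is a constructed sample, and all function names are this example's own.

```python
"""Check a TLS endpoint (e.g. a PCS device after the SSL Options change) for RC4.

Added example, not part of the Pulse Secure article. The host/port values
are placeholders; all function names belong to this example.
"""
import socket
import ssl

# Constructed sample of a "Selected Cipher Suites" list, mixing IANA-style
# names (as shown in the admin console) and OpenSSL-style names.
SAMPLE_SELECTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-RC4-SHA",
    "AES128-SHA",
]


def uses_rc4(suite_name: str) -> bool:
    """True when the cipher suite name uses RC4 as its bulk cipher.

    Works for IANA names (TLS_RSA_WITH_RC4_128_SHA) and OpenSSL names
    (RC4-SHA, ECDHE-RSA-RC4-SHA); the check is case-insensitive.
    """
    return "RC4" in suite_name.upper()


def split_suites(suites):
    """Partition a suite list into (to_remove, to_keep) per the article's guidance."""
    remove = [s for s in suites if uses_rc4(s)]
    keep = [s for s in suites if not uses_rc4(s)]
    return remove, keep


def probe_rc4(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a TLS 1.2 handshake that offers only RC4 suites.

    Returns one of:
      "accepted:<cipher>" - server negotiated an RC4 suite (RC4 still enabled)
      "rejected"          - server refused the handshake (RC4 disabled)
      "no-local-rc4"      - local OpenSSL has no RC4 suites; use another scanner
      "error:<reason>"    - could not reach the host at all
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Cipher probe only, not a trust decision: the device may use a
    # self-signed cert and we only want to see the negotiated cipher.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # RC4 exists only in TLS <= 1.2; without this cap a TLS 1.3 server
    # could pick a TLS 1.3 AES suite and mask the result.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("RC4")
    except ssl.SSLError:
        # Most current OpenSSL builds omit RC4 entirely.
        return "no-local-rc4"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted:" + tls.cipher()[0]
    except ssl.SSLError:
        return "rejected"
    except OSError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    remove, keep = split_suites(SAMPLE_SELECTED_SUITES)
    print("remove from Selected Cipher Suites:", remove)
    print("keep:", keep)
    # Placeholder: replace with the device's external interface name or IP.
    print(probe_rc4("vpn.example.com"))
```

A "rejected" result after the change, where the same probe returned "accepted:..." before it, confirms the device no longer negotiates RC4. If the local OpenSSL reports no RC4 support, run the probe from a host whose TLS library still includes RC4, or use a cipher-enumeration scanner.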
Note: Before disabling RC4 in Outbound SSL Options, please consult with the backend application vendors and administrators. Legacy applications may depend on RC4 cipher suites and may break after this option is disabled.
Workaround:
If disabling RC4 cannot be performed, Pulse Secure recommends setting the max session time to 1 to 2 days. This should help minimize the risk, as a potential attacker would need to monitor the user's session for several hours to potentially break the encryption. However, these estimated times will continue to get shorter over time, and this is not recommended as a long-term solution.