Migration from SHA1 to SHA256 signing algorithm

With this release, Network Security Platform deprecates SHA1-signed certificates for Sensor-Manager communication on NS-series and Virtual IPS Sensors and replaces them with SHA256-signed certificates. This results in more secure communication between the Sensor and the Manager.

Previous Releases

In Network Security Platform 8.1 deployments, both the Sensor and Manager certificates used 1024-bit RSA keys and were signed with Sha1WithRSAEncryption. The Manager ports 8501, 8502, and 8503 served the TLS channels from the Sensor. The cipher used by the Sensor and Manager was TLS1.0-RSA-AES128-SHA1.

Starting with the releases listed below, the Sensor certificate used 2048-bit RSA keys and a Sha256WithRSAEncryption signature. The Manager certificate used 2048-bit RSA keys but retained the Sha1WithRSAEncryption signature. The Manager ports 8506, 8507, and 8508 served the TLS channels from the Sensor. The cipher used by the Sensor was TLS1.0-RSA-AES128-SHA1.

  • NS-series - 8.1.7.5-8.1.5.14 up to but not including 8.1.7.91-8.1.5.210, and 8.3.7.7-8.3.56
  • Virtual IPS Sensor - 8.1.7.5-8.1.7.14 up to but not including 8.1.7.91-8.1.7.44, and 8.3.7.7-8.3.7.3

Current Release

From release 9.2, the Manager supports 2048-bit RSA keys with a Sha256WithRSAEncryption signature. This release of the Manager reuses ports 8501, 8502, and 8503, previously allocated to certificates using 1024-bit RSA keys, to serve this new posture. The cipher used by the Sensor is TLS1.2-RSA-AES128-GCM-SHA256. Hence, after upgrading the Manager, Sensors deployed on these ports using 1024-bit RSA keys and weaker signatures are no longer supported.

Note: The Manager and Sensor support 2048-bit RSA keys with a Sha256WithRSAEncryption signature in release 8.1.7.91-8.1.5.210 (NS-series) and 8.1.7.91-8.1.7.44 (Virtual IPS).

Need to know

If you have a heterogeneous deployment, your Manager must have both sets of ports (8501, 8502, and 8503, and 8506, 8507, and 8508) open to facilitate migration to a stronger security posture.

If a Sensor is still installed on your current Manager ports 8501, 8502, and 8503 using 1024-bit RSA keys, you will not be able to upgrade your Manager to version 9.1 and later.

All Sensors installed on the 8.1.7.91 Manager ports 8506, 8507, and 8508 using 2048-bit keys will automatically migrate back to Manager ports 8501, 8502, and 8503 once the Sensors are also upgraded to 9.2.
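Before upgrading, it helps to confirm which posture each Manager port is actually serving, since a 1024-bit Sensor left on ports 8501-8503 blocks the upgrade. The following is an added example, not Network Security Platform product code: it parses the RSA certificate a port presents and classifies it into the three states described on this page (legacy 1024-bit/SHA1, transitional 2048-bit/SHA1, current 2048-bit/SHA256). It uses only the Python standard library; `audit_manager_port` is the live check, and `build_sample_certificate` builds constructed, unsigned certificate skeletons so the classifier can be exercised offline. The hostname and port arguments are yours to supply.

```python
"""Classify the certificate a Manager TLS port presents against the three
postures in the release note: legacy (1024-bit RSA, SHA1), transitional
(2048-bit RSA, SHA1) and current (2048-bit RSA, SHA256).
Added example, not NSP product code; handles RSA certificates only."""
import ssl

# PKCS#1 object identifiers (standard values, not taken from the page)
OID_RSA = "1.2.840.113549.1.1.1"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(content):
    parts, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def inspect_der_certificate(der):
    """Return (signature OID, RSA modulus bits) for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _sig = _children(cert)[:3]
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    spki = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    algo, pub_bits = _children(spki[1])
    if _decode_oid(_children(algo[1])[0][1]) != OID_RSA:
        raise ValueError("not an RSA public key")
    # BIT STRING content = one 'unused bits' byte, then RSAPublicKey SEQUENCE
    _, rsa_pub, _ = _read_tlv(pub_bits[1], 1)
    modulus = int.from_bytes(_children(rsa_pub)[0][1], "big")
    return sig_oid, modulus.bit_length()

def classify_posture(sig_oid, key_bits):
    """Map (signature algorithm, key size) onto the release note's three states."""
    if sig_oid == OID_SHA256_RSA and key_bits >= 2048:
        return "current"       # 9.2 Manager on ports 8501-8503
    if sig_oid == OID_SHA1_RSA and key_bits >= 2048:
        return "transitional"  # 8.1.7.91-style Manager on ports 8506-8508
    if sig_oid == OID_SHA1_RSA and key_bits < 2048:
        return "legacy"        # 8.1 Manager; blocks the Manager upgrade
    return "unknown"

def audit_manager_port(host, port):
    """Fetch the certificate from a live Manager port and classify it. A handshake
    failure (e.g. a TLS 1.0-only port refused by a modern OpenSSL build) is itself
    a finding: record it and check that port manually."""
    pem = ssl.get_server_certificate((host, port))
    return classify_posture(*inspect_der_certificate(ssl.PEM_cert_to_DER_cert(pem)))

# --- constructed test data: an unsigned certificate skeleton, not an NSP cert ---
PKCS1_PREFIX = bytes.fromhex("2a864886f70d0101")  # DER of 1.2.840.113549.1.1

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit clear

def _der_pkcs1_oid(dotted):
    assert dotted.startswith("1.2.840.113549.1.1.")
    return _der(0x06, PKCS1_PREFIX + bytes([int(dotted.rsplit(".", 1)[1])]))

def build_sample_certificate(sig_oid, key_bits):
    """Only the fields the parser reads are populated; names and validity are empty."""
    modulus = (1 << (key_bits - 1)) | 1  # odd number with exactly key_bits bits
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der_pkcs1_oid(OID_RSA) + b"\x05\x00")
                + _der(0x03, b"\x00" + rsa_pub))
    alg_id = _der(0x30, _der_pkcs1_oid(sig_oid) + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg_id
               + _der(0x30, b"") * 3 + spki)
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00"))
```

Run `audit_manager_port` against each of the six ports listed above; any port that reports `legacy` is one a Sensor must be moved off before the Manager upgrade. `ssl.get_server_certificate` does not validate the chain, which is fine for an inventory pass but means the result says what the port presents, not that the certificate is trusted.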

To learn about heterogeneous environments, refer to Management of a Heterogeneous Environment.