On June 18th, 2019, Cisco will discontinue support for the 3DES cipher in the IP Layer Enforcement service.
The IP Layer Enforcement service is part of the Umbrella roaming client. It uses an IPSec VPN connection to enforce policy on direct-to-IP connections. When the client establishes this VPN connection to send IP-based traffic to the Umbrella cloud, its list of supported ciphers includes 3DES alongside others such as AES128 and AES256. Once 3DES is disabled, clients will automatically continue to work with the AES128 and AES256 ciphers, which are more secure. No changes are necessary.
About Legacy Ciphers
Legacy block ciphers with a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS/IPsec protocols that support cipher suites using 3DES as the symmetric encryption cipher are vulnerable to this attack.
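Why block size is the deciding factor, as an added example that is not Cisco's code: a toy 16-bit Feistel cipher (an assumption, standing in for a 64-bit cipher so that collisions appear within a few thousand blocks) is run in CBC mode, and every pair of equal ciphertext blocks is checked to reveal the XOR of the two corresponding plaintext blocks. All function names and sample data are constructed for illustration.

```python
import hashlib
import random

BLOCK_BITS = 16            # toy block size (assumption); 3DES uses 64, AES uses 128
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1


def _round(key: bytes, rnd: int, half: int) -> int:
    """Feistel round function: keyed hash truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0] & MASK


def toy_encrypt_block(key: bytes, block: int) -> int:
    """4-round Feistel network, i.e. a keyed permutation on 16-bit blocks."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << HALF) | right


def cbc_encrypt(key: bytes, iv: int, blocks: list) -> list:
    """CBC: c[i] = E(p[i] XOR c[i-1]). Returns [IV, c1, c2, ...]."""
    out = [iv]
    for p in blocks:
        out.append(toy_encrypt_block(key, p ^ out[-1]))
    return out


def find_collisions(ct: list) -> list:
    """Index pairs (i, j), i < j, of equal ciphertext blocks (IV excluded)."""
    seen, pairs = {}, []
    for idx in range(1, len(ct)):
        if ct[idx] in seen:
            pairs.append((seen[ct[idx]], idx))
        else:
            seen[ct[idx]] = idx
    return pairs


def demo(n_blocks: int = 4000, seed: int = 1):
    """Encrypt constructed random data; return (collision count, all leaks hold)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(key, rng.randrange(1 << BLOCK_BITS), plain)
    pairs = find_collisions(ct)
    # ct[k] encrypts plain[k-1]; ct[k-1] is the value chained into it.
    leaks = [(plain[i - 1] ^ plain[j - 1]) == (ct[i - 1] ^ ct[j - 1]) for i, j in pairs]
    return len(pairs), all(leaks)
```

With a 64-bit block the same collisions become likely after roughly 2^32 blocks (about 32 GiB) encrypted under one key, while a 128-bit block such as AES's pushes that bound to roughly 2^64 blocks.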
To comply with Cisco’s security compliance standards, the 3DES cipher will be disabled on the IP blocking servers.
No impact is expected from removing legacy ciphers. The IP Layer Enforcement IPSec tunnel will continue to work with the AES128 and AES256 ciphers.
Please reach out to Umbrella support at support.umbrella.com if you have any questions or encounter any issues as a result of this change.