Inspect SSL/TLS on Non-Common Ports

Idea created by Miguel Sanchez on Aug 21, 2018

Comment • 5

Active

Score25

As far as we know, IPS signatures that look for SSL/TLS details like the version, do so in common SSL/TLS ports like TCP 443. We get that inspecting for SSL/TLS on every port will degrade performance, but it would be nice if the admin had the option to enable SSL/TLS inspection on IPS signatures in non-common ports.

This might be needed in scenarios where a company has to change the default port for services that use SSL/TLS and would like to keep the controls provided by the IPS signatures.

5 Comments

Vladimir Yakovlev Aug 21, 2018 7:40 PM
Miguel,

Actual inspection, as defined, is only for HTTPS, not other protocol that can use SSL/TLS for security. You can clone the HTPS and define different port for it and it should still be inspected, if this is all that you are trying to accomplish:
Like • Show 2 Likes2
Actions
- Miguel Sanchez @ Vladimir Yakovlev on Aug 22, 2018 7:33 AM
  I'm not talking about https inspection itself. Take for example the IPS signatures/protections that look for the SSL/TLS version. You can configure the signatures to block/prevent SSLv3.0 usage as an example. But this protection will only do that in common ports. It will block connections using SSLv3.0 on port 443, but not on a random non-common port that your organization might use like port TCP 334.
  Like • Show 2 Likes2
  Actions
  - Valeri Loukine @ Miguel Sanchez on Aug 24, 2018 3:56 AM
    IPS is using streaming to inspect signatures. If you want to port SSL/TLS IPS protection, you need to mark your custom service as HTTPS, as already shown on the picture above. Check Point streaming engine needs to know this specific TCP port needs to be streamed too.
    
    Have you tried doing that?
    Like • Show 0 Likes0
    Actions
    - Miguel Sanchez @ Valeri Loukine on Nov 8, 2018 11:53 AM
      We tried setting a custom port like in the image below. That port uses a propietary protocol based on ISO 8583 over SSL.
      
      In our testings, the signature that prevents SSLv3 usage doest not stop connections that negotiate SSLv3 using that port, but if we use SSLv3 in a port like 443, then it works.
      
      Like • Show 0 Likes0
      Actions
Isaias Mercado Nov 8, 2018 11:41 AM
We need a simple method of adding a custom port, this means a port different from 443 ( https). So that the inspection could be applied to the inspection selected. So that it allows to choose the protocol different from https and the port in which they are implementing SSL over TLS for example could be implemented in a different port than 443 and the inspection it is still needed.
Like • Show 0 Likes0
Actions

Inspect SSL/TLS on Non-Common Ports

Related Content

Recommended Content