Inspect SSL/TLS on Non-Common Ports

Idea created by Miguel Sanchez on Aug 21, 2018

Comment • 3

Active

Score20

As far as we know, IPS signatures that look for SSL/TLS details like the version, do so in common SSL/TLS ports like TCP 443. We get that inspecting for SSL/TLS on every port will degrade performance, but it would be nice if the admin had the option to enable SSL/TLS inspection on IPS signatures in non-common ports.

This might be needed in scenarios where a company has to change the default port for services that use SSL/TLS and would like to keep the controls provided by the IPS signatures.

3 Comments

Vladimir Yakovlev Aug 21, 2018 7:40 PM
Miguel,

Actual inspection, as defined, is only for HTTPS, not other protocol that can use SSL/TLS for security. You can clone the HTPS and define different port for it and it should still be inspected, if this is all that you are trying to accomplish:
Like • Show 1 Like1
Actions
- Miguel Sanchez @ Vladimir Yakovlev on Aug 22, 2018 7:33 AM
  I'm not talking about https inspection itself. Take for example the IPS signatures/protections that look for the SSL/TLS version. You can configure the signatures to block/prevent SSLv3.0 usage as an example. But this protection will only do that in common ports. It will block connections using SSLv3.0 on port 443, but not on a random non-common port that your organization might use like port TCP 334.
  Like • Show 1 Like1
  Actions
  - Valeri Loukine @ Miguel Sanchez on Aug 24, 2018 3:56 AM
    IPS is using streaming to inspect signatures. If you want to port SSL/TLS IPS protection, you need to mark your custom service as HTTPS, as already shown on the picture above. Check Point streaming engine needs to know this specific TCP port needs to be streamed too.
    
    Have you tried doing that?
    Like • Show 0 Likes0
    Actions

Inspect SSL/TLS on Non-Common Ports

Related Content

Recommended Content