This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arne_Boettger
Collaborator
7 hours ago

VPN Parameters through API misleading

Hello,

we have a script running over our SmartCenters via API inventorizing all VPN communities to make sure we don't use any outdated or insecure methods.

Today, I found a VPN community supposedly using weak parameters. But a closer look showed this was not the case. I could reproduce it with R82 in Demo mode.

The details:

The Community uses suite-b-gcm-256 which is defined as AES-GCM-256, SHA-384, EC Diffie-Hellman Group 20.

The API returns this correctly, but also returns the values from the"Custom encryption Suite".

I would have expected that the values returned are actually the ones in use, and would really like to see the behaviour changed to that if I choose a predefined encryption suite, all other fields are changed to the values defined by this encryption suite.

Am I wrong with this wish? Please find below a screenshot and an excerpt from the API response:

VPN Community Test in SmartConsoleVPN Community Test in SmartConsole
- uid: "b3d0fe99-b042-47f8-a72f-b3b85068d80d"
  name: "Test"
  type: "vpn-community-star"
  encryption-suite: "suite-b-gcm-256"
  ike-phase-1: 
    encryption-algorithm: "aes-256"
    diffie-hellman-group: "group-15"
    data-integrity: "sha384"
  ike-phase-2: 
    encryption-algorithm: "aes-gcm-128"
    ike-p2-use-pfs: false
    ike-p2-pfs-dh-grp: "group-15"
        ike-p2-rekey-time: 3600
    data-integrity: "sha384"

 

Preview file
39 KB
2 Replies
the_rock
Legend
Legend
6 hours ago

You are 100% correct. I just tested in my lab and got same results.

Andy

Hugo_vd_Kooij
Advisor
4 hours ago

But if I read the API and the screenshot output correctly the results in themselves are consistent in that both Smart Console and the API show the exact same details.

So the issue has been there for a long time. As I recall the settings weren't consistent for like ... ages with the Suite and the individual settings not matching in Smartconsole.

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events