Jason_Dance
Copper

No authentication for port 18231 Policy Server Login (old)

Hello fellow community members!

Our security vulnerability scan has flagged that there is no authentication algorithm / ciphers for connections to port 18231 on our gateways (which according to the awesome diagram from Heiko Ankenbrand is "Policy Server Login (old)"). 

As we're using E80.xx Endpoint protect against a separate Policy server, I'm guessing we don't use this port any more (perhaps it was for the older R75 VPN client??).

Does anyone know of a way to secure this port, either by blocking it, or by making it offer secure SSL ciphers??

Regards,

Jason

5 Replies
Admin
Admin

Re: No authentication for port 18231 Policy Server Login (old)


Yes, with a SYN scan you see the port as open. 

If you check the TLS certificates, you see a TLS handshake.

Afterwards the Check Point communication follows.

Regards

Heiko

Jason_Dance
Copper

Re: No authentication for port 18231 Policy Server Login (old)

Thanks, Dameon Welch-Abernathy.

Do you know if the E80.xx client will have any issues with setting this to TLS1.2?

0 Kudos
Admin
Admin

Re: No authentication for port 18231 Policy Server Login (old)

Possibly some older VPN clients might.

0 Kudos
Jason_Dance
Copper

Re: No authentication for port 18231 Policy Server Login (old)

Interesting.  I applied the first two options in SK132712 to my R77.30 gateways, and the nmap scan has not shown any improvement.

PORT      STATE SERVICE         VERSION
18231/tcp open  ssl/fw1-pslogon Check Point FireWall-1 Policy Server logon
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F

0 Kudos
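The scan output in the last post can be checked mechanically after each configuration change. The following is an added example, not code from any poster in this thread or from Check Point: it parses nmap `ssl-enum-ciphers` text and reports the anonymous Diffie-Hellman suites that explain the "no authentication" finding. The function name `audit` and the `legacy` protocol list are assumptions chosen for illustration.

```python
import re

# Scan output copied from the post above (nmap ssl-enum-ciphers, port 18231).
SCAN = """\
18231/tcp open  ssl/fw1-pslogon Check Point FireWall-1 Policy Server logon
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
# Newer nmap versions add key details in parentheses before the grade.
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+|SSL_\w+)(?: \([^)]*\))? - ([A-F])\s*$")
# Anonymous (EC)DH: no certificate signs the key exchange, so no peer is authenticated.
ANON_RE = re.compile(r"_(?:DH|ECDH)_anon_")

def audit(text, legacy=("SSLv3", "TLSv1.0", "TLSv1.1")):
    """Return (port, protocol, finding) tuples for one nmap report.
    The legacy tuple is an assumed policy, adjust it to your baseline."""
    findings, port, proto = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
            if proto in legacy:
                findings.append((port, proto, "legacy protocol version offered"))
        elif m := CIPHER_RE.match(line):
            suite, grade = m.groups()
            if ANON_RE.search(suite):
                findings.append((port, proto,
                                 f"unauthenticated key exchange: {suite} (grade {grade})"))
        elif "cipher preference: client" in line:
            findings.append((port, proto, "server follows client cipher order"))
    return findings

if __name__ == "__main__":
    for port, proto, finding in audit(SCAN):
        print(f"{port}/tcp {proto}: {finding}")
```

An empty result from `audit` on a rescan means the port no longer offers anonymous suites, legacy protocol versions, or client-ordered cipher selection.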