
Inspect SSL/TLS on Non-Common Ports

As far as we know, IPS signatures that look for SSL/TLS details like the version do so on common SSL/TLS ports like TCP 443. We get that inspecting for SSL/TLS on every port will degrade performance, but it would be nice if the admin had the option to enable SSL/TLS inspection on IPS signatures for non-common ports.

This might be needed in scenarios where a company has to change the default port for services that use SSL/TLS and would like to keep the controls provided by the IPS signatures.

5 Replies
Vladimir
Pearl

Re: Inspect SSL/TLS on Non-Common Ports

Miguel,

Actual inspection, as defined, is only for HTTPS, not other protocols that can use SSL/TLS for security. You can clone HTTPS and define a different port for it, and it should still be inspected, if this is all that you are trying to accomplish:

0 Kudos

Re: Inspect SSL/TLS on Non-Common Ports

I'm not talking about HTTPS inspection itself. Take for example the IPS signatures/protections that look for the SSL/TLS version. You can configure the signatures to block/prevent SSLv3.0 usage, as an example. But this protection will only do that on common ports. It will block connections using SSLv3.0 on port 443, but not on a random non-common port that your organization might use, like TCP port 334.

0 Kudos

Re: Inspect SSL/TLS on Non-Common Ports

IPS uses streaming to inspect signatures. If you want to port the SSL/TLS IPS protection, you need to mark your custom service as HTTPS, as already shown in the picture above. The Check Point streaming engine needs to know that this specific TCP port needs to be streamed too.

Have you tried doing that?

0 Kudos

Re: Inspect SSL/TLS on Non-Common Ports

We need a simple method of adding a custom port, meaning a port different from 443 (https), so that the selected inspection can be applied to it. It should allow choosing a protocol other than https and the port on which they are implementing SSL over TLS; for example, it could be implemented on a port other than 443 and the inspection is still needed.

0 Kudos

Re: Inspect SSL/TLS on Non-Common Ports

We tried setting a custom port like in the image below. That port uses a proprietary protocol based on ISO 8583 over SSL.

In our testing, the signature that prevents SSLv3 usage does not stop connections that negotiate SSLv3 on that port, but if we use SSLv3 on a port like 443, then it works.

0 Kudos
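To make the behaviour discussed in this thread concrete (the SSLv3 protection firing on 443 but not on the custom ISO 8583 port), here is an added example that is not Check Point code and not from any poster: a small port-agnostic check that reads the version field out of the first TLS/SSL Hello in a stream and then applies an "SSLv3 negotiated" rule once restricted to a port list (what the original post describes) and once on every port. The function names, the flow tuples, and the sample payloads (including the port 334 and 8583 values) are constructed for the example; a real streaming engine would also have to reassemble TCP before seeing these bytes.

```python
import struct
from typing import Iterable, List, Optional, Set, Tuple

# SSL/TLS version numbers as carried on the wire (major, minor).
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",  # TLS 1.3 also puts 3,3 here and signals 1.3 in an extension
}

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def build_hello(kind: int, version: Tuple[int, int]) -> bytes:
    """Constructed test data: a minimal ClientHello or ServerHello record.

    Layout: record header (type, version, length) + handshake header
    (type, 3-byte length) + hello body (version, 32-byte random, empty
    session id, cipher suite(s), compression method(s)).
    """
    major, minor = version
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00"
    if kind == CLIENT_HELLO:
        body += b"\x00\x02" + b"\x00\x2f" + b"\x01\x00"  # one suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"                    # chosen suite, null compression
    handshake = bytes([kind]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def hello_version(payload: bytes) -> Optional[str]:
    """Return the version named in the first Hello of a stream, or None when
    the bytes are not a well-formed TLS handshake record (e.g. plain ISO 8583)."""
    if len(payload) < 9 or payload[0] != HANDSHAKE_RECORD or payload[1] != 3:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if rec_len < 4 or len(payload) < 5 + rec_len:
        return None
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or hs_len < 2 or hs_len + 4 > rec_len:
        return None
    version = (payload[9], payload[10])  # client_version / server_version field
    return VERSION_NAMES.get(version, "unknown(%d,%d)" % version)


def find_sslv3(flows: Iterable[Tuple[int, bytes]],
               inspect_ports: Optional[Set[int]] = None) -> List[int]:
    """Apply an 'SSLv3 negotiated' rule to (dst_port, first_bytes) flows.

    inspect_ports=None evaluates every flow (port-agnostic); a set limits the
    rule to those ports, mirroring a protection bound to well-known SSL ports.
    """
    hits = []
    for port, payload in flows:
        if inspect_ports is not None and port not in inspect_ports:
            continue
        if hello_version(payload) == "SSLv3":
            hits.append(port)
    return hits


# Constructed sample flows: SSLv3 on 443, SSLv3 on a custom port, TLS 1.2 on
# the custom port, and a non-TLS payload on a port named after ISO 8583.
FLOWS = [
    (443, build_hello(CLIENT_HELLO, (3, 0))),
    (334, build_hello(CLIENT_HELLO, (3, 0))),
    (334, build_hello(SERVER_HELLO, (3, 3))),
    (8583, b"\x00\x12" + b"0800" + b"\x00" * 10),
]

if __name__ == "__main__":
    print("port-bound  :", find_sslv3(FLOWS, inspect_ports={443}))
    print("port-agnostic:", find_sslv3(FLOWS))
```

Run as written, the port-bound pass reports only 443 while the port-agnostic pass also reports the custom port 334, which is the gap the thread is asking to close; the parser returns None for the non-TLS bytes, so widening the port scope does not create false hits on traffic that never starts a handshake.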