Danny
Champion

Disable weak ciphers on remote access clients?

We hardened a customer's security gateway via cipher_util (sk126613) and disabled all weak ciphers to reach PCI DSS compliance. Then remote access clients (macOS using Visitor Mode) failed to connect, so we opened an SR.

Check Point support advised to enable these three ciphers according to sk108426.

  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

and noted:

It is best to keep the 3 ciphers on to avoid any issues regarding remote access/mobile access connectivity.
Currently there is no ETA as to whether the client will be on the same cipher suite as the GW itself.

Of course that doesn't satisfy our customer as it conflicts with PCI DSS requirements for strong ciphers, such as SHA-2.
Is there any other solution or workaround available?

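To make the conflict in the question concrete, here is an added example (not Check Point code and not the cipher_util tool) that parses IANA-style TLS cipher-suite names into their key-exchange, bulk-cipher and MAC parts and grades each one against a weak-cipher policy. The policy is an assumption that reflects the thread (RC4, MD5 and 3DES treated as broken; SHA-1 HMAC, CBC mode and static RSA key exchange treated as legacy; SHA-2 AEAD suites with ephemeral key exchange treated as strong), not an official PCI DSS cipher list. The input list contains the three suites TAC asked to re-enable plus two constructed modern suites for contrast.

```python
"""Grade TLS cipher-suite names against a weak-cipher policy.

Added example, not Check Point code and not cipher_util. The policy below is
an assumption modelled on the thread's wording, not an official PCI DSS list.
"""
import re
from dataclasses import dataclass, field

# IANA suite names for TLS 1.2 and earlier look like TLS_<kex>_WITH_<cipher>_<mac>.
# TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) have no "_WITH_" because the
# key exchange is negotiated separately from the AEAD cipher.
_SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<rest>.+)$")

# Assumed policy: any of these tokens makes the suite "broken" outright.
BROKEN_TOKENS = {"RC4", "MD5", "3DES", "DES", "NULL", "EXPORT", "anon"}
# A bare "SHA" MAC token means HMAC-SHA1, i.e. no SHA-2 integrity.
LEGACY_MAC_TOKENS = {"SHA"}
# Key-exchange tokens that provide forward secrecy.
EPHEMERAL_KEX = {"ECDHE", "DHE"}


@dataclass
class Finding:
    suite: str
    verdict: str                      # "strong", "legacy" or "broken"
    reasons: list = field(default_factory=list)


def parse_suite(name):
    """Split a suite name into key exchange, bulk cipher and MAC/PRF tokens."""
    m = _SUITE_RE.match(name)
    if not m:
        # TLS 1.3 style: everything after "TLS_" except the last token is the cipher.
        parts = name.split("_")[1:]
        return {"kex": None, "cipher": "_".join(parts[:-1]), "mac": parts[-1]}
    rest = m.group("rest").split("_")
    return {"kex": m.group("kex"), "cipher": "_".join(rest[:-1]), "mac": rest[-1]}


def assess(name):
    """Return a Finding describing why a suite is strong, legacy or broken."""
    parts = parse_suite(name)
    finding = Finding(name, "strong")

    broken = sorted(set(name.split("_")) & BROKEN_TOKENS)
    if broken:
        finding.verdict = "broken"
        finding.reasons.append("uses broken primitive(s): " + ", ".join(broken))

    if parts["mac"] in LEGACY_MAC_TOKENS:
        finding.reasons.append("HMAC-SHA1 integrity (no SHA-2)")
    if "CBC" in parts["cipher"].split("_"):
        finding.reasons.append("CBC mode (not AEAD)")
    if parts["kex"] is not None and not set(parts["kex"].split("_")) & EPHEMERAL_KEX:
        finding.reasons.append("static key exchange, no forward secrecy")

    # Anything with a complaint that is not outright broken is "legacy".
    if finding.verdict == "strong" and finding.reasons:
        finding.verdict = "legacy"
    return finding


def assess_all(names):
    """Grade a whole enabled-suite list; returns {suite name: Finding}."""
    return {n: assess(n) for n in names}


def compliant_subset(names):
    """The suites in `names` that the assumed policy grades as strong."""
    return [n for n in names if assess(n).verdict == "strong"]


# The three suites the thread says TAC asked to re-enable.
TAC_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed sample input: two modern suites for contrast.
MODERN_SUITES = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for suite, f in assess_all(TAC_SUITES + MODERN_SUITES).items():
        detail = "" if not f.reasons else "  (" + "; ".join(f.reasons) + ")"
        print(f"{f.verdict:7s} {suite}{detail}")
```

Running the block shows the gap the customer objects to: RC4/MD5 is graded broken, and the two AES-CBC-SHA suites are graded legacy on three counts each (SHA-1 integrity, CBC mode, no forward secrecy), so none of the three suites TAC asked for lands in the compliant subset. The grading is deliberately simple string analysis; it reflects how the suite is named, not how a given gateway build implements it.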
4 Replies
the_rock
Legend

Hey Danny,

A guy in TAC told me a while back that some of these settings in global properties may have something to do with it, but I never ended up testing it, so it's hard to say.

Andy


Screenshot_1.png

Martin_Schwarz
Explorer

These are the settings for the IKE algorithms. So they should not impact how the IPsec traffic is tunneled over HTTPS in Visitor Mode. It seems like the Visitor Mode is part of the MultiPortal daemon (sk107852) and is therefore affected by the settings of the cipher_util.

the_rock
Legend

That's true, that's why I found it a bit odd when TAC told me that was related to remote access, but maybe it's because it was under the remote access section, not sure.

Andy

Timothy_Hall
Champion

You may find this SK helpful; it details how to completely banish 3DES from being used in any part of the Check Point product, including Remote Access VPN, Gaia Portal, management API, etc. This is mentioned in my Gateway Performance Optimization class as improving performance, but it certainly improves security as well:

sk113114: Check Point response to CVE-2016-2183 (Sweet32)

You might be able to deconstruct the provided commands and banish SHA1 and other weak ciphers too.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
