This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marcus_Smith
Participant
‎2021-06-24 02:28 AM

What are the recommended Encryption Settings for "Remote Access"?

What are the recommended Encryption Settings for "Remote Access"?

Hi all, I've read lots of SK articles and posts such as the following but I've still yet to understand exactly what the recommended settings for Remote Access should be. A lot of these documents\posts appear to be referring to IPSEC recommendations, which has more encryption options than Remote Access.

I have looked at posts such as the below and the preferred Encryption phase settings don't appear to be available for Remote Access.

Relative speeds of algorithms for IPsec and SSL (checkpoint.com)

Solved: VPN Performance Question - Check Point CheckMates

It appears the highest Diffie-Hellman Group available for Remote Access Phase 1 is Group 14 (2048)?

As per this post from 2019? R80.10 - Remote Access VPN - Endpoint Security Dif... - Check Point CheckMates

How does this look?

Phase 1

  • IKE Phase 1 - AES-256
  • Use Data Integrity - SHA256
  • Use Diffie-Hellman group - Group 14 (2048 bit)

Phase 2

  • AES-256
  • Data Integrity - SHA256
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-06-24 08:57 AM

The answer "depends" on whether you're allowing backward compatible clients to connect or not.
The defaults are defined with backward compatibility in mind and can be adjusted if this is not a requirement.

Marcus_Smith
Participant
‎2021-06-26 01:44 AM
In response to PhoneBoy

Thanks for the reply.  

Under Global Properties Remote Access "Support Legacy Authentication for SC (hybrid mode)" and "Support Legacy EAP" is ticked.  However, on the Gateways under VPN Clients "Allow older clients to connect to this gateway" is unticked.

If I deselect the Global Properties options are you saying additional Encryption algorithms will be available?  

the_rock
Legend
Legend
‎2021-06-26 04:57 AM
In response to Marcus_Smith

I could be wrong, but I do not believe if you unselect that additional options will be available.

Marcus_Smith
Participant
‎2021-06-26 05:10 AM
In response to the_rock

I think your correct.

If you look in your Management, am I correct that the highest option for IKE Phase one Diffie-Hellman group is 14?  

And I don't believe for Remote Access you have an option to choose the Phase 2 Diffie-Hellman group? 

 

Thanks

 

0 Kudos
the_rock
Legend
Legend
‎2021-06-26 04:01 PM
In response to Marcus_Smith

Im pretty positive that is correct...I recall once I was helping customer set up site to site vpn tunnel and Cisco had sha-512 option, but CP did not. I know thats finally available in R81, which is great, since its much more secure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top