This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Steve_Pearson
Collaborator
‎2024-06-21 08:00 AM

Disabling weak ciphers

There are quite a few "weak" ciphers that are enabled on the gateways and I'm looking to disable them, which I can do this with the cipher_util tool on each gateway.

My query is, is there a way to do this from the management, such that the config remains following an upgrade, or is it something that you have to remember to do every time you upgrade or rebuild?

This is primarily for the SSLVPN portal, as these weak ciphers are being listed as available by a vulnerability scan.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-06-21 08:20 AM

You can make the settings on one gateway and copy the necessary configuration files to the other gateways.
See: https://support.checkpoint.com/results/sk/sk126613 
Note that we include support for new ciphers in every release, so it should probably be re-generated versus simply blindly copied on an upgrade.

0 Kudos
Steve_Pearson
Collaborator
‎2024-06-24 01:51 AM
In response to PhoneBoy

Does this recreation apply just to version upgrades (eg R81.10 -> R81.20) or to Jumbo's too?

Is there a way to disable them from the CLI? (thinking I could create a script to do this)

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-24 09:36 AM
In response to Steve_Pearson

Not sure these files are updated on a JHF upgrade.

cipher_util is a CLI tool.
However, I assume you mean a non-interactive CLI tool, which I don't believe we have currently.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-06-21 09:57 AM

You may also find the following SK quite helpful to track down all the places weak ciphers might be used; it details the precise steps to completely banish 3DES from being used anywhere on a Check Point firewall, and there are quite a few places to change: sk113114: Check Point response to CVE-2016-2183 (Sweet32)  

In case it is not obvious after reading that SK, 3DES is an absolute no-go in today's world from both a security and performance perspective, as 3DES is easily 2-3 times slower than AES.  3DES was hurriedly rolled out in a bit of a panic back in the day when it was realized that DES 56-bit was not secure enough anymore, due mainly to Moore's Law.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-21 10:22 AM

Same question came up once with one of customers I was helping with and TAC confirmed it has to be done manually. Not sure if that changed, as this was 3 years ago.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events