Hello everyone,
we just updated our Gateways to R80.30 including JH T155. We also wanted to seize the opportunity to harden the web portal so we used cipher_util to deactivate several Ciphers:
Enabled:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
After this, the vulnerability scan looks much better. Only one vulnerability is left:
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
The recommendation from Qualys is to check for client-initiated renegotiation support in your servers, and disable it where possible. Is there a way to perform this in Gaia?
There is an IPS Protection to block this kind of exploit, but I think this refers to external Web Servers, not to the firewall’s own service. In any case, we're not doing IPS on this gateway anyways.
Therefore, I'm looking for a way to disable the response to the client-initiated renegotiation on the Check Point gateway.
Thank you in advance!
Br,
Miguel