checkpointer
Participant
Security Gateway to encrypt LDAP communication for Identity Awareness, port 389 vs 636

Hello Gents,

Just seeking an opinion on how risky it would be to stick with port 389 over 636 for communication with the domain controller.

Cheers,

CPter



Accepted Solutions
Lesley
MVP Gold

Hello,

Make a packet capture while running unencrypted on port 389. You will see everything. This makes it vulnerable to man-in-the-middle attacks. Attackers could steal or change data in the AD. I would strongly recommend using 636 with fingerprint Check Point. The only downside of 636 in combination with Check Point is the random fingerprint changes. Please refer to this SK to get a better understanding:


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://community.checkpoint.com/t5/Security-Gateways/Check-Point-LDAPS-connection-breaks-everytime-...


-------
Please press "Accept as Solution" if my post solved it 🙂

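As an added illustration (not part of Lesley's post or any Check Point tool), here is a small Python parser that flags LDAP simple binds in captured bytes: over plain port 389 the bind DN and password travel as cleartext BER octet strings, which is exactly what the packet capture reveals. The sample message and the `ia-svc` account are constructed here, not taken from a real capture.

```python
from dataclasses import dataclass

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos). Handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

@dataclass
class SimpleBind:
    message_id: int
    version: int
    bind_dn: str
    password_len: int  # only the length is kept; the secret itself is discarded

def parse_ldap_message(raw):
    """Return a SimpleBind if raw is an LDAP BindRequest using simple auth, else None."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        return None
    tag, mid, pos = _read_tlv(body, 0)      # messageID INTEGER
    if tag != 0x02:
        return None
    tag, op, _ = _read_tlv(body, pos)       # protocolOp (any trailing controls are ignored)
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)          # version INTEGER
    _, name, pos = _read_tlv(op, pos)       # name LDAPDN (OCTET STRING)
    tag, auth, _ = _read_tlv(op, pos)       # authentication CHOICE
    if tag != 0x80:                         # [0] simple OCTET STRING; SASL ([3]) is not flagged
        return None
    return SimpleBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                      name.decode(), len(auth))

def build_simple_bind(message_id, bind_dn, password):
    """Encode a simple BindRequest (short-form lengths only); used to construct the sample."""
    def tlv(tag, value):
        assert len(value) < 128
        return bytes([tag, len(value)]) + value
    op = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, op))

# Constructed sample, not a real capture: a simple bind as it appears on the wire over plain 389.
SAMPLE = build_simple_bind(1, "CN=ia-svc,OU=Service Accounts,DC=example,DC=local", "S3cret!")

if __name__ == "__main__":
    hit = parse_ldap_message(SAMPLE)
    print(f"cleartext simple bind: msg {hit.message_id}, DN {hit.bind_dn}, {hit.password_len}-byte password")
```

The same walk applies to each LDAPMessage in a TCP stream; over LDAPS (636) there is nothing to walk, because the BER payload is inside TLS.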
2 Replies
Chris_Atkinson
MVP Gold CHKP

Suggest researching the relevant Microsoft recommendations and what they're enforcing, for example:

https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-fo...


CCSM R77/R80/ELITE
