Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all Check Point <-> Check Point equipment. Currently this community runs over a private MPLS network, but later this year we are moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should I strengthen it?
All versions are currently R81.10 hotfix 45.
Thanks
Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie Hellman Group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2 which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe, then use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.
Thanks Tim, appreciate your advice.
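An added example, not part of the thread or of Check Point's tooling: a small Python check of an IKE suite against the advice in the reply above (SHA256 instead of SHA1, an elliptic-curve DH group, AES-GCM-128 for Phase 2, or AES-256 with PFS for the high-assurance case). The dictionary keys and the sample suites are constructed, and the check goes slightly beyond the reply by treating group 24 as MODP (RFC 5114) even though its number is above 19.

```python
# Added example: key names and sample values below are constructed for illustration.
ECP_GROUPS = {19, 20, 21}                         # elliptic-curve groups (RFC 5903)
MODP_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 24}   # finite-field; 24 is MODP despite its number
WEAK_HASHES = {"md5", "sha1"}

def check_group(where, group):
    """Flag any DH group that is not elliptic curve, whatever its number."""
    if group in ECP_GROUPS:
        return []
    kind = "MODP" if group in MODP_GROUPS else "unrecognised"
    return [f"{where}: DH group {group} is {kind}; use an EC group (19, 20 or 21)"]

def audit(community, high_assurance=False):
    """Compare a community's IKE settings with the advice given in the thread."""
    p1, p2 = community["phase1"], community["phase2"]
    findings = []
    for where, phase in (("phase1", p1), ("phase2", p2)):
        if phase["integrity"].lower() in WEAK_HASHES:
            findings.append(f"{where}: integrity {phase['integrity']}; move to SHA256")
    findings += check_group("phase1", p1["dh_group"])
    if p2.get("pfs"):
        findings += check_group("phase2 PFS", p2["pfs_group"])
    cipher = p2["cipher"].lower()
    if high_assurance:
        # High-assurance case from the reply: AES-256 for Phase 2, with PFS.
        if "256" not in cipher:
            findings.append(f"phase2: cipher {p2['cipher']}; use AES-256")
        if not p2.get("pfs"):
            findings.append("phase2: PFS is off; enable it")
    elif "gcm" not in cipher:
        findings.append(f"phase2: cipher {p2['cipher']}; consider AES-GCM-128")
    return findings

# Constructed samples: a legacy-style suite, a tuned one, and a group 24 edge case.
LEGACY = {"phase1": {"cipher": "AES-256", "integrity": "SHA1", "dh_group": 2},
          "phase2": {"cipher": "AES-128", "integrity": "SHA1", "pfs": False}}
TUNED = {"phase1": {"cipher": "AES-256", "integrity": "SHA256", "dh_group": 19},
         "phase2": {"cipher": "AES-GCM-128", "integrity": "SHA256",
                    "pfs": True, "pfs_group": 19}}
GROUP24 = {"phase1": {"cipher": "AES-256", "integrity": "SHA256", "dh_group": 24},
           "phase2": {"cipher": "AES-GCM-128", "integrity": "SHA256", "pfs": False}}

if __name__ == "__main__":
    for name, c in (("legacy", LEGACY), ("tuned", TUNED), ("group24", GROUP24)):
        print(name, audit(c) or "ok")
```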