SomAustrianCity
Participant

Blocking old SSL/TLS Versions on GW

Hi

I'm in the process of implementing HTTPS Inspection on my border gateway, and while I'm at it, I'd like to block old versions of SSL and TLS.
On one hand, it may be possible to disable them in the inspection daemon - but in case some software is so old that it still needs them, I need a way to still allow them.

Now if I could do that using IPS, I'd have a policy where I can set exceptions and allow specifically these. And I could also enforce it on uninspected traffic (like when certificate pinning is used, or client-cert authentication).

But looking through the IPS database, I got confused. There are two sets of protections which would allow me to do that? But I don't understand where the difference is. And why are the new ones so bad in comparison to the older ones (when looking at performance and confidence)?

As info, I want to use outgoing (internal client to internet) and incoming (internet to DMZ webserver) inspection.


Transport Layer Security (TLS) Version 1.0
Transport Layer Security (TLS) is a cryptographic protocol meant to provide security and data integrity for communications over TCP/IP networks. TLSv1.0 is considered obsolete and insecure, and is deprecated in favor of a more advanced TLS protocol. This protection will detect and block any use of TLSv1.0 protocol.
Protected Asset: BOTH
Last Update: 2019-01-02
Released: 2016-10-20
Performance Impact: 4/5
Confidence Level: 2/3

Transport Layer Security (TLS) Version 1.1
Transport Layer Security (TLS) is a cryptographic protocol meant to provide security and data integrity for communications over TCP/IP networks. TLSv1.1 is considered obsolete and insecure, and is deprecated in favor of a more advanced TLS protocol. This protection will detect and block any use of TLSv1.1 protocol.
Protected Asset: BOTH
Last Update: 2019-01-02
Released: 2016-10-20
Performance Impact: 4/5
Confidence Level: 2/3

Transport Layer Security (TLS) Version 1.2
Transport Layer Security (TLS) is a cryptographic protocol meant to provide security and data integrity for communications over TCP/IP networks. This protection will detect and block any use of TLSv1.2 protocol.
Protected Asset: BOTH
Last Update: 2019-01-02
Released: 2016-10-20
Performance Impact: 4/5
Confidence Level: 2/3

SSLv3 Deprecated Version
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer. SSL version 3 is an older implementation of the protocol which is still commonly used. Only SSLV3 will be detected by this detection.
Protected Asset: CLIENT
Last Update: 2023-03-22
Released: 2023-03-22
Performance Impact: 5/5
Confidence Level: 1/3

TLSv1.0 Deprecated Version
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer. SSL version 3 is an older implementation of the protocol which is still commonly used. Only TLS1.0 Server Hello will be detected by this detection.
Protected Asset: CLIENT
Last Update: 2023-03-22
Released: 2023-03-22
Performance Impact: 5/5
Confidence Level: 1/3

TLSv1.1 Deprecated Version
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer. SSL version 3 is an older implementation of the protocol which is still commonly used. Only TLS1.1 Server Hello will be detected by this detection.
Protected Asset: CLIENT
Last Update: 2023-03-22
Released: 2023-03-22
Performance Impact: 5/5
Confidence Level: 1/3

Thank you

0 Kudos
8 Replies
PhoneBoy
Admin

You can also potentially use App Control to do it: https://support.checkpoint.com/results/sk/sk112249

0 Kudos
SomAustrianCity
Participant

Thanks for the hint, but that doesn't work - at least not as I would like it.

To write it down, my design goals are as follows: allowing HTTP and HTTPS access to the internet, on any port. But all traffic should be inspected via HTTPS inspection and IPS, to protect my network.

At the same time, old TLS versions should be blocked - unless specifically allowed.

With that in mind, I made a few tests. As test commands, I used curl:

curl -k --tlsv1.0 --tls-max 1.0 https://tls-v1-0.badssl.com:1010/
curl -k --tlsv1.1 --tls-max 1.1 https://tls-v1-0.badssl.com:1010/
curl -k --tlsv1.2 --tls-max 1.2 https://tls-v1-0.badssl.com:1010/

curl -k --tlsv1.0 --tls-max 1.0 https://tls-v1-1.badssl.com:1011/
curl -k --tlsv1.1 --tls-max 1.1 https://tls-v1-1.badssl.com:1011/
curl -k --tlsv1.2 --tls-max 1.2 https://tls-v1-1.badssl.com:1011/

curl -k --tlsv1.0 --tls-max 1.0 https://tls-v1-2.badssl.com:1012/
curl -k --tlsv1.1 --tls-max 1.1 https://tls-v1-2.badssl.com:1012/
curl -k --tlsv1.2 --tls-max 1.2 https://tls-v1-2.badssl.com:1012/ 

These are my conclusions:

Client | Service/Application Object | SSL Inspection | IPS Protections | tls-v1-0.badssl.com | tls-v1-1.badssl.com | tls-v1-2.badssl.com | Behaviour | Conclusion
--- | --- | --- | --- | --- | --- | --- | --- | ---
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | no | no | yes | no (log: allow) | no (log: allow) | Expected behaviour | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | no | no | no (log: allow) | yes | no (log: allow) | Expected behaviour | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | no | no | no (log: allow) | no (log: allow) | yes | Expected behaviour | Undesired
Client TLS 1.0 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | no | no | no (log: reject) | no (log: reject) | no (log: reject) | Expected behaviour | Undesired
Client TLS 1.1 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | no | no | no (log: reject) | no (log: reject) | no (log: reject) | Expected behaviour | Undesired
Client TLS 1.2 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | no | no | no (log: allow) | no (log: allow) | yes | Expected behaviour | Undesired
Client TLS 1.0 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | Port 1010: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol | no | no (log: reject) | yes | yes | Unexpected Yes with 1.1 | Undesired
Client TLS 1.1 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | Port 1010: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol | no | yes | no (log: reject) | yes | Unexpected Yes with 1.0 | Undesired
Client TLS 1.2 Only | Port 1010: Block via TLS10 Protocol; Port 1011: Block via TLS11 Protocol; Port 1011: Allow via HTTPS Protocol | Port 1010: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol; Port 1011: Inspect via HTTPS Protocol | no | yes | yes | yes | Unexpected Yes with 1.0 and 1.1 | Undesired
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | no | Old Protections active | yes | no (log: allow) | no (log: allow) | Unexpected Yes with 1.0, No IPS blocks | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | no | Old Protections active | no (log: allow) | yes | no (log: allow) | Unexpected Yes with 1.1, No IPS blocks | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | no | Old Protections active | no (log: allow) | no (log: allow) | yes | No IPS blocks | Undesired
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | no | New Protections active | yes | no (log: allow) | no (log: allow) | Unexpected Yes with 1.0, No IPS blocks | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | no | New Protections active | no (log: allow) | yes | no (log: allow) | Unexpected Yes with 1.1, No IPS blocks | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | no | New Protections active | no (log: allow) | no (log: allow) | yes | No IPS blocks | Undesired

Even if I include the ports 1010 to 1012 under "Manage & Settings / Application Control & URL Filtering / Advanced Settings / Application Control Web Browsing Services", the IPS never blocks my connections. So something's not working there, at least not on non-default ports, even though I used objects with protocols.

Blocking via tcp/https object works, as long as I don't use SSL inspection. Once I turn on inspection - which I want, to filter URLs and viruses - blocking

I had the best results with these tests, but even here the TLS 1.2 server was reachable with a TLS 1.1 client (with HTTPS Inspection). It's a better result than the others, but I'd prefer all clients to use 1.2 or 1.3, and no version below.

Client | Service/Application Object | SSL Inspection | IPS Protections | tls-v1-0.badssl.com | tls-v1-1.badssl.com | tls-v1-2.badssl.com | Behaviour | Conclusion
--- | --- | --- | --- | --- | --- | --- | --- | ---
Client TLS 1.0 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | Ports 1010, 1011, 1012: Inspect via HTTPS Protocol | no | no | no | no | Expected behaviour | Desired
Client TLS 1.1 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | Ports 1010, 1011, 1012: Inspect via HTTPS Protocol | no | no | no | yes | Unexpected Yes with 1.2 | Undesired
Client TLS 1.2 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | Ports 1010, 1011, 1012: Inspect via HTTPS Protocol | no | no | no | yes | Expected behaviour | Desired
Client TLS 1.0 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | no | no | no | no | no | Expected behaviour | Desired
Client TLS 1.1 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | no | no | no | no | no | Expected behaviour | Desired
Client TLS 1.2 Only | Ports 1010, 1011, 1012: Block via TLS10 and TLS11 Protocol; Allow via HTTPS Protocol | no | no | no | no | yes | Expected behaviour | Desired

One last piece of info: my gateway is running R81.10 HFA81.

0 Kudos
SomAustrianCity
Participant

**bleep**, I messed up the tests with IPS protections - one should also install the IPS policy when activating protections, otherwise it won't work...

Please see my revised table for IPS protections: the old protections work, but only when not inspecting the traffic. Once I inspect the traffic, the protections stop working. Also, the new protections don't work, or at least not as well as the old ones.

Client | Service/Application Object | SSL Inspection | IPS Protections | tls-v1-0.badssl.com | tls-v1-1.badssl.com | tls-v1-2.badssl.com | Behaviour | Conclusion
--- | --- | --- | --- | --- | --- | --- | --- | ---
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | no | Old Protections active | no | no | no | Expected behaviour | Desired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | no | Old Protections active | no | no | no | Expected behaviour | Desired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | no | Old Protections active | no | no | yes | Expected behaviour | Desired
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | no | New Protections active | yes | no | no | Unexpected Yes with 1.0 | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | no | New Protections active | no | yes | no | Unexpected Yes with 1.1 | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | no | New Protections active | no | no | yes | Expected behaviour | Desired
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | Old Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | Old Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | Old Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired
Client TLS 1.0 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | New Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired
Client TLS 1.1 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | New Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired
Client TLS 1.2 Only | Simple HTTPS-Protocol Object | Simple HTTPS-Protocol Object | New Protections active | yes | yes | yes | Unexpected Yes with wrong protocols | Undesired

My conclusion so far:

Uninspected traffic: I can block via IPS or service objects.

Inspected traffic: I can block 1.0 and 1.1 servers, but only 1.0 clients. Not ideal, but better than nothing.

Does anyone have other ideas how I could achieve blocking 1.0 and 1.1 in all cases?

0 Kudos
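The pattern in the tables above (a TLS 1.1 client reaching the TLS 1.2-only server as soon as HTTPS Inspection is on, and everything reaching everything once the inspecting gateway accepts all versions) follows from the gateway running two independent TLS sessions. The Python below is an added example, not Check Point code and not from this thread; it models that two-legged negotiation and reproduces the yes/no matrices. Assumptions are labelled in the code: both sides settle on the highest version they have in common, the inspection daemon offers the same version set towards the client and towards the server, and each badssl host accepts exactly one version, as the tests here observed.

```python
"""Model of TLS version negotiation with and without an inspecting gateway.

Added example for this thread, not Check Point code. Assumptions: both sides
agree on the highest version they have in common (a simplification of real
negotiation); an inspecting gateway terminates two independent TLS sessions,
client<->gateway and gateway<->server, and offers the same version set on both
legs; the three badssl.com hosts accept exactly one version each, as observed
in the thread's tests. All version sets below are constructed test data.
"""

VERSIONS = ("1.0", "1.1", "1.2", "1.3")

# Client profiles from the thread (curl --tlsvX --tls-max X).
CLIENTS = {
    "Client TLS 1.0 Only": ("1.0",),
    "Client TLS 1.1 Only": ("1.1",),
    "Client TLS 1.2 Only": ("1.2",),
}

# Test servers from the thread, each assumed to accept a single version.
SERVERS = {
    "tls-v1-0.badssl.com": ("1.0",),
    "tls-v1-1.badssl.com": ("1.1",),
    "tls-v1-2.badssl.com": ("1.2",),
}


def negotiate(offered, accepted):
    """Highest version in both sets, or None when the handshake must fail."""
    common = set(offered) & set(accepted)
    if not common:
        return None
    return max(common, key=VERSIONS.index)


def connect(client, server, gateway=None):
    """Return (client_leg, server_leg) versions for one connection.

    gateway=None means pass-through: one handshake end to end, so both legs
    report the same version. Otherwise the gateway answers the client itself
    and opens its own session to the server; both legs must succeed.
    """
    if gateway is None:
        version = negotiate(client, server)
        return version, version
    client_leg = negotiate(client, gateway)
    if client_leg is None:
        return None, None                      # client leg failed
    return client_leg, negotiate(gateway, server)


def reachability(gateway=None):
    """{(client name, server name): True if the whole connection succeeds}."""
    table = {}
    for cname, cvers in CLIENTS.items():
        for sname, svers in SERVERS.items():
            client_leg, server_leg = connect(cvers, svers, gateway)
            table[(cname, sname)] = client_leg is not None and server_leg is not None
    return table


def show(title, gateway=None):
    """Print a yes/no matrix in the layout of the thread's tables."""
    print(title)
    print("%-20s" % "" + "".join("%-22s" % s for s in SERVERS))
    table = reachability(gateway)
    for cname in CLIENTS:
        row = ["yes" if table[(cname, s)] else "no" for s in SERVERS]
        print("%-20s" % cname + "".join("%-22s" % r for r in row))
    print()


if __name__ == "__main__":
    show("No HTTPS Inspection")
    show("HTTPS Inspection, daemon accepts 1.0-1.3", gateway=VERSIONS)
    show("HTTPS Inspection, daemon restricted to 1.2/1.3", gateway=("1.2", "1.3"))
```

The third matrix is the trade-off discussed later in the thread: restricting the daemon to 1.2/1.3 stops the old clients, but it also stops the gateway's own leg to a server that only speaks 1.0 or 1.1, so those servers need an inspection bypass rather than a version exception.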
G_W_Albrecht
Legend

What did you configure for https inspection in cipher_util (sk126613: Cipher configuration tool 'cipher_util' for Security Gateways) ?

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
SomAustrianCity
Participant

Yeah, I already disabled the 3DES and RC4 ciphers there. Disabling CBC is on my roadmap, but less important than other steps.

If I disable 1.0 and 1.1 in the inspection daemon, then sure, all inspected traffic has to be 1.2 or it won't work. But that also means, if there is an old application (or server) that doesn't support 1.2 yet, I have to disable inspection for that connection. Not ideal 😞

Hm, yeah I could disable these ciphers. According to ssllabs, these are used in 1.0 and 1.1 connections:

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

0 Kudos
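The "Deprecated Version" protections quoted in the opening post are described as matching the Server Hello, and the ssllabs output in this post lists the suites a TLS 1.0/1.1 server ends up using. The following Python is an added example, not Check Point IPS code and not from anyone in this thread: it parses a TLS handshake record, reads the version actually in effect (the supported_versions extension when present, otherwise the legacy version field) and reports the deprecated version and any of the four CBC/SHA-1 suites listed above. The caveat it demonstrates is that a TLS 1.3 ServerHello still carries 0x0303 in its legacy_version field, so a check keyed only on that field would classify it as TLS 1.2. The sample messages are constructed by the block's own build_hello helper, not captured traffic.

```python
"""Parse TLS ClientHello/ServerHello records and flag deprecated versions and
legacy cipher suites. Added example, not Check Point IPS code; all sample
messages are constructed by build_hello() below."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# The CBC/SHA-1 suites the thread's ssllabs output lists for TLS 1.0/1.1.
LEGACY_SUITES = {0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def _extensions(buf):
    """Yield (type, data) from an extensions block that starts with its length."""
    if len(buf) < 2:
        return
    (total,) = struct.unpack("!H", buf[:2])
    pos, end = 2, 2 + total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", buf[pos:pos + 4])
        yield etype, buf[pos + 4:pos + 4 + elen]
        pos += 4 + elen


def parse_hello(record):
    """Return version fields and cipher suites of a ClientHello/ServerHello.
    "version" is the one in effect: supported_versions when present (TLS 1.3
    keeps legacy_version at 0x0303), otherwise legacy_version."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    (legacy_ver,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                                  # skip client/server random
    pos += 1 + body[pos]                          # skip session id
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                      # skip compression methods
    elif hs_type == SERVER_HELLO:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        pos += 2 + 1                              # selected suite + compression
    else:
        raise ValueError("not a ClientHello/ServerHello")
    version = legacy_ver
    for etype, data in _extensions(body[pos:]):
        if etype == EXT_SUPPORTED_VERSIONS:
            if hs_type == CLIENT_HELLO:           # 1-byte length + 2-byte versions
                version = max(struct.unpack("!H", data[i:i + 2])[0]
                              for i in range(1, 1 + data[0], 2))
            else:                                 # server: single selected version
                (version,) = struct.unpack("!H", data[:2])
    return {"type": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
            "record_version": rec_ver, "legacy_version": legacy_ver,
            "version": version, "cipher_suites": suites}


def assess(hello, minimum=0x0303):
    """Findings a 'block below TLS 1.2 and legacy suites' policy would raise."""
    findings = []
    if hello["version"] < minimum:
        name = VERSION_NAMES.get(hello["version"], hex(hello["version"]))
        findings.append("deprecated version " + name)
    findings += ["legacy suite " + LEGACY_SUITES[cs]
                 for cs in hello["cipher_suites"] if cs in LEGACY_SUITES]
    return findings


def build_hello(hs_type, legacy_ver, suites, supported=None):
    """Construct a minimal hello record (test data, not a capture). ServerHello:
    suites[0] is the selected suite and `supported` the selected version.
    ClientHello: `suites` are offered and `supported` lists offered versions."""
    body = struct.pack("!H", legacy_ver) + b"\x00" * 32 + b"\x00"   # random, empty sid
    if hs_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"        # null compression
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    if supported is not None:
        if hs_type == CLIENT_HELLO:
            data = b"".join(struct.pack("!H", v) for v in supported)
            data = bytes([len(data)]) + data
        else:
            data = struct.pack("!H", supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs
```

Calling `assess(parse_hello(rec))` on a ServerHello that selects TLS 1.0 with 0xC013 yields both a version finding and a suite finding; on a TLS 1.3 ServerHello (legacy_version 0x0303, supported_versions 0x0304) it yields nothing, which is the case a detection keyed on the legacy field alone gets wrong. Note that the outer record version is 0x0301 in every sample, as many real clients still send, so it is not usable as a version signal either.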
PhoneBoy
Admin

A similar issue was discussed here with HTTPS Inspection: https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237

0 Kudos
SomAustrianCity
Participant

Hi

OK, so with the commands from https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237, I can disable old versions in the HTTPS Inspection daemon, blocking said versions when inspecting.

And in case I'm not inspecting, I can either use a blocking rule with TLS1.0 and TLS1.1 objects, or use the old IPS patterns to block these TLS Hellos.

Great, thank you.

0 Kudos
PhoneBoy
Admin

I will warn you that the older protections for this are marked with performance impact critical (5/5).
This means that traffic subject to these protections will be processed in the slow (F2F) path.
Be aware of this if you notice any performance issues after enabling them.

0 Kudos
