
Create firewall rule to block TLS1.0

Hi Group,

I have an unusual SOC audit request.  The request is to "Encryption of Data in Transit: Provide screenshot of firewall setting that shows TLS 1.0 or lower encryption protocols are prevented."


If I read this correctly, they are asking for the firewall to filter any traffic that is requesting TLS1.0 and lower from passing through.  Any thoughts on how this could be accomplished?



  • I would assume this can only be achieved on a stream basis. Sophos XG V18 can do such blocking.

    UTM can only prevent communication with UTM itself over TLS1.0. So you cannot talk to the Proxy with TLS1.0.

    But it cannot prevent the user from opening a port to a server with TLS1.0.


  • You are saying UTM does not have this capability but XG does?

  • Maybe the IPS could do this kind of blocking, but I am not aware of any pattern in UTM to do so.

    For such context blocking, you would need to have an architecture that analyses the cipher used in each connection in real time.


  • You think this is more Layer 7 application filtering?

  • There is the Handshake. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

    The client tries to open a connection (TCP Handshake). After the TCP, the TLS Handshake follows. 

    In one of the packets there is the "wanted version" (ServerHello).

    UTM can disable the TLS1.0 version everywhere. Hence the client cannot communicate with UTM over TLS1.0.

    The issue will come up if you have clients communicating with each other or with the Internet "through" UTM. It cannot prevent the TLS1.0 version in transit, as requested.

    Maybe it is enough for your SOC to have TLS1.0 disabled for everything on UTM. But if you need to prevent TLS1.0 everywhere, you would need XG Firewall with V18.


    Overall you should get in touch with your Sophos Partner to discuss this further. 

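To make the handshake point above concrete, here is an added example (not code from the thread or from Sophos) of the check a stream-based inspection engine has to perform: pull the version out of a ClientHello or ServerHello and decide allow/block against a minimum of TLS 1.1. The ServerHello carries the negotiated version, and for TLS 1.3 the real version sits in the supported_versions extension rather than the legacy version field. The `build_server_hello` helper only constructs sample records for testing; `MIN_ALLOWED` is an assumed policy value.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ALLOWED = 0x0302  # assumed policy: TLS 1.1 is the floor, so TLS 1.0 and SSL 3.0 are blocked

def _u16(b, off):
    return struct.unpack("!H", b[off:off + 2])[0]

def hello_versions(record):
    # Versions offered by a ClientHello (type 1) or selected by a ServerHello (type 2).
    # TLS 1.3 carries the real version in the supported_versions extension (type 43).
    if len(record) < 9 or record[0] != 0x16:       # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    hello = body[4:4 + hs_len]
    legacy_version = _u16(hello, 0)
    off = 2 + 32                                   # version + random
    off += 1 + hello[off]                          # session_id
    if hs_type == 1:
        off += 2 + _u16(hello, off)                # cipher_suites
        off += 1 + hello[off]                      # compression_methods
    else:
        off += 2 + 1                               # cipher_suite + compression_method
    if off + 2 > len(hello):                       # no extensions present (pre-1.3 style)
        return [legacy_version]
    ext_end, off = off + 2 + _u16(hello, off), off + 2
    while off + 4 <= ext_end:
        ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
        ext = hello[off + 4:off + 4 + ext_len]
        if ext_type == 43:                         # supported_versions: list in ClientHello, single in ServerHello
            return [_u16(ext, i) for i in range(1, 1 + ext[0], 2)] if hs_type == 1 else [_u16(ext, 0)]
        off += 4 + ext_len
    return [legacy_version]

def verdict(record):
    # Block when the best version the peer can reach is below the policy floor.
    best = max(hello_versions(record))
    return f"{'block' if best < MIN_ALLOWED else 'allow'}: {VERSION_NAMES.get(best, hex(best))}"

def build_server_hello(legacy_version, supported_version=None):
    # Constructed sample ServerHello: zero random, empty session id, one cipher suite, null compression.
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if supported_version is not None:              # TLS 1.3 style: version announced via extension 43
        ext = struct.pack("!HHH", 43, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", legacy_version) + struct.pack("!H", len(hs)) + hs
```

A proxy or IPS that terminates or observes the stream can run `verdict` on the first handshake record from each side; note that a device which only disables TLS1.0 on its own listeners, as described for UTM above, never sees this decision for pass-through traffic.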
