This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Create firewall rule to block TLS1.0

Hi Group,

I have an unusual SOC audit request. The request is to "Encryption of Data in Transit: Provide screenshot of firewall setting that shows TLS 1.0 or lower encryption protocols are prevented."

If I read this correctly, they are asking for the firewall to filter any traffic that is requesting TLS1.0 and lower from passing through. Any thoughts on how this could be accomplished?

This thread was automatically locked due to age.

0 LuCar Toni over 5 years ago

I would assume, this can only be archived on a Stream based. Sophos XG V18 can do such a blocking.

UTM can only prevent to communicate with UTM TLS1.0. So you cannot talk to the Proxy with TLS1.0.

But it cannot prevent the user to open a Port to a server with TLS1.0.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tom B over 5 years ago in reply to LuCar Toni

You are saying UTM does not have this capability but XG does?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Tom B

Maybe the IPS could do this kind of blocking, but i am not aware of any pattern in UTM to do so.

For such context blocking, you would need to have a architecture in real time, to analyse the used cipher in each connection.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tom B over 5 years ago in reply to LuCar Toni

You think this is more Layer 7 application filtering?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Tom B

There is the Handshake. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

The client tries to open a connection (TCP Handshake). After the TCP, the TLS Handshake follows.

In one of the packets, there is the "wanted version". (ServerHello).

UTM can disable the TLS1.0 version everywhere. Hence the Client cannot communicate to UTM with TLS1.0.

The issue will come up, if you have Clients communicating to each other or to the Internet "through" UTM. It cannot prevent the TLS1.0 version in Transit, like requested.

Maybe it is enough for your SoC, to have TLS1.0 disabled for everything on UTM. But if you need to prevent TLS1.0 everywhere, you would need XG Firewall with V18.

Overall you should get in touch with your Sophos Partner to discuss this further.
Cancel
Vote Up 0 Vote Down

Cancel