Description
Using insecure and deprecated protocols can leave connections vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of the SSLv2 protocol, and POODLE (Padding Oracle On Downgraded Legacy Encryption), which allows an attacker to recover the plaintext of information encrypted with the SSLv3 protocol using a person-in-the-middle or eavesdropping attack.
Remediation
If you use Protocol-SSLv2, Protocol-SSLv3, or Protocol-TLSv1 (the PCI council requires TLS 1.0 to be disabled soon), we highly recommend updating these protocols.
Note
The ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1, which is considered insecure.
Rule ID
NS-SSL-001
Risk level
High (not acceptable risk)
Rule description
Protect against Secure Sockets Layer (SSL) negotiation of the insecure and deprecated protocols SSLv2, SSLv3, and TLSv1.0.
This rule can help you meet compliance standards and align your AWS Well-Architected Framework for seamless integration of AWS, Network Security, and Trend Micro Cloud One - Conformity.

Audit SSL/TLS protocol connection

To determine if you are blocking outdated SSL/TLS protocol connections, perform the following actions:
  1. From the Network Security management interface, click the Policy icon in the navigation panel.
  2. Select Intrusion Prevention Filtering.
  3. Search for the following filters and confirm that each is enabled. If any are not enabled, follow the steps under "Enable SSL/TLS protocol connection protection" below.
    • SSLv2 = filter 3892
    • SSLv3 = filter 13895
    • TLS 1.0 = filter 13896
    • TLS 1.1 = filter 13897
    • TLS 1.2 or 1.3 = filter 13898
    • TLS 1.3 = filter 13899

Enable SSL/TLS protocol connection protection

To block outdated SSL/TLS protocol connections, perform the following actions:
  1. From the Network Security management interface, click the Policy icon in the navigation panel.
  2. Select Intrusion Prevention Filtering.
  3. Search for the following filters, and enable each of them.
    • SSLv2 = filter 3892
    • SSLv3 = filter 13895
    • TLS 1.0 = filter 13896
    • TLS 1.1 = filter 13897
    • TLS 1.2 or 1.3 = filter 13898
    • TLS 1.3 = filter 13899
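As an added example (not Trend Micro code and not the product's filter logic), the following Python classifies the protocol version a captured ClientHello offers and maps it to the filter IDs listed above, flagging the versions this rule requires blocking. The function names and the sample handshakes are constructed for illustration; the filter mapping follows the list above, where 13898 is given as "TLS 1.2 or 1.3".

```python
import struct

# Filter IDs from the rule page (the page lists 13898 as "TLS 1.2 or 1.3"). Samples below are constructed.
FILTER_FOR = {"SSLv2": 3892, "SSLv3": 13895, "TLS 1.0": 13896,
              "TLS 1.1": 13897, "TLS 1.2": 13898, "TLS 1.3": 13899}
DEPRECATED = {"SSLv2", "SSLv3", "TLS 1.0"}  # versions NS-SSL-001 requires blocking
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def client_hello_version(data: bytes) -> str:
    """Return the highest protocol version a ClientHello offers."""
    # SSLv2 has no record header: 2-byte length with high bit set, then msg type 0x01.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2"
    # TLS record header type(1) version(2) length(2); handshake header type(1) length(3).
    if len(data) < 50 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    legacy_version = struct.unpack("!H", data[9:11])[0]
    pos = 11 + 32                                          # skip client random
    pos += 1 + data[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]                                   # compression_methods
    if pos + 2 <= len(data):                               # extensions block present
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            body = data[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:  # supported_versions: TLS 1.3 is signalled here, not in legacy_version
                offered = [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)]
                return VERSION_NAMES[max(v for v in offered if v in VERSION_NAMES)]  # skips GREASE
            pos += 4 + ext_len
    return VERSION_NAMES.get(legacy_version, "unknown")

def evaluate(data: bytes) -> dict:
    """Which filter covers this handshake, and does NS-SSL-001 require blocking it?"""
    version = client_hello_version(data)
    return {"version": version, "filter": FILTER_FOR.get(version), "blocked": version in DEPRECATED}

def make_client_hello(legacy: int, supported=None) -> bytes:
    """Constructed minimal ClientHello for testing: one cipher suite, empty session id."""
    body = struct.pack("!H", legacy) + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if supported:  # add a supported_versions (43) extension as a TLS 1.3 client would
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, 1 + len(vers), len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy, len(hs)) + hs
# Constructed SSLv2 ClientHello fragment: length 0x2e with high bit set, msg type 1, version 0x0002.
SSLV2_HELLO = bytes.fromhex("802e0100020015000000100100800700c0030080")
```

Only the supported_versions extension reveals a TLS 1.3 client, so a check that reads only the record or legacy version field would misreport it as TLS 1.2.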