Description
Using insecure and deprecated protocols leaves connections open to attacks such as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) and POODLE (Padding Oracle On Downgraded Legacy Encryption). DROWN exploits a protocol-level weakness in SSLv2 (made far cheaper to exploit by bugs in older OpenSSL releases): a server that still answers SSLv2 handshakes acts as a decryption oracle for its RSA key, so an attacker who has captured TLS sessions protected by the same key can recover their session keys even though the victim clients never used SSLv2 themselves. POODLE lets a person-in-the-middle force a connection down to SSLv3 and then abuse the SSLv3 CBC padding check to recover plaintext (for example session cookies) one byte at a time from an eavesdropped connection.
Remediation
If Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1 is still accepted (the PCI Security Standards Council required TLS 1.0 to be disabled by 30 June 2018), we strongly recommend disabling these protocols rather than "updating" them: configure endpoints to negotiate TLS 1.2 or later only. TLS 1.1 is likewise deprecated (RFC 8996) and should be disabled wherever no client depends on it.
Rule ID
NS-SSL-001
Risk level
High (not acceptable risk)
Rule description
Ensure that Network Security blocks SSL/TLS negotiation of the insecure and deprecated protocol versions SSLv2, SSLv3 and TLS 1.0.
This rule can help you with the following compliance standard: AWS Well-Architected Framework, through the integration of AWS, Network Security and Trend Micro Cloud One - Conformity.
Audit SSL/TLS protocol connections
To determine whether outdated SSL/TLS protocol connections are being blocked, perform the
following actions:
- From the Network Security management interface, click the Policy icon
in the navigation panel.
- Select Intrusion Prevention Filtering.
- Search for the following filters and confirm that they are enabled. If any are not
enabled, follow the steps below to enable SSL/TLS protection.
- SSLv2 = filter 3892
- SSLv3 = filter 13895
- TLS 1.0 = filter 13896
- TLS 1.1 = filter 13897
- TLS 1.2 or 1.3 = filter 13898
- TLS 1.3 = filter 13899
Enable SSL/TLS protocol connection protection
To block outdated SSL/TLS protocol connections, perform the following actions:
- From the Network Security management interface, click the Policy icon
in the navigation panel.
- Select Intrusion Prevention Filtering.
- Search for the following filters and enable each of them. Check the action configured for each filter before enabling it: a block action on the filters that match TLS 1.2 and TLS 1.3 would also stop the protocol versions this rule intends to keep, so those should only notify.
- SSLv2 = filter 3892
- SSLv3 = filter 13895
- TLS 1.0 = filter 13896
- TLS 1.1 = filter 13897
- TLS 1.2 or 1.3 = filter 13898
- TLS 1.3 = filter 13899
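The filters above decide on the protocol version carried in the first handshake message of a connection. The following script, added here as an illustration and not Trend Micro's filter logic or any code from Network Security, shows what such a version check has to look at: an SSLv2-format CLIENT-HELLO (the message a DROWN probe sends, which has no TLS record header), the ProtocolVersion field of a TLS ClientHello or ServerHello, and the supported_versions extension that TLS 1.3 uses instead of that field. The block list (SSLv2, SSLv3, TLS 1.0) is an assumption mirroring the rule's scope, and all sample hellos are constructed in the script rather than captured from a network.

```python
import struct

# Protocol versions as they appear on the wire (ProtocolVersion field / supported_versions).
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Assumed block list mirroring the rule's scope; not the IPS filters' own logic.
BLOCKED = {"SSLv2", "SSLv3", "TLS 1.0"}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 extension type for supported_versions


def _extensions(buf):
    """Yield (type, data) pairs from a TLS extensions block (2-byte total length prefix)."""
    (total,) = struct.unpack("!H", buf[:2])
    off, end = 2, 2 + total
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", buf[off:off + 4])
        yield etype, buf[off + 4:off + 4 + elen]
        off += 4 + elen


def classify_hello(data):
    """Return (message kind, highest protocol version) for the first bytes of a handshake.

    An SSLv2-format CLIENT-HELLO is reported as SSLv2 whatever version it advertises:
    a server that answers one is SSLv2-capable, which is the precondition for DROWN.
    """
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2 ClientHello", "SSLv2"   # 2-byte length with high bit set, msg type 1
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = data[5]
    body = data[9:]                       # handshake body starts at the ProtocolVersion field
    versions = [struct.unpack("!H", body[:2])[0]]
    off = 2 + 32                          # skip version and random
    off += 1 + body[off]                  # session_id
    if hs_type == 0x01:
        kind = "ClientHello"
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                     # compression_methods
    elif hs_type == 0x02:
        kind = "ServerHello"
        off += 2 + 1                                             # cipher_suite, compression_method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if off < len(body):                   # extensions are present
        for etype, edata in _extensions(body[off:]):
            if etype == SUPPORTED_VERSIONS_EXT:
                if kind == "ClientHello":  # 1-byte list length, then 2-byte versions
                    versions += [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                 for i in range(0, edata[0], 2)]
                else:                      # ServerHello carries the single selected version
                    versions.append(struct.unpack("!H", edata[:2])[0])
    # GREASE values (0x0a0a, 0x1a1a, ...) are not real versions; ignore them.
    best = max(v for v in versions if v in VERSION_NAMES)
    return kind, VERSION_NAMES[best]


def policy_action(data):
    """'block' if the hello's highest version falls under the rule, else 'allow'."""
    _, version = classify_hello(data)
    return "block" if version in BLOCKED else "allow"


# --- constructed sample hellos (built here, not captured traffic) ---------------------

def build_sslv2_client_hello(advertised=0x0002):
    cipher_specs = b"\x01\x00\x80"        # SSL_CK_RC4_128_WITH_MD5
    challenge = bytes(16)
    body = (b"\x01" + struct.pack("!HHHH", advertised, len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body   # 2-byte length with the high bit set


def build_client_hello(version, supported=()):
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x00\x2f"                                # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                        # one compression method: null
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(version, selected=None):
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SAMPLES = {
    "sslv2 hello (DROWN probe)": build_sslv2_client_hello(),
    "sslv3 client hello": build_client_hello(0x0300),
    "tls1.0 client hello": build_client_hello(0x0301),
    "tls1.3 client hello": build_client_hello(0x0303, (0x0a0a, 0x0304, 0x0303)),
    "tls1.0 server hello": build_server_hello(0x0301),
    "tls1.3 server hello": build_server_hello(0x0303, 0x0304),
}


def audit(samples=SAMPLES):
    """Map each capture name to (kind, version, action), the way a filter audit lists them."""
    return {name: (*classify_hello(raw), policy_action(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (kind, version, action) in audit().items():
        print(f"{name:28} {kind:18} {version:8} {action}")
```

Two details matter when checking a filter of this kind: a TLS 1.3 ClientHello still writes 0x0303 (TLS 1.2) into its legacy version field, so a check that only reads that field will misreport TLS 1.3 as TLS 1.2, and an SSLv2-format hello can advertise TLS 1.0 or higher, so the format of the message, not the advertised number, is what identifies an SSLv2-capable peer.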