CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Disable DES & DH768

  1. #1
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    14

    Default Disable DES & DH768

    I need to disable the following in Smart Center Server as this is listed as a vulnerability in the Qualys report. Where exactly can I find these settings?

    Disable the encryption algorithm "DES" (key length of 56 bits) and the key exchange algorithm DH768 (MODP768).

  2. #2
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    14

    Default Re: Disable DES & DH768

    Is this supported at the Global level?

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Disable DES & DH768

    Can you give more detail?

    Reported in what service?

    I had a similar report about the WebUI, which, at the time, I was running on 443. The solution was to disable the WebUI.

  4. #4
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    14

    Default Re: Disable DES & DH768

    It's a UTM-1070 appliance running R71.30 with VPN services. Please find the details in the attached file. How can I execute the workaround?
    Attachment: FW_DES.JPG

  5. #5
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Disable DES & DH768

    The phrasing used is Potential Vulnerability. Boiled down, this says that a human might make the choice to use DES or Diffie-Hellman Group 1, instead of something a little less weak.

    This is not a technical vulnerability and I can't find any configuration that would allow the choice to be removed/disabled. The option to misconfigure the device cannot be removed.

    I recommend you reject the request on those grounds. If they keep pushing the issue, pinky swear you won't use DES or Diffie-Hellman Group 1.
    Last edited by alienbaby; 2012-08-24 at 13:59.

  6. #6
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    14

    Default Re: Disable DES & DH768

    Global Properties -> Remote Access -> VPN - Authentication and Encryption -> Encryption Suite -> Custom -> Advanced

    Deselect DES and install the policy.
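
To confirm the change after the policy install, the transform the gateway selects can be decoded and checked for DES and MODP768. This is an added example, not part of the thread or of any Check Point tooling; it assumes the scanner finding concerns IKEv1 phase 1 proposals, and the function names and sample bytes are constructed for illustration.

```python
import struct

# IKEv1 phase 1 attribute numbers and values (RFC 2409 / IANA registry).
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
GROUP_NAMES = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
WEAK_ENC = {1}      # DES, 56-bit key
WEAK_GROUPS = {1}   # DH group 1, 768-bit MODP

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, field = struct.unpack_from("!HH", data, off)
        off += 4
        if raw_type & 0x8000:            # AF=1: short form, field is the value
            attrs[raw_type & 0x7FFF] = field
        else:                            # AF=0: long form, field is a length
            if len(data) - off < field:
                raise ValueError("truncated attribute value")
            attrs[raw_type] = int.from_bytes(data[off:off + field], "big")
            off += field
    return attrs

def weak_findings(data: bytes) -> list:
    """Return the names of the weak algorithms present in one transform."""
    attrs = parse_attributes(data)
    found = []
    if attrs.get(ATTR_ENC) in WEAK_ENC:
        found.append(ENC_NAMES[attrs[ATTR_ENC]])
    if attrs.get(ATTR_GROUP) in WEAK_GROUPS:
        found.append(GROUP_NAMES[attrs[ATTR_GROUP]])
    return found

# Constructed sample transforms (not captured from any real gateway).
# Enc=DES, Hash=SHA1, Auth=PSK, Group=1, LifeType=seconds, LifeDuration=86400
WEAK_SAMPLE = bytes.fromhex("80010001" "80020002" "80030001" "80040001"
                            "800b0001" "000c0004" "00015180")
# Enc=AES-CBC, KeyLength=256, Hash=SHA1, Auth=PSK, Group=14
STRONG_SAMPLE = bytes.fromhex("80010007" "800e0100" "80020002" "80030001" "8004000e")

if __name__ == "__main__":
    for label, blob in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        print(label, weak_findings(blob) or "no DES / MODP768")
```

The input is the attribute portion of a transform payload, for example extracted from a packet capture of the gateway's SA response.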
