CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: What are the recommended protocols for s2s vpn today?

  1. #1
    Join Date
    2017-07-10
    Posts
    6
    Rep Power
    0

    Default What are the recommended protocols for s2s vpn today?

    Hello all,

    I would like to know, security-wise, what are the recommended protocols to use in site-to-site VPN for phase 1 and phase 2, e.g. AES256 phase 1, SHA1/256 phase 2?

    Please let me know what is recommended for most secured tunnel.

    Thanks

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,002
    Rep Power
    12

    Default Re: What are the recommended protocols for s2s vpn today?

    Quote Originally Posted by daniba View Post
    Hello all,

    I would like to know, security-wise, what are the recommended protocols to use in site-to-site VPN for phase 1 and phase 2, e.g. AES256 phase 1, SHA1/256 phase 2?

    Please let me know what is recommended for most secured tunnel.

    Thanks
    Obviously the "most secure" would involve cranking all algorithms to their maximum values. However I'd postulate that the following is "reasonable" in today's world, others may disagree:

    Phase 1: Main Mode (not Aggressive Mode unless absolutely necessary)
    Encryption: AES-256
    Hashing: SHA-256 (Not SHA-384 since this keeps the VPN traffic from being accelerated)
    DH Group: 19
    SA Lifetime: 8 hours (default is 24 hours)

    Phase 2 Quick Mode:
    Encryption: AES-128
    Hashing: SHA-256 (Not SHA-384 since this keeps the VPN traffic from being accelerated)
    PFS: Yes, DH Group 5
    SA Lifetime: 1 hour

    Avoid 3DES and SHA-384 due to performance reasons; avoid SHA1 due to security reasons. Bit disappointing that R80.10 still defaults to SHA1 for IKE Phase 1 & 2...
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
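A small checker that encodes the recommendations from the post above as rules, so a proposed tunnel configuration can be compared against them before it goes live. This is an added example and not a Check Point tool or API: the class and function names (Proposal, check_tunnel, and so on) and the thresholds are taken from the post's advice (Main Mode, no 3DES or SHA1, no SHA-384 because it keeps traffic from being accelerated, PFS on, 8-hour and 1-hour SA lifetimes) and are this example's own.

```python
"""Sanity-check an IKEv1 site-to-site proposal against the advice in post #2.

Added example, not Check Point code. The rule thresholds are the post's
recommendations encoded as data; names such as Proposal and check_tunnel are
this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def _norm(name: str) -> str:
    """Normalise algorithm spellings: 'aes-256', 'AES_256', 'AES256' -> 'AES256'."""
    return name.upper().replace("-", "").replace("_", "").replace(" ", "")


WEAK_CIPHERS = {"DES", "3DES"}   # post: avoid 3DES (and DES is weaker still)
WEAK_HASHES = {"MD5", "SHA1"}    # post: avoid SHA1 for security reasons
SLOW_HASHES = {"SHA384"}         # post: SHA-384 keeps VPN traffic from being accelerated
MAX_P1_LIFETIME_H = 8.0          # post: 8 hours for Phase 1 (default is 24)
MAX_P2_LIFETIME_H = 1.0          # post: 1 hour for Phase 2


@dataclass
class Proposal:
    encryption: str
    hashing: str
    dh_group: Optional[int]      # Phase 2: None means PFS is disabled
    lifetime_hours: float
    mode: str = "main"           # Phase 1 only: "main" or "aggressive"


def _common_findings(label: str, p: Proposal) -> list[str]:
    """Cipher and hash checks shared by both phases."""
    out: list[str] = []
    enc, h = _norm(p.encryption), _norm(p.hashing)
    if enc in WEAK_CIPHERS:
        out.append(f"{label}: {p.encryption} is slow and weak; use AES")
    if h in WEAK_HASHES:
        out.append(f"{label}: {p.hashing} is deprecated; use SHA-256")
    if h in SLOW_HASHES:
        out.append(f"{label}: {p.hashing} prevents acceleration; prefer SHA-256")
    return out


def check_phase1(p: Proposal) -> list[str]:
    out = _common_findings("Phase 1", p)
    if p.mode.lower() != "main":
        out.append("Phase 1: Aggressive Mode in use; use Main Mode unless required")
    if p.lifetime_hours > MAX_P1_LIFETIME_H:
        out.append(f"Phase 1: SA lifetime {p.lifetime_hours:g}h exceeds {MAX_P1_LIFETIME_H:g}h")
    return out


def check_phase2(p: Proposal) -> list[str]:
    out = _common_findings("Phase 2", p)
    if p.dh_group is None:
        out.append("Phase 2: PFS disabled; enable PFS with a DH group")
    if p.lifetime_hours > MAX_P2_LIFETIME_H:
        out.append(f"Phase 2: SA lifetime {p.lifetime_hours:g}h exceeds {MAX_P2_LIFETIME_H:g}h")
    return out


def check_tunnel(phase1: Proposal, phase2: Proposal) -> list[str]:
    """Return all findings for a tunnel; an empty list means it matches the post."""
    return check_phase1(phase1) + check_phase2(phase2)


# Constructed sample configurations: the post's recommendation and a poor one.
RECOMMENDED = (
    Proposal("AES-256", "SHA-256", 19, 8.0, "main"),
    Proposal("AES-128", "SHA-256", 5, 1.0),
)
LEGACY = (
    Proposal("3DES", "SHA1", 2, 24.0, "aggressive"),
    Proposal("AES-256", "SHA-384", None, 24.0),
)

if __name__ == "__main__":
    for name, (p1, p2) in (("recommended", RECOMMENDED), ("legacy", LEGACY)):
        findings = check_tunnel(p1, p2)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it as a script to see the two sample tunnels scored; to check your own proposal, build two Proposal objects from the values in your VPN community settings and pass them to check_tunnel.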

  3. #3
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    937
    Rep Power
    12

    Default Re: What are the recommended protocols for s2s vpn today?

    Quote Originally Posted by ShadowPeak.com View Post
    Obviously the "most secure" would involve cranking all algorithms to their maximum values. However I'd postulate that the following is "reasonable" in today's world, others may disagree:

    Phase 1: Main Mode (not Aggressive Mode unless absolutely necessary)
    Encryption: AES-256
    Hashing: SHA-256 (Not SHA-384 since this keeps the VPN traffic from being accelerated)
    DH Group: 19
    SA Lifetime: 8 hours (default is 24 hours)

    Phase 2 Quick Mode:
    Encryption: AES-128
    Hashing: SHA-256 (Not SHA-384 since this keeps the VPN traffic from being accelerated)
    PFS: Yes, DH Group 5
    SA Lifetime: 1 hour

    Avoid 3DES and SHA-384 due to performance reasons; avoid SHA1 due to security reasons. Bit disappointing that R80.10 still defaults to SHA1 for IKE Phase 1 & 2...

    Second that. One just needs to check that these settings are legal in your country. Not the case for Russia, China and probably some other places.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,002
    Rep Power
    12

    Default Re: What are the recommended protocols for s2s vpn today?

    Quote Originally Posted by varera View Post
    Second that. One just needs to check that these settings are legal in your country. Not the case for Russia, China and probably some other places.
    Er yes, but that's not purely a technical issue. :-)
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  5. #5
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    937
    Rep Power
    12

    Default Re: What are the recommended protocols for s2s vpn today?

    Quote Originally Posted by ShadowPeak.com View Post
    Er yes, but that's not purely a technical issue. :-)
    Correct. My point was, the full answer would be "those encryption and hash protocols, unless your local laws require something different"
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  6. #6
    Join Date
    2014-04-10
    Posts
    2
    Rep Power
    0

    Default Re: What are the recommended protocols for s2s vpn today?

    For additional guidance you can start on page 39 of the following guide:

    https://bettercrypto.org/static/appl...-hardening.pdf

    Authentication: IPSEC authentication should optimally be performed via RSA signatures, with
    a key size of 2048 bits or more. Configuring only the trusted CA that issued the peer certificate
    provides for additional protection against fake certificates.
    If you need to use Pre-Shared Key authentication:
    1. Choose a random, long enough PSK (see below)
    2. Use a separate PSK for any IPSEC connection
    3. Change the PSKs regularly

    The size of the PSK should not be shorter than the output size of the hash algorithm used in IKE.

    For a key composed of upper- and lowercase letters, numbers, and two additional symbols, table 2.2 gives the minimum lengths in characters.

    Table 2.2.: PSK lengths
        IKE Hash    PSK length (chars)
        SHA256      43
        SHA384      64
        SHA512      86

    Table 2.4.: IPSEC Phase 1 parameters
        Mode        Main Mode
        Encryption  AES-256
        Hash        SHA2-*
        DH Group    Group 14-18

    Table 2.5.: IPSEC Phase 2 parameters
        Perfect Forward Secrecy  ✔
        Encryption               AES-GCM-16, AES-CTR, AES-CCM-16, AES-256
        Hash                     SHA2-* (or none for AEAD)
        DH Group                 Same as Phase 1

    Regards,

    Luis
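The PSK lengths in table 2.2 follow from the rule quoted above (PSK entropy at least the IKE hash output size) and the stated character set. The added example below, which is not code from the guide or from Check Point, derives those lengths, generates a PSK of the minimum length from the OS CSPRNG, and checks the guide's "one PSK per connection" rule across a set of peers. It assumes the guide's 64-symbol alphabet (letters, digits and two extra symbols); the choice of "-" and "_" as the two symbols, and all function names, are this example's own.

```python
"""Minimum pre-shared key length from the IKE hash (bettercrypto rule quoted in post #6).

Added example, not code from the guide. Assumes the guide's character set:
upper- and lowercase letters, digits and two extra symbols, i.e. 64 symbols,
so each uniformly random character carries 6 bits of entropy.
"""
import math
import secrets
import string

HASH_OUTPUT_BITS = {"SHA256": 256, "SHA384": 384, "SHA512": 512}
ALPHABET = string.ascii_letters + string.digits + "-_"   # 64 symbols; "-_" is an assumption


def bits_per_char(alphabet: str = ALPHABET) -> float:
    """Entropy per character when each one is drawn uniformly from the alphabet."""
    return math.log2(len(set(alphabet)))


def min_psk_chars(ike_hash: str, alphabet: str = ALPHABET) -> int:
    """Smallest length whose entropy is at least the IKE hash output size."""
    return math.ceil(HASH_OUTPUT_BITS[ike_hash] / bits_per_char(alphabet))


def generate_psk(ike_hash: str, alphabet: str = ALPHABET) -> str:
    """Uniformly random PSK of the minimum length, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(min_psk_chars(ike_hash, alphabet)))


def psk_meets_minimum(psk: str, ike_hash: str, alphabet: str = ALPHABET) -> bool:
    """True if the PSK is long enough for the hash.

    Only characters from the alphabet are counted, which is conservative: a
    key padded with characters outside it gets no credit for them.
    """
    usable = sum(1 for c in psk if c in alphabet)
    return usable >= min_psk_chars(ike_hash, alphabet)


def find_shared_psks(psk_by_peer: dict) -> list:
    """Guide rule 2: a separate PSK per connection.

    Returns the groups of peers (sorted) that share a PSK, without echoing
    the PSK values themselves.
    """
    peers_by_psk: dict = {}
    for peer, psk in psk_by_peer.items():
        peers_by_psk.setdefault(psk, []).append(peer)
    return sorted(sorted(peers) for peers in peers_by_psk.values() if len(peers) > 1)


# Constructed sample inventory: two branches wrongly share one key.
SAMPLE_PEERS = {
    "branch-a": "example-shared-psk-not-for-use",
    "branch-b": "example-shared-psk-not-for-use",
    "branch-c": "example-distinct-psk-not-for-use",
}

if __name__ == "__main__":
    for h in HASH_OUTPUT_BITS:
        print(f"{h}: minimum {min_psk_chars(h)} chars")
    print("fresh SHA512 PSK:", generate_psk("SHA512"))
    print("peers sharing a PSK:", find_shared_psks(SAMPLE_PEERS))
```

The computed minimums reproduce table 2.2 (43, 64 and 86 characters) because 256, 384 and 512 bits divided by 6 bits per character round up to exactly those values; pass a different alphabet to bits_per_char and the lengths adjust accordingly.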
