Encryption Algorithms of the UTM

Last adaptation to the version: 12.6.0
New:
  • Updated to the redesign of the web interface
This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Authentication / Encryption

Introduction

[Screenshot: Encryption menu, UTM v12.3.6]

In this menu you define the encryption protocols and cipher suites that are used when clients connect to the applications on the UTM. The basic settings chosen by Securepoint are currently considered secure and have been tested for compatibility.
If a higher level of protection is required, the settings can be changed in the Authentication / Cryptographic settings menu (hardening).


  • The Global tab displays the basic settings.
  • With Overwrite default values the OpenSSL default settings can be overridden for all of the following applications:
    • Webserver
    • SSL-VPN
    • Mailrelay
    • Reverse proxy (clients)
  • The changes made in the Global tab can in turn be overridden separately for each application.
  • Individual settings in the application menus can (partially) take over the global values by selecting Apply value from GLOBAL tab.


The graphic on the right shows how an application's settings depend on the Global settings, using a global minimum TLS version of 1.1 as the example.
For all settings shown in the graphic: TLS 1.0 is not allowed; TLS 1.2 and TLS 1.3 are allowed.



Cryptographic settings

Global

[Screenshot: UTM v12.6 Global encryption settings]
Global Encryption Settings

Override defaults: Yes
    If this function is activated, the settings for the protocols can be changed.
TLS min version: 1.2
    TLS 1.0 to TLS 1.3 are available. Default: 1.2
TLS max version: 1.3
    TLS 1.0 to TLS 1.3 are available. Default: 1.3
DH Key Size: 4096
    The length of the Diffie-Hellman key can be set to 2048 bit or 4096 bit.
Cipher suite: Use default value
    In the Cipher-Suite field the desired ciphers and modes can be defined. If no value is specified, the default value of the respective application (see below) is used.

Webserver

Webserver

[Screenshot: UTM v12.6 Webserver encryption settings]
Encryption settings for web server connections

Override defaults: Yes
    If this function is activated, the settings for the protocols can be changed.
TLS min version: 1.2
    TLS 1.0 to TLS 1.3 are available. Default: 1.2
TLS max version: 1.3
    TLS 1.0 to TLS 1.3 are available. Default: 1.3
DH Key Size: Apply value from GLOBAL tab
    The length of the Diffie-Hellman key can be set to 2048 bit or 4096 bit.
ECDH 384 Bit: On
    Uses the Elliptic Curve Diffie-Hellman method with 384-bit keys for the key exchange.
Cipher suite: Apply value from GLOBAL tab
    In the Cipher-Suite field the desired ciphers and modes can be defined (OpenSSL cipher-list syntax).
    Default:
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
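As an added example (not from the Securepoint wiki), the following Python script loads the web server's default cipher string together with the page's TLS 1.2/1.3 bounds into a local OpenSSL context, lists which cipher suites the string actually enables, and flags legacy ones; the "hardened" string is a constructed assumption for comparison, not a Securepoint default.

```python
import ssl

# Web server default cipher string as documented on this page (OpenSSL cipher-list syntax).
UTM_DEFAULT_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)
# Constructed hardened variant (an assumption for illustration, not a Securepoint default):
# the same string with the 3DES entries and the plain RSA+ entries (RSA key exchange
# without forward secrecy) removed, so only (EC)DHE suites remain.
HARDENED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS"
)
# Substrings of OpenSSL suite names that identify legacy suites worth flagging in an audit.
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "DSS")
# TLS versions written the way the UTM tab shows them.
TLS_VERSIONS = {"1.0": ssl.TLSVersion.TLSv1, "1.1": ssl.TLSVersion.TLSv1_1,
                "1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def build_context(cipher_string, tls_min="1.2", tls_max="1.3"):
    """Mirror one UTM tab in a local OpenSSL context: min/max TLS version plus cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_VERSIONS[tls_min]
    ctx.maximum_version = TLS_VERSIONS[tls_max]
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if no suite matches the string
    return ctx


def enabled_suites(cipher_string):
    """Names of the suites OpenSSL actually enables for the string (TLS 1.3 suites included)."""
    return [c["name"] for c in build_context(cipher_string).get_ciphers()]


def weak_suites(cipher_string):
    """Enabled suites that still use 3DES, RC4, MD5, NULL or DSS; an empty list means none."""
    return [n for n in enabled_suites(cipher_string) if any(m in n for m in WEAK_MARKERS)]


def allows_version(ctx, version):
    """True if the context would negotiate the TLS version given as on the UTM tab, e.g. "1.0"."""
    return ctx.minimum_version <= TLS_VERSIONS[version] <= ctx.maximum_version


if __name__ == "__main__":
    for label, s in (("UTM default", UTM_DEFAULT_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(f"{label}: {len(enabled_suites(s))} suites enabled, legacy: {weak_suites(s)}")
    ctx = build_context(UTM_DEFAULT_CIPHERS)
    print("TLS 1.0 allowed:", allows_version(ctx, "1.0"))  # False with min version 1.2
```

Whether the 3DES entries of the default string enable any suite depends on how the local OpenSSL was built; the script reports what it finds rather than assuming.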

SSL-VPN

SSL-VPN

[Screenshot: UTM v12.6 SSL-VPN encryption settings]
Encryption for SSL-VPN connections

Override defaults: Yes
    If this function is activated, the settings for the protocols can be changed.
TLS min version: 1.2
    TLS 1.0 to TLS 1.3 are available. Default: 1.2
TLS max version: 1.3
    TLS 1.0 to TLS 1.3 are available. Default: 1.3
DH Key Size: Apply value from GLOBAL tab
    The length of the Diffie-Hellman key can be set to 2048 bit or 4096 bit.
TLS 1.3 Cipher Suite: Apply value from GLOBAL tab
    If applicable, restricts the cipher suites to be used for TLS 1.3.
    Default:
    TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
Cipher suite: Apply value from GLOBAL tab
    In the Cipher-Suite field the desired ciphers and modes can be defined.
    Default:
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


Mailrelay

Mailrelay

[Screenshot: UTM v12.6 Mailrelay encryption settings]
Encryption settings for connections via the mail relay

Override defaults: Yes
    If this function is activated, the settings for the protocols can be changed.
TLS min version: 1.2
    TLS 1.0 to TLS 1.3 are available. Default: 1.2
TLS max version: 1.3
    TLS 1.0 to TLS 1.3 are available. Default: 1.3
DH Key Size: Apply value from GLOBAL tab
    The length of the Diffie-Hellman key can be set to 2048 bit or 4096 bit.
Cipher suite: Apply value from GLOBAL tab
    In the Cipher-Suite field the desired ciphers and modes can be defined.
    Default:
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


Reverse-Proxy

Reverse-Proxy

These TLS settings apply to the connection between this appliance and the clients.
The TLS settings between this appliance and the servers reached via the reverse proxy are configured under Applications / Reverse Proxy (see the Reverse Proxy wiki article).

[Screenshot: UTM v12.6 Reverse-Proxy encryption settings]
Encryption for reverse proxy connections

Override defaults: Yes
    If this function is activated, the settings for the protocols can be changed.
TLS min version: 1.2
    TLS 1.0 to TLS 1.3 are available. Default: 1.2
TLS max version: 1.3
    TLS 1.0 to TLS 1.3 are available. Default: 1.3
DH Key Size: Apply value from GLOBAL tab
    The length of the Diffie-Hellman key can be set to 2048 bit or 4096 bit.
Cipher suite: Apply value from GLOBAL tab
    In the Cipher-Suite field the desired ciphers and modes can be defined.
    Default:
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


Save / Restore

The Reset button resets the settings in the currently opened area to the global values. If Overwrite default values is deactivated again, the settings in the currently opened area are reset to the default values of the individual application.

Changing the default settings may mean that not every target system remains reachable for all users, for example if they use older clients or web browsers that do not support the required encryption.

The services are restarted when the new settings are saved. For the web server this means that the administrator and/or user of the UTM web interface must log on again.


CLI

The settings made in the web interface can also be displayed on the Command Line Interface (CLI) with the following commands.

Global settings

extc value get application "securepoint_firewall"


The result should look similar to the following:

application         |variable                       |value
--------------------+-------------------------------+----- 
securepoint_firewall|ANONYMIZELOGS                  |1    
                    |CIPHER_LIST                    |     
                    |CLUSTERADVBASE                 |2    
                    |CLUSTERDEADRATIO               |15   
                    |CLUSTERPREEMTIVE               |0    
                    |CLUSTER_ID                     |1    
                    |CLUSTER_SECRET                 |secret
                    |CRYPTO_OVERRIDE                |0    
                    |DHPARAM_LENGTH                 |2048 
                    |DHPARAM_LENGTH_DEFAULT         |2048 
                    |ECDHE_CURVE                    |secp384r1
                    |FULLCONENAT_ZONE_DST           |external
                    |FULLCONENAT_ZONE_SRC           |internal
                    |HTTP_TRANSPARENT_EXCEPTION_LIST|     
                    |HTTP_TRANSPARENT_LIST          |LAN2 
                    |IPCONNTRACK                    |32000
                    |LANG                           |en_US
                    |LASTRULE_LOGGING               |2    
                    |POP3_TRANSPARENT_EXCEPTION_LIST|     
                    |POP3_TRANSPARENT_LIST          |LAN2 
                    |PPPOE_LCP_ECHO                 |1    
                    |TIF_WHITELIST                  |     
                    |TLS_VERSION_MAX                |1.3  
                    |TLS_VERSION_MAX_DEFAULT        |1.3  
                    |TLS_VERSION_MIN                |1.2 
                    |TLS_VERSION_MIN_DEFAULT        |1.2  
                    |UPDATE_TRIGGER_DELAY           |2    
                    |USE_ECDHE                      |1    
                    |USE_OTP                        |0   


To change the value of a single variable, use the following command. In this example the TLS_VERSION_MIN variable is changed:

extc value set application "securepoint_firewall" variable "TLS_VERSION_MIN" value 1.1

The result should look similar to the following:

                    |TLS_VERSION_MAX                |1.3  
                    |TLS_VERSION_MAX_DEFAULT        |1.3  
                    |TLS_VERSION_MIN                |1.1  
                    |TLS_VERSION_MIN_DEFAULT        |1.2

Individual applications

The encryption settings of the individual applications can be displayed and changed with the same commands; only the application name needs to be exchanged. The following applications are available:

extc value get application "webserver"
extc value get application "openvpn"
extc value get application "smtpd"
extc value get application "squid-reverse"


Changes made on the CLI must be activated by restarting the respective application. The command for this is:

appmgmt restart application "[Name of the application]"