Blocking Legacy TLS Versions

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

The TLS protocol aims primarily to provide security, including privacy (confidentiality), integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications. It runs in the presentation layer and is itself composed of two layers: the TLS record and the TLS handshake protocols.

The closely related Datagram Transport Layer Security (DTLS) is a communications protocol that provides security to datagram-based applications. In technical writing, references to “(D)TLS” are often seen when it applies to both versions.[1]

TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999, and the current version is TLS 1.3, defined in August 2018. TLS builds on the now-deprecated SSL (Secure Sockets Layer) specifications (1994, 1995, 1996) developed by Netscape Communications for adding the HTTPS protocol to their Netscape Navigator web browser.

Internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 because of several security issues. Starting with the Windows 11 Insider Preview and Windows Server Insider Preview releases in 2024, they will be disabled by default.

Some applications cannot have the deprecated protocols disabled because of their own requirements, so the question becomes how to protect them from the external network. Here is how to block the deprecated protocols at the edge network.

  1. Log onto the firewall
  2. Go to Security Profiles.
  3. Application Control.
  4. Select the profile which is attached to the policy.
  5. Create a new “Application and Filter Override”.
  6. Ensure the action is set to Block.
  7. Search for TLS.
  8. Add the selected TLS versions.
  9. Click OK to save.

Screenshots: steps 1 – 4; steps 5 – 7; steps 8 – 9.

Applying this to an inbound rule is the recommended approach here, even when the traffic is between an internal VLAN and the external network.
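Whether a given connection counts as “legacy TLS” is decided by the firewall’s application-control engine from the handshake it sees, most importantly the ClientHello. As an added illustration, not code from the original post or from any firewall vendor, the script below parses a TLS ClientHello and reports which protocol versions the client offers, honouring the TLS 1.3 supported_versions extension over the legacy client_version field as RFC 8446 requires. The ClientHello bytes are constructed inside the script rather than captured from a real client, and the helper names (build_client_hello, offered_versions, is_legacy_only) are this example’s own.

```python
import struct

# (major, minor) wire values for the TLS versions discussed on this page
TLS_VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension type


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record (constructed sample, not a real capture).

    client_version is the legacy 2-byte version field; supported_versions, when
    given, is the list advertised in the TLS 1.3 supported_versions extension.
    """
    random_bytes = b"\x11" * 32              # fixed filler instead of real randomness
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"      # two example suite ids, content irrelevant here
    compression = b"\x00"
    body = bytes(client_version) + random_bytes
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += bytes([len(compression)]) + compression
    if supported_versions is not None:
        versions = b"".join(bytes(v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # record header: type 0x16 (handshake), record-layer version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(record):
    """Return the set of (major, minor) versions a ClientHello record offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    client_version = (body[0], body[1])
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    versions = {client_version}
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + data_len]
            pos += data_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                # RFC 8446: when present, this list supersedes the legacy field
                count = data[0]
                versions = {tuple(data[i:i + 2]) for i in range(1, 1 + count, 2)}
    return versions


def highest_version(record):
    """Highest version the client is willing to negotiate."""
    return max(offered_versions(record))


def is_legacy_only(record):
    """True when nothing at or above TLS 1.2 is offered: the case a legacy-TLS block should drop."""
    return highest_version(record) < (3, 3)


def describe(record):
    """Human-readable summary, e.g. for a log line when a handshake is dropped."""
    names = sorted(TLS_VERSIONS.get(v, "unknown %r" % (v,)) for v in offered_versions(record))
    verdict = "BLOCK (legacy only)" if is_legacy_only(record) else "allow"
    return "offers %s -> %s" % (", ".join(names), verdict)


if __name__ == "__main__":
    print(describe(build_client_hello((3, 1))))                       # TLS 1.0-only client
    print(describe(build_client_hello((3, 3))))                       # TLS 1.2 client
    print(describe(build_client_hello((3, 3), [(3, 4), (3, 3)])))     # TLS 1.3 client
```

The point of checking the highest offered version rather than the legacy client_version field is that every TLS 1.3 client writes 3.3 into that field and advertises 1.3 only in the extension; a classifier that looked at the field alone would mislabel modern clients. A policy built on the ServerHello (the negotiated version) is stricter still, since a client may offer 1.2 alongside 1.0 and the server may still pick 1.0; a firewall that only inspects the ClientHello cannot see that outcome.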
