INFO: WebMarshal HTTPS inspection and SSL/TLS versions

This article applies to:

  • WebMarshal 6.1 and above
    • Note changes at version 7.3, 6.12, and 6.11
  • HTTPS Content Inspection
  • SSL/TLS version settings

Question:

  • How does WebMarshal HTTPS content inspection affect SSL/TLS settings?

Information:

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the protocols that allow web browsers and web sites to communicate securely using HTTPS. TLS is the successor to SSL; each newer version fixes weaknesses in the previous one.

The following SSL/TLS protocol versions are currently supported by WebMarshal:

  • SSLv2 (the original protocol, insecure and deprecated)
  • SSLv3 (also considered insecure)
  • TLSv1.0
  • TLSv1.1 (WebMarshal 6.11 and above)
  • TLSv1.2 (WebMarshal 6.11 and above)
  • TLSv1.3 (WebMarshal 7.3 and above)

When a web browser connects to a site using HTTPS, the browser and the site negotiate a protocol version and a cipher suite from the set that both of them support (normally the highest version and strongest cipher suite they share). That version and cipher suite are then used to protect the connection.

  • Some security standards (such as US Government FIPS guidance) require use of TLSv1.0 or above.
  • All recent web browsers support the latest TLS versions.
  • Recent web browsers have removed support for SSLv2 (and current browsers have also removed SSLv3).
  • Internet Explorer 6 has TLSv1.0 disabled by default.

How WebMarshal affects SSL

When WebMarshal HTTPS Content Inspection is enabled, two secure connections are required: one between the browser and WebMarshal, and another between WebMarshal and the web site. These connections are negotiated separately, and each can end up using a different protocol version from the list above.

If a remote site does not support the strongest protocol versions, by default WebMarshal will use any version it has in common with the site. The version negotiated on the WebMarshal-to-site connection is not reported to the browser; the browser only sees the version it negotiated with WebMarshal. Therefore, even if a user sets their browser to refuse SSLv2, the Internet connection through WebMarshal could still be using SSLv2 between WebMarshal and the site.

WebMarshal SSL Options

You can configure WebMarshal HTTPS rules to accept or refuse an SSL/TLS protocol version (using the rule condition "Where the security protocol is"). WebMarshal can warn a user, or block a connection, if a lower security protocol version is in use on the connection to the site.

If SSL security is important to your organization, and you are using WebMarshal HTTPS inspection, you should configure WebMarshal rules in support of your SSL security policy.

Change in version 7.3 and above

  • TLSv1.3 is supported in 7.3 and above.

Change in version 6.12 and above

  • SSLv2 is no longer supported through WebMarshal.
  • All configuration options related to SSLv2 are removed from WebMarshal as of version 6.12.
  • Because WebMarshal no longer speaks SSLv2, a site that offers only SSLv2 cannot complete negotiation. When HTTPS inspection is enabled, Trustwave recommends you use the rule condition "Where SSL/TLS could not be negotiated" to block such connections.
  • A rule to block connections "Where SSL/TLS could not be negotiated" is created and enabled on new installation and on upgrade.
  • SSLv3 is blocked by default as of version 6.11 (see below).

Change in version 6.11

When HTTPS Content Inspection is enabled, connections that use SSLv2 or SSLv3 are blocked by default regardless of rule conditions. To configure the list of SSL and TLS protocols that will be negotiated and allowed, see Trustwave Knowledge Base article Q20067.
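To make the two-leg behaviour and the rule conditions concrete, the following Python model is added here for this article; it is not WebMarshal code. It negotiates the browser leg and the site leg independently, exposes only the browser-leg version to the client, and applies rules modelled on "Where the security protocol is" and "Where SSL/TLS could not be negotiated" to the site leg, including a default SSLv2/SSLv3 block like the one described for version 6.11. The supported-version lists, rule names, and the sample browser and sites are constructed assumptions, not real WebMarshal configuration.

```python
"""
Model of split HTTPS inspection: browser<->proxy and proxy<->site are negotiated
separately, and the browser only learns the version chosen on its own leg.
Added example for this article; not WebMarshal code. All version lists, rule
names and sample peers below are assumptions.
"""
from dataclasses import dataclass, field

# Protocol versions from weakest to strongest, as listed in the article.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {v: i for i, v in enumerate(VERSION_ORDER)}


def negotiate(offered_a, offered_b):
    """Highest version both peers offer, or None when nothing is shared
    (the 'SSL/TLS could not be negotiated' case)."""
    shared = set(offered_a) & set(offered_b)
    return max(shared, key=RANK.__getitem__) if shared else None


@dataclass(frozen=True)
class HttpsRule:
    """One HTTPS rule, evaluated against the site leg only.
    protocols      -> models 'Where the security protocol is'
    not_negotiated -> models 'Where SSL/TLS could not be negotiated'"""
    name: str
    action: str                          # "block" or "warn"
    protocols: frozenset = frozenset()
    not_negotiated: bool = False

    def matches(self, site_version):
        if site_version is None:
            return self.not_negotiated
        return site_version in self.protocols


@dataclass
class InspectingProxy:
    supported: list                              # versions the proxy can speak
    hard_blocked: frozenset = frozenset()        # refused on the site leg regardless of rules
    rules: list = field(default_factory=list)    # evaluated in order; first match wins

    def connect(self, browser_offers, site_offers):
        """Simulate one inspected connection. 'browser_sees' is everything the
        client can observe; 'site_leg' is what actually went to the site."""
        client_leg = negotiate(browser_offers, self.supported)
        if client_leg is None:
            return {"browser_sees": None, "site_leg": None,
                    "verdict": "fail", "rule": None}
        site_leg = negotiate([v for v in self.supported if v not in self.hard_blocked],
                             site_offers)
        for rule in self.rules:
            if rule.matches(site_leg):
                return {"browser_sees": client_leg, "site_leg": site_leg,
                        "verdict": rule.action, "rule": rule.name}
        # No rule matched: with no shared version the connection simply fails,
        # otherwise it is allowed on whatever version the site leg negotiated.
        verdict = "fail" if site_leg is None else "allow"
        return {"browser_sees": client_leg, "site_leg": site_leg,
                "verdict": verdict, "rule": None}


# Constructed sample peers (assumptions, not measured data).
BROWSER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # refuses SSLv2/SSLv3
SSLV3_ONLY_SITE = ["SSLv2", "SSLv3"]                      # legacy site
TLS10_SITE = ["SSLv3", "TLSv1.0"]
MODERN_SITE = ["TLSv1.2", "TLSv1.3"]


def legacy_proxy():
    """Pre-6.11 style: any shared version is used, no default blocks, no rules."""
    return InspectingProxy(supported=["SSLv2", "SSLv3", "TLSv1.0"])


def hardened_proxy():
    """6.11/6.12 style: SSLv2/SSLv3 refused on the site leg regardless of rules,
    a block rule for failed negotiation, and a warn rule for TLSv1.0."""
    return InspectingProxy(
        supported=["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"],
        hard_blocked=frozenset({"SSLv2", "SSLv3"}),
        rules=[
            HttpsRule("Block when SSL/TLS could not be negotiated", "block",
                      not_negotiated=True),
            HttpsRule("Warn on TLSv1.0 sites", "warn",
                      protocols=frozenset({"TLSv1.0"})),
        ],
    )


if __name__ == "__main__":
    for label, proxy in (("legacy", legacy_proxy()), ("hardened", hardened_proxy())):
        for site_name, site in (("sslv3-only", SSLV3_ONLY_SITE),
                                ("tls1.0", TLS10_SITE), ("modern", MODERN_SITE)):
            print(label, site_name, proxy.connect(BROWSER, site))
```

The first scenario is the point of the article: the browser refuses SSLv3 and sees a TLSv1.0 connection to the legacy proxy, yet the site leg runs SSLv3 and is allowed because no rule looks at it. With the hardened proxy the same site fails negotiation (SSLv3 is refused on the site leg) and the "could not be negotiated" rule blocks it, while a TLSv1.0-only site is let through with a warning. Checking the site leg is the only place this policy can be enforced; browser settings never see it.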

Notes:

  • When WebMarshal HTTPS Content Inspection is not enabled, or if HTTPS Content Inspection is not enabled for a particular site, the secure connection is made directly between the browser and the site. The settings in the browser control the protocols that are accepted. 
  • You can select TLS/SSL options for Internet Explorer from the IE Tools > Internet Options > Advanced tab, Security section.
