Imperva Cyber Community


Imperva Securesphere in Bridge mode (In-line mode) does not support DHE Cipher suites

  • 1.  Imperva Securesphere in Bridge mode (In-line mode) does not support DHE Cipher suites

    Posted 02-25-2020 08:09
    We have implemented the Imperva WAF (SecureSphere) in Bridge mode (In-Line Mode), and all the applications integrated under WAF monitoring are showing an unsupported cipher issue. Currently all applications are using Diffie-Hellman key exchange, from a security perspective. So due to this unsupported cipher issue, SSL inspection is not happening. Will Imperva add this DHE cipher in a future release, or is there any option to resolve this issue?

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tushar Sawant
    ------------------------------


  • 2.  RE: Imperva Securesphere in Bridge mode (In-line mode) does not support DHE Cipher suites

    Imperva Employee
    Posted 02-25-2020 09:37
    DHE is specifically designed to prevent sniffing.  You can only decrypt DHE if you are terminating the session (so you can't use regular Bridge Mode to monitor DHE traffic).  You need to use another mode/architecture (such as Kernel Reverse Proxy (KRP)).

    Check out https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/534.htm for details on DHE support (see the note at the bottom).

    Also check out https://docs.imperva.com/bundle/v13.6-administration-guide/page/7203.htm for details on KRP.

    Jim

    ------------------------------
    Jim Burtoft
    Imperva
    PA
    ------------------------------
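The distinction Jim draws above, shown as an added illustration that is not part of this thread or of any Imperva product: a constructed toy model of an RSA key exchange and a DHE key exchange, with textbook-sized parameters (`RSA_P`, `RSA_Q`, `DH_P` and the function names are all assumptions for the demo). A passive bridge holding the server's private key recovers the RSA premaster secret from the wire, but the DHE transcript gives it nothing to decrypt; only a device that terminates the session and runs its own DHE (as KRP/TRP do) holds the secret.

```python
import secrets

# Constructed toy parameters, far too small for real use; they only model the shapes.
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's private key, as uploaded to the WAF
DH_P, DH_G = 2 ** 127 - 1, 5                       # public group parameters (toy group)


def rsa_key_exchange(premaster: int) -> dict:
    """TLS_RSA_*: the client encrypts the premaster secret to the server's public key."""
    return {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}


def bridge_decrypt_rsa(wire: dict, server_d: int) -> int:
    """Bridge mode: a passive copy of the wire plus the server key recovers the secret."""
    return pow(wire["encrypted_premaster"], server_d, RSA_N)


def dhe_key_exchange(a: int, b: int) -> tuple:
    """TLS_DHE_*: each side sends only its public share g^x mod p. The server's RSA key
    signs server_share (authentication) but never wraps the secret. Returns (wire, secret)."""
    wire = {"client_share": pow(DH_G, a, DH_P), "server_share": pow(DH_G, b, DH_P)}
    return wire, pow(wire["client_share"], b, DH_P)


def bridge_decrypt_dhe(wire: dict, server_d: int):
    """Bridge mode: nothing in the DHE transcript is encrypted to the server key, and
    recovering a or b from the shares is the discrete-log problem, so the passive
    device has no secret to work with."""
    return None


def terminating_proxy_dhe(client_share: int, proxy_b: int) -> int:
    """KRP/TRP: the proxy terminates TLS and runs its own DHE with the client (and a
    second one towards the origin), so it knows the secret because it chose proxy_b."""
    return pow(client_share, proxy_b, DH_P)


def demo() -> bool:
    """Run both models with fresh random values; True when the DHE secret is only
    reachable by terminating the session."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    rsa_ok = bridge_decrypt_rsa(rsa_key_exchange(premaster), RSA_D) == premaster
    # Client-facing leg of a terminating proxy: the proxy plays the server side with proxy_b.
    a, proxy_b = secrets.randbelow(DH_P - 2) + 2, secrets.randbelow(DH_P - 2) + 2
    wire, secret = dhe_key_exchange(a, proxy_b)
    passive = bridge_decrypt_dhe(wire, RSA_D)
    terminated = terminating_proxy_dhe(wire["client_share"], proxy_b)
    return rsa_ok and passive is None and terminated == secret
```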



  • 3.  RE: Imperva Securesphere in Bridge mode (In-line mode) does not support DHE Cipher suites

    Imperva Employee
    Posted 02-25-2020 09:56
    Hi Tushar,

    To decrypt DHE ciphers in Bridge Mode, Transparent Reverse Proxy must be enabled.

    TRP runs on top of Bridge Mode, operates at the HTTP service layer, and is completely configurable within the SecureSphere GUI.

    For a general overview, please see:

         https://docs.imperva.com/bundle/v13.5-administration-guide/page/7200.htm


    For TRP configuration information, please see:

         https://docs.imperva.com/bundle/v12.5-web-application-firewall-user-guide/page/3097.htm

    Please note that it is important that the previously uploaded SSL certificates contain the full chain (intermediate and root) before enabling TRP, or the client may experience errors.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------