Imperva Cyber Community


Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

  • 1.  Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Posted 02-25-2020 08:09
    We have implemented the Imperva WAF (SecureSphere) in Bridge mode (In-Line Mode), and all the applications integrated under WAF monitoring are showing an unsupported cipher issue. Currently all applications are using Diffie-Hellman key exchange from a security perspective. So, due to this unsupported cipher issue, SSL inspection is not happening. Will Imperva add this DHE cipher in a future release, or is there any option to resolve this issue?

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tushar Sawant
    ------------------------------


  • 2.  RE: Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Imperva Employee
    Posted 02-25-2020 09:37
    DHE is specifically designed to prevent sniffing.  You can only decrypt DHE if you are terminating the session (so you can't use regular Bridge Mode to monitor DHE traffic).  You need to use another mode/architecture (such as Kernel Reverse Proxy (KRP)).

    Check out https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/534.htm for details on DHE support (see the note at the bottom).

    Also check out https://docs.imperva.com/bundle/v13.6-administration-guide/page/7203.htm for details on KRP.

    Jim

    ------------------------------
    Jim Burtoft
    Imperva
    PA
    ------------------------------



  • 3.  RE: Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Posted 10-23-2020 03:10
    Hi Jim,

      Is it possible to decrypt "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)" in sniffing mode? As I read it, sniffing mode does not support DHE ciphers and I need to change the web server certificate to a supported cert, but I can't find which cipher list can be decrypted by SecureSphere sniffing mode, because that cipher is already included in the supported cipher list.


    --

    1. Disable the unsupported ciphers on the web server

    Verify which ciphers are enabled on your web server and compare them to the ciphers supported by On-Premises WAF (SecureSphere). Refer to the list of supported ciphers described in the user guide under "SSL Ciphers".
    Verify which cipher was used to trigger the alert by going to the Main -> Monitor -> Alerts screen and searching for the "Untraceable SSL session: Unsupported Ciphers" alert. In the event details of the alert, you can find the cipher name.

    ------------------------------
    Tulga Bat
    Ulaanbaatar
    ------------------------------
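The point Jim makes above (DHE can only be decrypted by the party terminating the session) and the cipher check in the two steps just above, as an added Python example that is not part of this thread or of any Imperva code. It parses a TLS ServerHello, reads the negotiated suite and says whether a passive bridge/sniffing device holding only the server's private key can derive the session keys. Only static RSA key exchange allows that; DHE and ECDHE (including the 0xc02f suite asked about) and every TLS 1.3 suite do not, whatever certificate the server presents, which is why those sessions have to be terminated (TRP/KRP) instead of sniffed. The cipher table, the ServerHello builder and the `suites_to_disable` helper are this example's own constructions, not SecureSphere's supported-cipher list.

```python
import struct

# Subset of the IANA TLS cipher-suite registry (constructed for this example;
# extend it from the "SSL Ciphers" list of your own SecureSphere version).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",      # TLS 1.3: key exchange is always (EC)DHE
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def key_exchange(suite_id):
    """Classify a suite's key exchange: 'RSA' (static; the server's private key
    decrypts the premaster secret), 'ephemeral' (DHE/ECDHE or TLS 1.3, forward
    secret) or 'unknown' for suites not in the table."""
    name = CIPHER_SUITES.get(suite_id)
    if name is None:
        return "unknown"
    if name.startswith("TLS_RSA_WITH_"):
        return "RSA"
    if name.startswith(("TLS_DHE_", "TLS_ECDHE_")) or "_WITH_" not in name:
        return "ephemeral"
    return "other"


def passively_decryptable(suite_id):
    """True only when a passive device holding the server's private key can
    recover the session keys, i.e. static RSA key exchange."""
    return key_exchange(suite_id) == "RSA"


def parse_server_hello(record):
    """Extract (legacy_version, cipher_suite) from a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])
    sid_len = hello[34]                      # follows 2-byte version + 32-byte random
    pos = 35 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[pos:pos + 2])
    return version, suite


def triage(record):
    """The question a bridge-mode sniffer faces per session: can it be decrypted?"""
    _, suite = parse_server_hello(record)
    return {
        "suite": CIPHER_SUITES.get(suite, "unknown (0x%04x)" % suite),
        "key_exchange": key_exchange(suite),
        "sniffable": passively_decryptable(suite),
    }


def suites_to_disable(configured):
    """Step 1 of the fix above: of the suites a web server offers, those that must be
    switched off (or the server moved behind TRP/KRP) because sniffing cannot decrypt them."""
    return [CIPHER_SUITES.get(s, "0x%04x" % s) for s in configured
            if not passively_decryptable(s)]


def build_server_hello(suite_id, session_id=b""):
    """Constructed sample ServerHello (TLS 1.2 framing, zeroed random) for offline testing."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite_id) + b"\x00")        # compression_method: null
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for sid in (0xC02F, 0x009E, 0x009C, 0x1301):
        print(triage(build_server_hello(sid, session_id=b"\x11" * 32)))
    print("disable on the web server:", suites_to_disable([0x009C, 0xC02F, 0x009E]))
```

Run against a captured ServerHello instead of the constructed one (first handshake record from the server, with the client's ClientHello stripped) and `triage` tells you whether the "Untraceable SSL session: Unsupported Ciphers" alert is inevitable for that session; `suites_to_disable` fed with the server's configured list gives the set that must go if you stay in sniffing mode. Note that disabling every ephemeral suite removes forward secrecy for all clients, which is the trade-off the thread is really about.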



  • 4.  RE: Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Imperva Employee
    Posted 02-25-2020 09:56
    Hi Tushar,

    To decrypt DHE ciphers in Bridge Mode, Transparent Reverse Proxy must be enabled.

    TRP runs on top of Bridge Mode, operates at the HTTP service layer, and is completely configurable within the SecureSphere GUI.

    For a general overview, please see:

         https://docs.imperva.com/bundle/v13.5-administration-guide/page/7200.htm


    For TRP configuration information, please see:

         https://docs.imperva.com/bundle/v12.5-web-application-firewall-user-guide/page/3097.htm

    Please note that it is important that the previously uploaded SSL certificates contain the full chain (intermediate and root) before enabling TRP, or the client may experience errors.






    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 5.  RE: Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Posted 10-26-2020 03:53
    Hi Jaired,

    I am quite sure that SSL certificates containing the full chain are required, but it should only be the intermediate and not the root, right?
    After all, doesn't the client hold the root and use it to verify the intermediate?


    B.R

    ------------------------------
    CJ Kuo
    Ciphertech
    Taipei
    ------------------------------



  • 6.  RE: Imperva SecureSphere in Bridge mode (In-line mode) does not support DHE cipher suites

    Posted 10-29-2020 09:29
    Hi Tushar,

    On-prem WAFs have these issues. They cannot decrypt DHE or ECDHE ciphers; I faced this too. There is one mode called Transparent Reverse Proxy mode, which you can set for an individual application server group. This can help you remediate the problem, but at times the applications don't work (keep that in mind).

    Because of this, we moved to Incapsula Cloud WAF. It handles ciphers effectively.

    ------------------------------
    Nikhil Chodankar
    Prudential Services Asia
    ------------------------------