
How do you determine the protocol security ratings of the SSL Security Check sensor?


I use several SSL Security Check sensors to monitor SSL/TLS connectivity to various devices and would like to know how you decide about rating an accepted protocol as weak or strong.

For example, why does the SSL Security Check sensor rate TLS 1.0 as weak and show a Warning status if a connection with this protocol is possible?

lookups prtg sensor ssl ssl-security-check tls

Created on Oct 10, 2016 2:30:30 PM by  Gerald Schoch [Paessler Support]

Last change on May 31, 2019 12:24:53 PM by  Maike Behnsen [Paessler Support]



1 Reply

Accepted Answer


This article applies to PRTG Network Monitor 16.4.27 or later

Security Ratings of the SSL Security Check Sensor

The SSL Security Check sensor monitors SSL/TLS connectivity to the TCP/IP port of a device and shows which protocols are supported. If a supported protocol is considered to provide only weak security, the SSL Security Check sensor will show a Warning status.

The sensor considers the security of TLS 1.1 to be strong (RFC 4346) and the security of TLS 1.2 to be perfect (RFC 5246). If the target device only supports these protocols, the sensor will show an Up status.

Protocols with Weak Security

The security of the following protocols is considered as weak. For example, the National Institute of Standards and Technology (NIST) declares that “servers shall not support TLS 1.0, SSL 2.0, or SSL 3.0” (see the PDF Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations).

Because of this weak security, the SSL Security Check sensor will show a Warning status if the target device accepts the connection with at least one of these protocols. We strongly recommend that you update the encryption of your servers to TLS 1.1 or TLS 1.2 to secure your communication.

Note: As of version 18.1.38, SSL 2.0 is no longer available in the SSL Security Check sensor.

Change TLS 1.0 Security Rating

The SSL Security Check sensor only checks supported protocols but does not consider the used ciphers. So, after a risk analysis, TLS 1.0 may still be considered as secure in your environment. However, because of the known vulnerabilities, we have decided that the sensor has to reflect this insecurity and show a Warning status for TLS 1.0 connections by default.

We understand that some customers do not want to get the Warning status for TLS 1.0, so we provide the option to use a compatibility lookup file. To set the sensor to an Up status for TLS 1.0, you need to change the used lookup files in two sensor channels.

  • Open the channel settings of the Security Rating channel and choose the lookup file prtg.standardlookups.sslsensor.security.compatibility.
  • Open the channel settings of the TLS 1.0 channel and choose the lookup file prtg.standardlookups.sslsensor.tls.
  • Save the changes to both channels.

The sensor will not show a Warning status for TLS 1.0 anymore. Note that we do not recommend this workaround because of the well-known security vulnerabilities in TLS 1.0.

Created on Oct 10, 2016 2:38:56 PM by  Gerald Schoch [Paessler Support]

Last change on May 31, 2019 12:36:23 PM by  Maike Behnsen [Paessler Support]
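The rating rule from the answer above can be reproduced outside PRTG to cross-check what a server accepts. The following is an added example, not Paessler's code: the function names and the `tls10_compat` parameter are hypothetical, and it assumes the compatibility lookup changes the rating of TLS 1.0 only.

```python
import socket
import ssl
import sys

# Ratings as stated in the answer. SSL 2.0 is left out: Python's ssl module
# cannot offer it, and the sensor dropped it in 18.1.38.
RATINGS = {"SSL 3.0": "weak", "TLS 1.0": "weak",
           "TLS 1.1": "strong", "TLS 1.2": "perfect"}
VERSIONS = {"SSL 3.0": ssl.TLSVersion.SSLv3, "TLS 1.0": ssl.TLSVersion.TLSv1,
            "TLS 1.1": ssl.TLSVersion.TLSv1_1, "TLS 1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, name, timeout=5.0):
    """True/False: server accepted/refused `name`. None: the local OpenSSL
    build could not offer that version, so nothing is known about the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # handshake test only; the certificate is not checked
    try:
        # Pin the handshake to exactly one protocol version.
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ValueError, ssl.SSLError) as exc:
        local = isinstance(exc, ValueError) or exc.reason == "NO_PROTOCOLS_AVAILABLE"
        return None if local else False
    except OSError:
        return False  # reset, timeout or unreachable host counts as refused

def sensor_status(accepted, tls10_compat=False):
    """Rule from the answer: Warning if any weak protocol is accepted, else Up.
    tls10_compat (hypothetical name) mimics the compatibility lookup.
    'Unknown' for an empty list is this example's choice, not PRTG behaviour."""
    if not accepted:
        return "Unknown", []
    weak = sorted(p for p in accepted if RATINGS[p] == "weak"
                  and not (tls10_compat and p == "TLS 1.0"))
    return ("Warning" if weak else "Up"), weak

def scan(host, port=443):
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, sensor_status([n for n, ok in results.items() if ok])

if __name__ == "__main__" and len(sys.argv) > 1:
    results, (status, weak) = scan(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'not testable locally' if ok is None else 'refused'}")
    print(f"status: {status}" + (f" (weak: {', '.join(weak)})" if weak else ""))
```

Like the sensor, this checks only which protocol versions are accepted, not the negotiated ciphers. Many current OpenSSL builds refuse to offer SSL 3.0, TLS 1.0 or TLS 1.1 at all, so a "not testable locally" result says nothing about the server.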


