iCompaas Support

Profile Applicability:

Level 1

Description:

SSL policies control the Transport Layer Security (TLS) features allowed for clients connecting to load balancers. To enhance security, SSL policies should:

1. Require at least TLS 1.2 with the Modern profile, or

2. Use the Restricted profile, which enforces TLS 1.2 by default, or

3. Use a Custom profile that excludes the following weak cipher suites:

   • TLS_RSA_WITH_AES_128_GCM_SHA256

   • TLS_RSA_WITH_AES_256_GCM_SHA384

   • TLS_RSA_WITH_AES_128_CBC_SHA

   • TLS_RSA_WITH_AES_256_CBC_SHA

   • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Rationale:

Load balancers ensure efficient traffic distribution across servers. If configured insecurely, they may permit outdated protocols or weak cipher suites, exposing applications to risks such as:

• Man-in-the-middle attacks

• Data interception

• Traffic hijacking

Ensuring strong SSL policies mitigates these risks and strengthens the security posture of the application.

Impact:

Secure SSL policies may prevent connections from clients using outdated or insecure TLS versions and cipher suites.

Default Value:

By default, GCP load balancers use the least secure SSL policy with:

Audit Steps:

From Google Cloud Console:

1. Visit the Load Balancers page.

2. For each SSL Proxy or HTTPS load balancer:                                                                                                                                                                                                                              

   • Click its name to open the Load Balancer Details page.

• Verify that each Target Proxy in the Frontend table has an SSL policy configure.

3. For each SSL policy:

   • Ensure the policy has one of the following configurations:

     • Profile: Modern, and Min TLS Version: TLS 1.2.

     • Profile: Restricted.

     • Profile: Custom, without the following cipher suites:

       • TLS_RSA_WITH_AES_128_GCM_SHA256

       • TLS_RSA_WITH_AES_256_GCM_SHA384

       • TLS_RSA_WITH_AES_128_CBC_SHA

       • TLS_RSA_WITH_AES_256_CBC_SHA

       • TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Google Cloud CLI:

List all target HTTPS and SSL proxies:

gcloud compute target-https-proxies list
gcloud compute target-ssl-proxies list

For each target proxy, describe its configuration:

gcloud compute target-https-proxies describe TARGET_HTTPS_PROXY_NAME
gcloud compute target-ssl-proxies describe TARGET_SSL_PROXY_NAME

1. Verify that the sslPolicy field is configured:

   • If absent, the GCP default (insecure) SSL policy is being used.

Describe the SSL policy:

gcloud compute ssl-policies describe SSL_POLICY_NAME

2. Ensure the policy meets one of these conditions:

   • Profile: Modern, and Min TLS Version: TLS 1.2.

   • Profile: Restricted.

   • Profile: Custom, excluding the weak cipher suites listed above.

Remediation Steps:

From Google Cloud Console:

1. Navigate to the SSL Policies page.

2. For each insecure policy:

   • Click its name to view details.

• Click Edit.

• Set the following:

  • Minimum TLS Version: TLS 1.2.

  • Profile: Modern or Restricted.

  • If using Custom, ensure the weak cipher suites are disabled.

3. Save the changes.

From Google Cloud CLI:

Update an insecure SSL policy:

gcloud compute ssl-policies update NAME \
  --profile=[COMPATIBLE|MODERN|RESTRICTED|CUSTOM] \
  --min-tls-version=TLS_1_2 \
  --custom-features=FEATURES

Attach the updated SSL policy to the target proxy:

gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME --ssl-policy SSL_POLICY_NAME

• Min TLS Version: TLS 1.0

• Profile: Compatible

References:

1. Using SSL Policies

2. NIST SP 800-52r2 Guidelines

CIS Controls: