Document:Prisma Cloud Compute Edition Administrator’s Guide

TLS v1.2 cipher suites

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift v4
- OpenShift v3.11
- Console on Fargate
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
- Log Scrubbing
Authentication
- Logging into Prisma Cloud
- Integrating with an IdP
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- WAAS Explorer
- Deploying WAAS
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Splunk alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

TLS v1.2 cipher suites

Prisma Cloud Compute uses the Go programming language cryptographic libraries to protect all network communications via the Transport Layer Security (TLS) v1.2 protocol.

Prisma Cloud Compute Self-Hosted

The User Interface (UI) and API access is protected using server side TLS v1.2 authentication. The cipher suites offered by the Console adhere to NIST SP800-52r2 guidance.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

The Console enforces HTTP Strict Transport Security (HSTS).

Validating Console’s UI and API TLS cipher suites

Use nmap to confirm the cipher suites supported by the Console.

Install nmap

Call the Console’s UI/API endpoint (default TCP port 8083) to enumerate the ciphers suites supported by the Console.

$ nmap -sV --script ssl-enum-ciphers -p 8083 172.17.0.2

The following is an abbreviated return from the nmap command:

Starting Nmap 7.60 ( https://nmap.org ) at 2022-02-16 21:32 UTC
Nmap scan report for 172.17.0.2
Host is up (0.000046s latency).

PORT     STATE SERVICE     VERSION
8083/tcp open  ssl/us-srv?
| fingerprint-strings:

..
..
..

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Console to Defender communication

The Console and Defenders communication using a mutual TLS v1.2 web-socket session (default TCP 8084). The allowed cypher suites used for this communication adhere to NIST SP800-52r2 guidance.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_256_CBC_SHA

The certificate/keys used for the Console to Defender mutual TLS v1.2 web socket session are generated during the Console’s initiation process. The reason for this is to ensure the Console is only communicating with the Defenders it has deployed and the Defenders only communicate with its controlling Console.

Validating Console to Defender communication

Use nmap to confirm the cipher suites supported by the Console.

Install nmap

Call the Console’s Defender communications endpoint (default TCP port 8084) to enumerate the ciphers suites supported by the Console for Defender communications.

$ nmap -sV --script ssl-enum-ciphers -p 8084 172.17.0.2

Following is a return from the nmap command

Starting Nmap 7.60 ( https://nmap.org ) at 2022-02-16 22:30 UTC
Nmap scan report for 172.17.0.2
Host is up (0.000048s latency).

PORT     STATE SERVICE     VERSION
8084/tcp open  ssl/unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Prisma Cloud Compute Enterprise (SaaS)

The Compute Console runs within a Google Cloud Platform’s Google Kubernetes Engine (GKE). The GKE Console containers are fronted by GCP Load Balancers that have been configured to use the Modern pre-configured profile. The Modern profile supports a wide set of SSL features, allowing modern clients to negotiate SSL.

Validating Console’s UI and API TLS cipher suites (SaaS)

Use nmap to confirm the cipher suites supported by the Console.

Install nmap

Call the Console’s UI/API endpoint (default TCP port 443) to enumerate the ciphers suites supported by the Console. The Console’s URL can be found within the Compute Module’s Manage > System > Utilities > Path to Console
.

$ nmap -sV --script ssl-enum-ciphers -p 443 us-west1.cloud.twistlock.com

The following is an abbreviated return from the nmap command:

Starting Nmap 7.70 ( https://nmap.org ) at 2022-02-28 22:44 UTC
Nmap scan report for us-west1.cloud.twistlock.com (34.82.51.12)
Host is up (0.073s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx 1.17.10
|_http-server-header: nginx/1.17.10
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Console to Defender communication (SaaS)

The SaaS Console and Defender communication uses the same TCP port (i.e. 443) and cipher suites as the UI/API endpoint.

Credential store’s secrets storage

Local username/password accounts within a local database table using HMAC256. This is in compliance with NIST SP800-107r1. Currently, there are seven approved hash algorithms specified in FIPS 180-4: SHA-1, SHA-224, SHA-256
, SHA-384 SHA-512, SHA-512/224 and SHA-512/256.

Industrial guidance

NIST SP800-52r2

NIST Special Pulication 800-52r2 provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. Prisma Cloud Compute’s cipher suites adhere to SP800-52r2 guidance.

NIST SP800-52r2 approved suites	Compute cipher suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384	TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA	TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

NSA approved

The NSA’s Commercial National Security Algorithm Suite provides cryptographic guidance for replacement of Suite B algorithms prior to the availability of quantum resistant algorithms. "For those customers who are looking for mitigations to perform while the new algorithm suite is developed and implemented into products, there are several things they can do." These recommendations have been implemented within Prisma Cloud’s cryptographic settings.

Document:Prisma Cloud Compute Edition Administrator’s Guide

TLS v1.2 cipher suites

Table of Contents

TLS v1.2 cipher suites

Prisma Cloud Compute Self-Hosted

Validating Console’s UI and API TLS cipher suites

Console to Defender communication

Validating Console to Defender communication

Prisma Cloud Compute Enterprise (SaaS)

Validating Console’s UI and API TLS cipher suites (SaaS)

Console to Defender communication (SaaS)

Credential store’s secrets storage

Industrial guidance

NIST SP800-52r2

NSA approved