01-27-2022 03:38 AM - edited 01-27-2022 06:37 AM
Hi Team,
This post is for all of you in the Netherlands who have customers (or your own company) that want to comply with internet.nl and get to that hall of fame with Cisco ESAs but have no clue how to get there or don't want to be too strict.
What is Internet.nl? https://internet.nl/
Internet.nl helps you to check whether your internet is up to date. Do your website, email and internet connection use modern and reliable Internet Standards? And if they don't, what can you do about it? Who is behind Internet.nl? The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The platform is a collaboration between parties from the Internet community and the Dutch government.
And here is a link to the most recent publications about the guidelines for TLS in the Netherlands:
https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1
I want to share 2 cipher strings with you that are not super strict. There are stricter options, so if you want to provide more security don't use these 2. If you want to comply with internet.nl but not be the strictest on the internet you can use one of these two:
ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-EXPORT:@STRENGTH
ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!aNULL:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-aNULL:-EXPORT:@STRENGTH
If you have even better ideas, please post in the comments so we can all help each other. And let's get to that hall of fame!
01-27-2022 04:13 AM
Thanks Maartje! Great Post!
01-27-2022 05:20 AM
01-27-2022 05:38 AM
Thanks Ken! I will change that!
On the other part, medium does allow some ciphers that are still being used and are also considered good by the NCSC.
So like I said, there are more secure options, but if you want to comply with internet.nl but not be the strictest on the internet you can use one of these two.
If you would like to share the strongest suggestion, please feel free to do so!
02-04-2022 12:58 AM
Thanks for the info, I don't know what we would do without the Internet
08-15-2023 08:05 AM
If you want 100% compliance you can use: ECDHE:!3DES:!NULL:-SSLv3
Or use the next one which is considered sufficient: ECDHE:RSA:!3DES:!MD5:!IDEA:!CAMELLIA:!SEED:!NULL:-SSLv3
Also check Method TLS 1.2 only.
To enter the Internet.nl Hall of Fame something more needs to be done; this is the easy part.
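Before pasting one of the rule strings from this thread into an appliance, it helps to see which suites it actually expands to. The following is an added example, not code from any poster or from Cisco: it uses Python's `ssl` module, so it expands against the OpenSSL build Python is linked to (an assumption; the ESA's own build may resolve keywords such as `MEDIUM` differently), and the `audit` categories are this example's own, not internet.nl's scoring.

```python
import ssl

# Rule strings quoted from the thread: the first suggestion and the two from the last reply.
THREAD_RULES = [
    "ECDH+TLSv1.2:ECDH+HIGH:MEDIUM:!LOW:!EXP:!RC4:!DSS:!SEED:!IDEA:!MD5:!PSK:"
    "!3DES:!SRP:!TLSv1.1:!TLSV1:!SSLv3:-EXPORT:@STRENGTH",
    "ECDHE:!3DES:!NULL:-SSLv3",
    "ECDHE:RSA:!3DES:!MD5:!IDEA:!CAMELLIA:!SEED:!NULL:-SSLv3",
]


def expand(rule):
    """Return the suites the local OpenSSL selects for an OpenSSL cipher rule string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(rule)  # raises ssl.SSLError if the rule selects nothing
    # TLS 1.3 suites are not controlled by this rule string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(rule):
    """Group the selected suites by properties a reviewer would question."""
    report = {"anonymous": [], "not_ecdhe_or_dhe": [], "under_128_bits": []}
    for c in expand(rule):
        if c.get("auth") == "auth-null":            # no server authentication
            report["anonymous"].append(c["name"])
        if c.get("kea") not in ("kx-ecdhe", "kx-dhe"):  # e.g. static RSA key exchange
            report["not_ecdhe_or_dhe"].append(c["name"])
        if c.get("strength_bits", 0) < 128:
            report["under_128_bits"].append(c["name"])
    return report


if __name__ == "__main__":
    print("Linked against:", ssl.OPENSSL_VERSION)
    for rule in THREAD_RULES:
        print("\n" + rule)
        try:
            suites = expand(rule)
        except ssl.SSLError as exc:
            print("  rejected by this OpenSSL build:", exc)
            continue
        print("  %d suites selected" % len(suites))
        for category, names in audit(rule).items():
            if names:
                print("  %s: %s" % (category, ", ".join(names)))
```

Run the same comparison after every change to the string, and confirm the result with an internet.nl test against the live listener, since that is what the score is based on.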