TLS Protocol and Compliance Standards
Overview
The Transport Layer Security (TLS) protocol is the primary means of protecting network communications over the Internet. Organizations encrypt network traffic using TLS to protect data in transit. TLS allows client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery.
In August of 2018, RFC 8446 was published providing the specifications for TLS 1.3 and some new requirements for TLS 1.2 implementations. To keep a security posture aligned with the newest standards, Meraki has added TLS 1.3 to our supported protocol versions.
Using obsolete TLS configurations provides a false sense of security since it looks like the data is protected, even though it is not. Specifically, TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages. Ensuring your Meraki devices have upgraded to current firmware versions, that only connect to the Meraki cloud with TLS 1.2 and/or TLS 1.3 and choosing configuration options that specify TLS 1.2 and higher for client-side services helps protect your network.
Keeping the Network Safe
The best way to keep your network safe is to keep your Meraki firmware current. Generally Available (GA) versions of firmware will include TLS 1.3.
Common Compliance Standards
The most common compliance standards that include guidelines for TLS are as follows:
- NIST Standards
- The Health and Insurance Portability and Accountability Act (HIPPA)
- The Payment Card Industry Data Security Standard (PCI-DSS)
Each of these standards are described in the following sections.
NIST Standards
In 2005, NIST published Special Publication (SP) 800-52, describing the correct operational procedures to securely configure a TLS instance for government servers. SP 800-52 has since been replaced by versions SP 800-52r1 (2014) and SP 80052r2 (2019).
NIST SP 800-52r2 states the following:
Servers that support government-only applications shall be configured to use TLS 1.2 and should be configured to use TLS 1.3 as well. These servers should not be configured to use TLS 1.1 and shall not use TLS 1.0, SSL 3.0, or SSL 2.0.
Servers that support citizen or business-facing applications (i.e., the client may not be part of a government IT system) shall be configured to negotiate TLS 1.2 and should be configured to negotiate TLS 1.3. The use of TLS versions 1.1 and 1.0 is generally discouraged, but these versions may be configured when necessary to enable interaction with citizens and businesses… These servers shall not allow the use of SSL 2.0 or SSL 3.0.
Agencies shall support TLS 1.3 by January 1, 2024. After this date, servers shall support TLS 1.3 for both government-only and citizen or business-facing applications. In general, servers that support TLS 1.3 should be configured to use TLS 1.2 as well. However, TLS 1.2 may be disabled on servers that support TLS 1.3 if it has been determined that TLS 1.2 is not needed for interoperability.
HIPPA
HIPAA is a regulation enacted by the US government in 1996, concerning the secure handling of Protected Health Information (PHI). PHI refers to any digital patient information, such as test results or diagnoses. A HIPAA guidance document published in 2013 states the following:
Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
PCI-DSS
PCI-DSS is a compliance standard maintained by the Payment Card Industry (PCI) Standards Security Council (SSC) which establishes how payment and card information are handled by e-commerce web sites. Regarding the proper configuration of TLS instances, PCI-DSS states:
“Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g. NIST SP 800-52 and SP 800-57, OWASP, etc.)”