
How to Implement SSL Decryption

PANOS has the ability to decrypt and inspect SSL connections going through the firewall. Both inbound and outbound SSL connections can be decrypted and inspected. SSL decryption can occur on interfaces in virtual wire or Layer 3 mode [1]. The SSL rulebase is used to configure which traffic to decrypt; in particular, decryption can be based upon URL categories, as well as source user, and source/target addresses.

Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats/URL filtering/file blocking/data filtering. Note that decrypted traffic is never sent off of the device.

Overview of operation

Inbound SSL decryption

In this case, the administrator imports a copy of the protected server’s certificate and key. Once the SSL server certificate is loaded on the firewall, and an SSL decryption policy is configured for the inbound traffic, the device will be able to decrypt and read the traffic as it forwards it on. No changes will be made to the packet data, and the secure channel will be built from the client system to the internal server. The firewall will be able to detect malicious content and control applications running over this secure channel.

Outbound SSL decryption (called “SSL forward proxy”)

In this case, the firewall proxies the outbound connections. It intercepts the outbound requests, and generates a certificate on the fly for the site that the client was going to.

The validity date on the PA-generated certificate is taken from the validity date on the real server certificate.

The issuing authority of the PA-generated certificate is the PA device. If the firewall’s certificate is not part of an existing hierarchy or is not added to a client’s browser cache, then the client will receive a warning message when browsing to a secure site.

If the real server certificate has been issued by an authority not trusted by the PA firewall [2], then the decryption certificate will be issued using a second “untrusted” CA key. This is to ensure that the user will be warned if there are subsequent man-in-the-middle attacks occurring.

[1] SSL decryption can also be performed on inbound traffic in tap mode if the firewall has the real SSL certificate of the internal server. This document however focuses on inline decryption.

[2] The trusted CA certificates on the PA firewall match the trusted CA certificates found in Firefox 3.

Overview of Configuration Steps

Here are the steps to configuring SSL decryption:

1. Configure appropriate interfaces into either virtual wire or Layer 3, and insert the device inline in the network.

2. Install the proper certificates on the firewall.

3. Configure SSL decryption rules.

4. Enable SSL decryption notification page (optional).

5. Commit your changes, and test decryption.

Step 1 above is not discussed in this document. Steps 2-5 are described below.

Step 2: Loading a certificate on the PA device

In the firewall GUI, go to Device tab -> Certificates screen. You will load or generate a certificate for either inbound inspection, or for outbound (forward proxy) inspection.


For inbound inspection, you will need to load the server certificates for any internal server that you want to decrypt traffic to.

For outbound inspection, you have two choices:

• Click “Generate a self-signed certificate”, and then install the certificate in the browser of all the client machines. By doing this, the users won’t get security warning messages when their traffic is being decrypted.

or

• Follow the steps below to import a subordinate CA certificate from your organization’s Certificate Authority. (This assumes your organization has already deployed a PKI infrastructure.)

Note that if you have an HA pair, you can copy certificates from the first device to the second device via the High Availability widget on the Dashboard of the GUI.

Steps to generate and import a certificate from Microsoft Certificate Server

1. On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA” [3]. Download the cert.

2. Once the certificate is downloaded, it will need to be exported from the local certificate store. In IE7, this is accomplished by accessing the Internet Options dialog, selecting the Content tab and pressing the Certificates button. The new certificate should be in the Personal certificate store and can then be exported from there. The export button will invoke the “Certificate Export Wizard”. Select to export the private key and then select the format. You will be prompted to supply a passphrase and a file name/ location for the resulting file. The certificate will be in a PFX format (PKCS #12).

3. To extract the certificate, use this OpenSSL [4] command:

openssl pkcs12 -in pfxfilename.pfx -out cert.pem -nokeys

4. To extract the key, use this openSSL command:

openssl pkcs12 -in pfxfilename.pfx -out keyfile.pem -nocerts

5. Import the cert.pem file and keyfile.pem file into the PA firewall on the Device tab -> Certificates screen.

6. If you have an HA pair, also load these files onto the second PA firewall, or copy the certificate and key via the High Availability widget on the dashboard.

[3] The certificate loaded on the firewall MUST be of type “subordinate CA”, as the firewall needs the ability to issue certificates on the fly for each outbound SSL connection.

[4] OpenSSL can be run on Unix operating systems, and can be found as part of the Cygwin package for Windows systems.

Step 3: Configure SSL decryption rules

Here are some suggestions for configuring SSL decryption rules:

Do not decrypt known-good SSL connections, such as connections between internal users and internal servers.

Do not decrypt the following URL categories, as users may consider this to be an invasion of privacy:

o Financial services

o Health-and-medicine

o Shopping

Do not decrypt URL category “unknown”, as it includes many non-HTTP applications, some of which will not correctly SSL decrypt.

Do not decrypt URL category “computer-and-internet info”, as it includes the Windows Update service, which requires specific server certificates from Microsoft. (As an alternative, you can create a rule that does not decrypt traffic to the IP addresses of the Microsoft Update servers.)

Do not decrypt applications where the server requires client-side certificates.

Be precise in your source and target zones; do not use “any”.

You should implement rules in a phased approach. Start with very specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device (refer to Appendix A for those commands). You want to make sure you do not exceed the maximum number of concurrent SSL decrypted sessions that is supported on a device. Over time, you can add additional decryption rules.

Here is an example outbound rulebase that follows the above suggestions:

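The following is an added example, not the rulebase screenshot from the original document and not PAN-OS configuration syntax: a small Python model of first-match evaluation over a decryption rulebase built from the suggestions above. The zone names, the destination address blocks standing in for the Microsoft Update servers and for a server that requires client certificates, and the sample sessions are all constructed placeholders. It shows why the exemptions must sit above the single decrypt rule, why a session from a zone the rules do not name is left encrypted, and includes an audit that flags “any” zones and no-decrypt rules placed below a decrypt rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Session:
    """The fields of an SSL session that this model matches on (constructed)."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    url_category: str


@dataclass
class Rule:
    name: str
    action: str                               # "decrypt" or "no-decrypt"
    from_zones: List[str]                     # "any" is allowed but flagged by audit()
    to_zones: List[str]
    categories: Optional[List[str]] = None    # None: match any URL category
    dst_networks: Optional[List[str]] = None  # None: match any destination

    def matches(self, s: Session) -> bool:
        if "any" not in self.from_zones and s.src_zone not in self.from_zones:
            return False
        if "any" not in self.to_zones and s.dst_zone not in self.to_zones:
            return False
        if self.categories is not None and s.url_category not in self.categories:
            return False
        if self.dst_networks is not None:
            ip = ip_address(s.dst_ip)
            if not any(ip in ip_network(n) for n in self.dst_networks):
                return False
        return True


PRIVACY_CATEGORIES = ["financial-services", "health-and-medicine", "shopping"]
PROBLEM_CATEGORIES = ["unknown", "computer-and-internet-info"]

# Constructed rulebase: every exemption sits above the single decrypt rule, so a
# session that matches an exemption never reaches it. The address blocks are
# placeholders, not the real Microsoft Update addresses.
RULEBASE = [
    Rule("no-decrypt-internal", "no-decrypt", ["trust"], ["dmz"]),
    Rule("no-decrypt-privacy", "no-decrypt", ["trust"], ["untrust"],
         categories=PRIVACY_CATEGORIES),
    Rule("no-decrypt-problem-cats", "no-decrypt", ["trust"], ["untrust"],
         categories=PROBLEM_CATEGORIES),
    Rule("no-decrypt-ms-update", "no-decrypt", ["trust"], ["untrust"],
         dst_networks=["203.0.113.0/24"]),
    Rule("no-decrypt-client-cert-apps", "no-decrypt", ["trust"], ["untrust"],
         dst_networks=["198.51.100.200/32"]),
    Rule("decrypt-web", "decrypt", ["trust"], ["untrust"]),
]


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[Optional[str], str]:
    """First-match evaluation. A session no rule matches is passed through
    encrypted, which is also what the device does once its session limit is hit."""
    for rule in rulebase:
        if rule.matches(s):
            return rule.name, rule.action
    return None, "no-decrypt"


def audit(rulebase: List[Rule]) -> List[str]:
    """Flag rules that go against the suggestions above: zones set to "any", and
    no-decrypt rules placed below a decrypt rule, where they may be shadowed."""
    findings = []
    seen_decrypt = False
    for rule in rulebase:
        if "any" in rule.from_zones or "any" in rule.to_zones:
            findings.append(f"{rule.name}: uses zone 'any'; name the zones explicitly")
        if rule.action == "decrypt":
            seen_decrypt = True
        elif seen_decrypt:
            findings.append(f"{rule.name}: no-decrypt rule below a decrypt rule; check for shadowing")
    return findings


if __name__ == "__main__":
    samples = [
        Session("trust", "dmz", "10.0.5.20", "business-and-economy"),
        Session("trust", "untrust", "198.51.100.7", "financial-services"),
        Session("trust", "untrust", "198.51.100.8", "unknown"),
        Session("trust", "untrust", "203.0.113.10", "business-and-economy"),
        Session("trust", "untrust", "198.51.100.9", "web-based-email"),
        Session("guest", "untrust", "198.51.100.9", "web-based-email"),
    ]
    for s in samples:
        print(s.src_zone, "->", s.dst_zone, s.url_category, evaluate(RULEBASE, s))
    for finding in audit(RULEBASE):
        print("audit:", finding)
```

The last sample session comes from a “guest” zone that no rule names, so it is passed through encrypted rather than silently decrypted; that is the effect of keeping zones explicit instead of “any”, and it is also how you add zones one at a time during the phased rollout described above.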

Step 4: Enable SSL decryption notification web page (optional)

1. The user can be notified that their SSL connection is going to be decrypted using the response page found on the Device tab -> Response Pages screen.


Enable this feature if you choose. This page can be exported, edited via an html editor, and imported to give company-specific information. Here is an example of the default page:


Step 5: Testing

To test outbound decryption:

1. Make sure that on your outbound policy, you are alerting for any viruses found. Also enable packet capture on that anti-virus security profile. Commit any changes you made.

2. On a PC internal to the firewall, go to www.eicar.org. In the top-right hand corner, you will see:


Click on “anti-malware testfile”. In the screen that appears, scroll down to the bottom.

3. Download the eicar test virus using http. Any of the 4 files shown here will be detected.


4. Go to the Monitor tab -> Threat log, and look for the log message that detects the eicar file.


5. Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured.


6. Also click on the magnifying glass in the far left column.


Scroll to the bottom, and look for the field “SSL Decryption.” You will see that the session was not decrypted:


7. Now that you have proven that your policy will detect viruses in unencrypted traffic, you will now try detecting the virus in encrypted traffic. Go back to the www.eicar.org downloads page. This time use SSL to download the test virus.


If you get a certificate error, you can still proceed with downloading the file.

8. Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. You will see a log message that shows Eicar was detected in web browsing on port 443.


You can also view the packet capture by clicking on the green down arrow.

9. To the left of that log entry, click on the magnifying glass. Scroll to the bottom, and look for the field “SSL Decrypted”. The value should say “yes”.


Therefore, the virus was successfully detected in an SSL-encrypted session.

10. To test the “no-decrypt” rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/testasite.aspx and enter various URLs that you believe fall into those categories.

11. Once you have found some web sites that are classified into categories that will NOT be decrypted, use a browser to go to those sites using https. You should not see a certificate error when you go to those sites. The web pages will be displayed properly. If you look at the traffic logs, the sessions will show application SSL going over port 443, as expected.
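Steps 7 to 11 check from the firewall’s logs whether a session was decrypted. The same fact is visible from the client side, because a decrypted session presents a certificate issued by the firewall’s CA, while a session that matched a no-decrypt rule presents the site’s real certificate. The following is an added example, not part of the original document: a Python check that classifies a session by the issuer of the certificate the client received. The CA common name is a constructed placeholder for whatever name you gave the firewall’s certificate in Step 2, and the `probe` function needs network access and a CA file that contains the firewall’s certificate (the same one the document installs in browsers).

```python
import socket
import ssl
from typing import Iterable, Optional

# Constructed: the CN of the CA certificate loaded on the firewall in Step 2.
DECRYPT_CA_CNS = {"pa-forward-proxy-ca"}


def issuer_common_name(peercert: dict) -> str:
    """Extract the issuer CN from the dict SSLSocket.getpeercert() returns; the
    issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(peercert: dict, decrypt_ca_cns: Iterable[str] = DECRYPT_CA_CNS) -> str:
    """'decrypted' if the firewall's CA signed what the client sees, else 'not decrypted'."""
    cn = issuer_common_name(peercert).lower()
    return "decrypted" if cn in {c.lower() for c in decrypt_ca_cns} else "not decrypted"


def probe(host: str, port: int = 443, cafile: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Connect to host and classify the session. The firewall CA must be in cafile
    (or the system store); otherwise verification fails and the peer certificate
    is not exposed. A verification failure is reported rather than bypassed: it
    is what you see when the "untrusted" CA path described above is taken."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return f"certificate not trusted: {exc.reason}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.eicar.org"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(host, probe(host, cafile=cafile))
```

Run it once against a site in a category that is decrypted and once against a site in one of the exempted categories from step 11: the first should report “decrypted” and the second “not decrypted”, matching the “SSL Decrypted” field in the firewall’s logs.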

To test inbound decryption:

1. Examine the traffic logs that are dated PRIOR to when you enabled SSL inbound decryption on the firewall. Look at traffic targeted towards your internal servers. In those logs, the application detected should be “ssl”, going over port 443.

2. From a machine outside of your network, connect via SSL to a server in your DMZ. There will be no certificate errors, as the connection is not being proxied, just inspected.

3. Examine the logs for this inbound connection. The applications will not be “ssl”, but the actual applications found inside the SSL tunnel. You can click on the magnifying glass icon in those log entries to confirm that the connections were decrypted.


Appendix A

Helpful CLI Commands

To see how many existing SSL decryption sessions are going through the device at this moment:

debug dataplane pool statistics | match Proxy

Here is output from a PA-2050 where the first command shows 1024 available sessions, and the output of the second command shows there are 5 SSL sessions being decrypted (1024–1019=5):


The following is the maximum number of concurrent SSL decrypted sessions in PANOS 3.1.0 (both directions combined):

o PA500: 1024 sessions

o PA2020: 1024 sessions

o PA2050: 1024 sessions

o PA4020: 7936 sessions

o PA4050: 23,808 sessions

o PA4060: 23,808 sessions

If the limit is reached, all new SSL sessions go through as undecrypted SSL. To drop any new SSL sessions beyond the session limit of the device:

set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check if there are any sessions hitting the limit of the device:

show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificate:


To view SSL decryption settings:
