USING DECRYPTION TO BLOCK THREATS IN ENCRYPTED TRAFFIC
SSL/TLS review
Importance of SSL/TLS
Why Decrypt Network Traffic?
SSL decryption on the firewall helps to prevent the introduction of malware (inbound traffic) and data exfiltration (outbound traffic).
Create Decryption policy rules to decrypt traffic, preventing malicious encrypted content from entering your network and sensitive content from leaving your network concealed as encrypted traffic. A Palo Alto Networks firewall can decrypt SSHv2 and SSL/TLS inbound and outbound network traffic.
SSL/TLS Operation Review
Firewall Decryption Types
The firewall provides three types of Decryption policy rules:
- SSL Forward Proxy to control outbound SSL traffic
- SSL Inbound Inspection to control inbound SSL traffic
- SSH Proxy to control tunnelled SSH traffic
SSL decryption (both forward proxy and inbound inspection) requires certificates to establish the ...
SSH decryption does not require certificates.
>>Certificate management
Public Key Infrastructure (PKI)
Root CA -- certifies --> Intermediate CA -- certifies --> Device
Palo Alto Networks firewalls support X.509 format certificates. A public key infrastructure solves the problem of verifying the identity of a public key owner. A PKI certificate authority (CA) provides services that authenticate devices, services, and people by issuing the certificates that confirm their identity and public key. The list of trusted CAs can be updated by a user or by a device software update.
Certificate Chain of Trust
Root CA -- trusts --> Intermediate CA -- trusts --> Device
Certificate Management in the Web Interface
Device > Certificate Management > Certificates
Certificate Hierarchy
Certificate Creation Overview
Generate a Self-Signed Certificate
Device > Certificate Management > Certificates > Add
Import a CA Certificate
Certificate Signing Request (CSR)
Generate a CSR for the CA Signed Certificate
Certificate Checking and Revocation
Configuring SSL Decryption Certificate Revocation Checking
Device > Setup > Session > Certificate Revocation Checking
>>SSL/TLS decryption
SSL Forward Proxy Review
The SSL client and the firewall must have access to a common CA for the client to validate the identity of the firewall.
Two SSL tunnels have been established: one between the client and the firewall, and another between the firewall and the server. The firewall acts as an SSL proxy between the client and server and can decrypt and inspect data flowing between the client and server.
Forward Trust and Forward Untrust Certificates
As a trusted third party, the firewall uses its forward trust or forward untrust certificate to inform the SSL client whether the firewall has verified the validity of the web server's certificate.
Configure a Forward Trust Certificate
Device > Certificate Management > Certificates
Configure a Forward Untrust Certificate
Device > Certificate Management > Certificates
Renew an SSL Forward Untrust Certificate
Device > Certificate Management > Certificates
Configure SSL Forward Proxy Decryption Policy
Policies > Decryption
Not all traffic should be decrypted. Some traffic cannot legally be decrypted, depending on local laws and regulations concerning health records, financial records, and other privacy concerns.
Forward Proxy Decryption Profile
Objects > Decryption > Decryption Profile
Create the Corresponding Security Policy Rules
Policies > Security
SSL Inbound Inspection Review
Deploy the certificates that SSL uses to confirm an endpoint's identity. The SSL server and client must share a common CA for the client to be able to validate the server's identity. For inbound inspection, import the server's private key and certificate into the firewall.
Import Server Certificate and Private Key
Device > Certificate Management > Certificates > Import
Configure an SSL Inbound Inspection Policy
Policies > Decryption > Add
The firewall enforces the Decryption Profile settings on traffic matched to the Decryption policy rule.
Ensure that you also create a Security policy rule that allows the encrypted traffic to pass through the firewall.
Configure an Inbound Inspection Decryption Profile
Objects > Decryption > Decryption Profile > Add
A Decryption Profile enables the firewall to perform checks on decrypted traffic and on traffic that you have excluded from decryption. You should block sessions that use unsupported versions or cipher suites.
Decryption Exclusions
Device > Certificate Management > SSL Decryption Exclusion
Decryption exclusions prevent the firewall from attempting to decrypt traffic to specific websites.
No Decryption
Policies > Decryption
and Objects > Decryption Profile > Add
Use a No Decryption profile to block sessions with expired or untrusted certificates.
SSL Decryption Troubleshooting
Monitor > Logs > Decryption
and ACC > SSL Activity
Troubleshoot SSL Session Terminations
Monitor > Logs > Traffic
Session End Reason values related to decryption:
- decrypt-cert-validation
- decrypt-unsupport-param
- decrypt-error
Decryption in the Traffic Log
Monitor > Logs > Traffic
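As an added example, not part of the course notes: a small Python script that tallies the decryption-related Session End Reason values from an exported Traffic log, so that repeated terminations against one destination stand out. The CSV column names and the log rows are constructed for illustration; a real export has many more columns, which is why fields are selected by header name.

```python
import csv
import io
from collections import Counter
# Constructed sample of an exported Traffic log; column names are assumed for
# illustration (a real export has many more columns), so fields are read by header name.
SAMPLE_TRAFFIC_LOG = """\
Receive Time,Source address,Destination address,Application,Session End Reason,Decrypted
2024/01/10 10:00:01,10.1.1.20,203.0.113.10,ssl,decrypt-cert-validation,no
2024/01/10 10:00:05,10.1.1.21,203.0.113.10,ssl,decrypt-cert-validation,no
2024/01/10 10:00:09,10.1.1.22,198.51.100.7,ssl,decrypt-unsupport-param,no
2024/01/10 10:00:12,10.1.1.20,192.0.2.44,web-browsing,tcp-fin,yes
2024/01/10 10:00:15,10.1.1.23,198.51.100.7,ssl,decrypt-error,no
2024/01/10 10:00:20,10.1.1.24,192.0.2.44,web-browsing,tcp-rst-from-client,yes
"""

# Session End Reason values that mean the firewall ended the session because
# of a Decryption Profile block, paired with the setting to review first.
DECRYPT_END_REASONS = {
    "decrypt-cert-validation": "server certificate failed the profile's certificate checks (e.g. expired or untrusted issuer)",
    "decrypt-unsupport-param": "unsupported protocol version or cipher suite; review the profile's protocol settings",
    "decrypt-error": "other decryption failure; review the Decryption log for details",
}

def parse_traffic_log(text):
    """Read a CSV Traffic log export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))

def decrypt_terminations(rows):
    """Count decryption-related terminations per (reason, destination)."""
    counts = Counter()
    for row in rows:
        reason = row["Session End Reason"]
        if reason in DECRYPT_END_REASONS:
            counts[(reason, row["Destination address"])] += 1
    return counts

def decryption_summary(rows):
    """Totals: all sessions, sessions decrypted, sessions blocked by decryption."""
    return {
        "total": len(rows),
        "decrypted": sum(r["Decrypted"] == "yes" for r in rows),
        "decrypt_terminated": sum(r["Session End Reason"] in DECRYPT_END_REASONS for r in rows),
    }

if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    print(decryption_summary(rows))
    for (reason, dst), n in decrypt_terminations(rows).most_common():
        print(f"{n:3d}  {dst:15s} {reason}: {DECRYPT_END_REASONS[reason]}")
```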
>>SSH decryption
SSH Decryption
... in encrypted SSH tunnels. SSH tunnels are a common way to subvert firewalls and breach security policies. SSH does not require digital certificates, as SSL does. The firewall can decrypt, inspect, and re-encrypt inbound and outbound SSHv2 connections passing through the firewall. With SSH Proxy, separate SSH sessions are created between the client and the firewall, and between the firewall and the server.
SSH Traffic and the Security Policy
Policies > Security > Add
>> Other decryption methods and features
Reasons to Not Configure SSL Decryption
Decryption is not a good choice when it is not allowed by local laws or company policy governing personal, financial, medical, government, and military information.
Decryption Port Mirroring
The decryption port mirroring feature enables a firewall to forward packet captures of decrypted traffic to a traffic collection tool, such as NetWitness or Solera, for archiving and analysis. It is intended for organizations that require comprehensive data capture for forensic and historical purposes or to enhance data loss prevention functionality.
Network Packet Broker
In PAN-OS 10.1, the Network Packet Broker feature replaces the Decryption Broker.
Hardware Security Modules (HSMs)
An HSM is a physical device that generates, stores, and manages digital keys. It provides logical and physical
1. Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.)
a. malware introduction
b. denial of service attacks
c. sensitive data exfiltration
d. protocol based attacks
2. True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.
a. true
b. false
3. Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?
a. SSH decryption
b. SSH tunnel decryption
c. SSL Forward Proxy decryption
d. SSL Inbound Inspection decryption
4. True or false? The SSL forward untrust certificate should not be trusted by the client but should still be a CA certificate.
a. true
b. false
1. Which feature can be configured to block sessions that the firewall cannot decrypt?
a. Decryption profile in security policy NO
b. Decryption profile in security profile <--NO
c. Decryption profile in decryption policy
d. Decryption profile in PBF
2. What is the default setting for "Action" in a decryption policy rule?
a. Any NO
b. None
c. Decrypt <--NO
d. No-decrypt
3. Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server?
a. SSL Forward Proxy
b. SSH
c. SSL Inbound Inspection <--NO
d. SSL Outbound Inspection NO
4. When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing?
a. Encryption-ID
b. Content-ID
c. App-ID
d. User-ID
5. Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers?
a. SSL Forward Proxy
b. SSL Inbound Inspection
c. SSL Outbound Inspection
d. SSH
6. True. In the Next Generation Firewall, even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.
7. Which two types of activities does SSL/TLS decryption on the firewall help to block?
If you choose an incorrect choice, your question score will be deducted.
a. denial-of-service attacks NO
b. malware introduction YES
c. protocol-based attacks
d. sensitive data exfiltration <--
8. false? If OCSP and CRL are configured on a firewall, CRL is consulted first.
9. Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?
a. SSL Inbound Inspection Decryption
b. SSH Decryption
c. SSH Tunnel Decryption
d. SSL Forward Proxy Decryption