PNCSE Study Notes: Chapter 8: Decryption
Decryption
Decryption Concepts
Encrypted traffic is growing every year
PAN's can decrypt SSHv2 and SSL/TLS inbound and outbound traffic
SSL Establishment includes:
Client - requests SSL connection
Server - sends server public cert
Client - Verifies Cert
Client - sends encrypted session key
Server - begins encrypted communications session
When an SSL session is first established or needs to re-establish a session and rekey, this is known as PFS (Perfect Forward Secrecy)
The FW can act as an Outbound SSL Proxy:
A client initiates a session to an external server
The FW intercepts the connection, decrypts it, applies any security policies, re-encrypts the traffic and sends to the external server
The FW can perform Inbound SSL decryption (does not act as a proxy, just decrypts and inspects)
The internal server's certificate and private key need to be added to the PAN firewall for this to function properly
The FW can perform SSHv2 Proxy for both inbound and outbound SSH traffic
If SSH Tunneling of another application is found, the session is blocked to prevent apps from bypassing firewall rules.
Public Key Infrastructure (PKI) solves issue of secure identification of public keys
Uses digital certificates to verify public key owners (x.509 format)
Typical PKI components include:
Root CA: Provides service that confirm identity and public keys to people and companies.
Intermediate CA: Certified by a Root CA, and will issue certificates; has a DB that will issue, revoke certs and stores CSR's
Device has the certificate and private keys. They maintain a list of trusted CA's, and can be updated by admins or by system updates.
Certificate Chain starts with the device and ends with the Root CA. As long as there is a Root CA in the chain, the certificate can be checked as valid (or revoked).
Certificate Hashes can be validated to confirm that it hasn't been intercepted and altered.
Firewalls can use for many purposes:
SSL/TLS
MGT Interface User Auth
Global Protect: Portal Auth, Gateway Auth, Mobile Security Manager Auth
Captive Portal User Auth
IPSec VPN IKE Auth
HA Auth
Secure Syslog Auth
All Certificates in a chain must be checked and validated before an SSL session is permitted
Checking a Certificate includes:
Is the signature valid
Is the date range valid
is it intact/not malformed?
Has the certificate been revoked?
CRL (certificate revocation list) has a list of revoked certificates
OCSP (online cert status protocol) can check revocation status
Certs can be revoked for: Private key compromised, Hostname/username changed, counterfeit key found
Certificate signing request (CSR) is generated by the device. This is used by a certificate issuing authority to generate the device. The private key generated with this CSR never leaves the device.
Certificate Management
Devices are managed under Device > Certificate Management > Certificates
Operations supported include:
Generate CSR's
View Certificates
Modify Certificate Use
Import/Export Certificates
Delete Certificates
Revoke Certificates
Different certificates have different features
A signing certificate is required for SSL Forward Proxy and Global Protect
There are 3 methods of getting a certificate on the FW
Generate a self-signed CA Certificate from the FW
Generate a CA Cert using CSR
Import a CA Certificate
The FW will sort the certificates in a hierarchy in order of the CA chain, root to intermediate to device.
SSL Forward Proxy Decryption
An SSL Forward Proxy decryption is used to intercept and decrypt SSL session in order to inspect the traffic for nefarious contents
Steps in this process are:
Client sends request to external server through firewall
Firewall intercepts the SSL request
Firewall then contacts the external server and sends that server the FW cert
External server responds with its server certificate; firewall validates certificate
The SSL session is then established between the server and the firewall
The firewall then sends a copy of the remote server cert, signed with the FW SSL certificate
The client validates the certificates and the session continues
The firewall will sign the certificate sent to the client with its firewall trust cert if the external servers cert is signed by a CA it trusts. If it doesn't have a CA the FW knows/trusts, the FW will send back it's firewall untrust certificate, and the client is shown an untrusted warning page in their browser.
To configure Forward Proxy: (see PAN Docs for more details and instructions)
Configure a Forward Trust Certificate
Configure a Forward Untrust Certificate
Generate a new cert on FW; cert should not be trusted by SSL clients, but ability to sign other server certs.
Do not copy; this should be untrusted and unknown to any CA.
Select 'CA' checkbox on this cert
Configure as forward untrust cert in properties
Configure SSL Forward Proxy
Under Policies > Decryption (be sure to know what traffic is protected by local/state/national laws and cannot be decrypted).
A decryption profile allows check on both decrypted traffic and traffic excluded from decryption
Allows to block sessions unsupported protocols, cypher suites, or SSL client auth.
Block sessions based on certificate status: revoked, unknown, expired, etc
After creating a profile, it can be applied to a decryption policy.
A default profile is provided that can be used/cloned/modified.
Rules for the decrypted traffic will need to be present. For example, if traffic is web-browsing, google docs, or another encrypted application setting, security policies allowing that traffic must be present or the traffic will be dropped as matching no FW rules.
SSL Inbound Inspection
FW Can inspect inbound SSL traffic
The internal server's cert and private key must be loaded on the firewall.
The firewall will decrypt and read the traffic, and then forwards the original encrypted traffic to the server
Note that the traffic will be forwarded only if it is not blocked/dropped by a security policy on the firewall.
To create an SSL inbound inspection policy:
Import the server certificate and private key into the firewall (PEM and PKCS12 formats supported)
Create a decryption policy under Policies > Decryption > Add - under Options, select 'Decrypt'
(Optional) Create a decryption profile that can be added to the decryption policy
Other Decryption Topics
Some applications may not work with SSL Forward Proxy
Application with client-side certs
Non-RFC compliant apps
Servers using unsupported cryptographic settings
If an application fails, the site is added to the excluded cache list for 12 hours
Decryption Exclusion are apps that encryption is known to break
The prepopulated list is under Device > Certificate Management > SSL Decryption Exclusion
Custom domains can be added to this list, and wildcards are supported.
If the decryption policy is set to an action of 'no-decrypt', the profile attached to the rule can still check for expired or untrusted certificates. This can be done under 'No Decryption' tab in the profile.
Decryption Mirroring can mirror decrypted traffic to a capture device for DLP and/or network forensics
Requires a (free) licence to activate; contact TAC support to get the license key. Key is perpetual, does not need renewal.
Only available on the PA-3000, PA-5000 and PA-7000 series firewall.
Hardware Security Module (HSM) are a hardware storage for keys for additional security features (FIPS)
PA-3000, PA-5000, PA-7000, and PA-VM series; Panorama VM, and M100e
The traffic log can be used to determine if the traffic is being decrypted by the firewall
Also can be done by setting a log filter for Flags, Has, SSL Proxy.
Troubleshooting SSL sessions
Using the log filter to search for 'session end reason' 'equal' 'decrypt error', you can see what sessions are not being decrypted.
No comments:
Post a Comment