11

SSL/TLS Decryption

Importance of Decryption

  • Secures network communication

    • Hashes - data integrity

    • Certificates - authentication

  • Prevents malware introduction and data exfiltration

We should decrypt network traffic - most web traffic is encrypted

Decrypting it gives the firewall visibility into that traffic

SSL/TLS Operation Review

Certificate Management

  • Follows PKI

  • Uses digital certificates to verify and prove who owns a public key

Chain of Trust

The device trusts the intermediate CA, and the intermediate CA is in turn trusted because it is signed by the Root CA

Certificate Creation Overview

  1. Self-signed (the firewall generates a certificate, which is then imported into the browser of the client device)

  2. CA-signed certificate

    1. The CA creates a certificate and public/private key pair

      1. Import this certificate and key pair into the firewall

    2. The firewall generates a CSR and public/private key pair, exported as a CSR file

      1. The CSR file is given to the CA for signing and is returned with the CA's signature

      2. This signed file is then imported into the firewall

Self-signed certificate

  • Free, no need to pay

  • Browser does not initially trust the certificate

CA-signed certificate

  • Relies on a CA

  • Client browser will directly trust the certificate

Certificate Signing Request

  1. The device creates a public/private key pair

  2. The device signs information about its identity with its private key (proving it holds the key)

  3. It sends the signed information and the public key to the CA

  4. The CA returns a signed certificate

Certificate Checking and Revocation

  • Can be done using the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL)

Firewall Decryption Types

  1. SSL Forward Proxy (Outbound)

    1. Process:

      1. The SSL client initiates an SSL handshake

      2. The firewall intercepts the handshake request and issues its own handshake request to the server

      3. The SSL server responds with its certificate (signed by a CA that both the SSL server and the firewall trust, which lets the firewall use that CA to validate the certificate and the identity of the server)

      4. The firewall copies the server certificate, substitutes its own public key, and signs the copy with its forward trust certificate

      5. The SSL client validates the firewall's identity using the forward trust certificate, which is signed by a CA common to both the firewall and the SSL client

      6. If the firewall cannot verify the server certificate, it signs the copied server certificate with a forward untrust certificate instead, to inform the SSL client that the SSL server certificate could not be verified

      7. In this case, the SSL client sees a block page warning that the website it is trying to connect to is not trusted by the firewall acting as the SSL proxy

  2. SSL Inbound Inspection

    1. This process is only possible when the firewall has access to the certificate and private key of the SSL server

    2. Requires:

      1. Both the SSL server and the SSL client to have a common CA, so the SSL client can validate the server's identity

      2. The server's private key and certificate to be imported into the firewall

    3. Process:

      1. The SSL client initiates an SSL handshake

      2. The SSL server responds with its certificate

      3. The SSL client uses the common CA to validate the certificate and the server's identity

      4. The firewall does not proxy the connection between client and server, but it uses the SSL server's certificate and private key to decrypt and inspect the data flowing between them

  3. SSH Decryption

    1. This uses both forward proxy and inbound inspection
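To make the forward proxy steps 3, 4 and 6 concrete, here is an added example (not code from the original notes or from any firewall vendor) that models them with the Python `cryptography` library: a constructed "Public Root CA" issues the origin server's certificate, the firewall validates it, copies its subject onto a certificate carrying the firewall's own key, and signs that copy with either the forward trust or the forward untrust CA. The CA names, hostname and the `signed_by` chain check are assumptions made for the example; only the forward trust CA is installed in the simulated client's store, which is why a forward untrust signature produces the warning described in step 7.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _issue(subject, issuer, pubkey, signing_key, ca=False):
    # Build and sign a certificate (used for the CAs, the origin server and the firewall's copy).
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def make_ca(name):
    key = rsa.generate_private_key(65537, 2048)
    cn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return key, _issue(cn, cn, key.public_key(), key, ca=True)

def signed_by(cert, ca_cert):
    # The check a client (or the firewall in step 3) performs: issuer matches and the CA key verifies the signature.
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def forward_proxy_reissue(server_cert, trust_ca, untrust_ca, verified):
    # Steps 4 and 6: keep the server's subject, swap in a firewall-held key, sign with forward trust or forward untrust.
    ca_key, ca_cert = trust_ca if verified else untrust_ca
    fw_key = rsa.generate_private_key(65537, 2048)
    return _issue(server_cert.subject, ca_cert.subject, fw_key.public_key(), ca_key)

def demo():
    public_ca = make_ca("Public Root CA")          # constructed CA trusted by the firewall
    trust_ca = make_ca("FW Forward Trust CA")      # constructed CA pushed to managed clients
    untrust_ca = make_ca("FW Forward Untrust CA")  # constructed CA deliberately installed nowhere
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    server_cert = _issue(subj, public_ca[1].subject,
                         rsa.generate_private_key(65537, 2048).public_key(), public_ca[0])
    verified = signed_by(server_cert, public_ca[1])                           # step 3
    good = forward_proxy_reissue(server_cert, trust_ca, untrust_ca, verified)  # step 4
    bad = forward_proxy_reissue(server_cert, trust_ca, untrust_ca, False)      # step 6
    return {"origin_valid": verified,
            "identity_kept": good.subject == server_cert.subject,
            "issuer_seen_by_client": good.issuer.rfc4514_string(),
            "trusted": signed_by(good, trust_ca[1]),            # client holds the forward trust CA
            "untrusted_warns": not signed_by(bad, trust_ca[1])}  # untrust CA unknown, browser warns
```

A client that inspects the issuer of the certificate it receives (here `CN=FW Forward Trust CA` rather than the public CA) can tell that the session is being decrypted by the proxy, which is the usual way to confirm a decryption policy is in effect.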

Decryption Profile

  • Provides more granular controls

  • Applied on decrypted traffic

Decryption Exclusion

Device > Certificate Management > SSL Decryption Exclusion

SSH Decryption

  • Breaks into 2 sessions

Network Packet Broker

  • Replaces Decryption Broker

  • Identifies non-decrypted TLS, decrypted TLS and non-TLS traffic and can forward that traffic to a third-party tool for analysis
