PCNSE Study Notes

Decryption Concepts

  • Encrypted traffic is growing every year
  • PAN firewalls can decrypt SSHv2 and SSL/TLS traffic, both inbound and outbound
  • SSL Establishment includes:
    • Client – requests SSL connection
    • Server – sends server public cert
    • Client – Verifies Cert
    • Client – sends encrypted session key
    • Server – begins encrypted communications session
  • PFS (Perfect Forward Secrecy) refers to negotiating a fresh session key each time an SSL session is first established or is re-established and rekeyed
  • The FW can act as an Outbound SSL Proxy:
    • A client initiates a session to an external server
    • The FW intercepts the connection, decrypts it, applies any security policies, re-encrypts the traffic and sends to the external server
  • The FW can perform Inbound SSL decryption (does not act as a proxy, just decrypts and inspects)
    • The internal server’s certificate and private key need to be added to the PAN firewall for this to function properly
  • The FW can perform SSHv2 Proxy for both inbound and outbound SSH traffic
    • If SSH Tunneling of another application is found, the session is blocked to prevent apps from bypassing firewall rules.
  • Public Key Infrastructure (PKI) solves issue of secure identification of public keys
    • Uses digital certificates to verify public key owners (x.509 format)
    • Typical PKI components include:
      • Root CA: Provides a service that confirms the identity and public keys of people and companies.
      • Intermediate CA: Certified by a Root CA; issues certificates. Maintains a database used to issue and revoke certificates and to store CSRs.
      • Device: Holds its own certificate and private key. Devices maintain a list of trusted CAs, which can be updated by admins or by system updates.
    • The certificate chain starts with the device certificate and ends with the Root CA. As long as a Root CA is present in the chain, the certificate can be checked as valid (or revoked).
    • Certificate hashes can be validated to confirm that the certificate has not been intercepted and altered.
  • Firewalls use certificates for many purposes:
    • SSL/TLS
    • MGT Interface User Auth
    • GlobalProtect: Portal Auth, Gateway Auth, Mobile Security Manager Auth
    • Captive Portal User Auth
    • IPSec VPN IKE Auth
    • HA Auth
    • Secure Syslog Auth
  • All Certificates in a chain must be checked and validated before an SSL session is permitted
  • Checking a Certificate includes:
    • Is the signature valid
    • Is the date range valid
    • Is it intact / not malformed?
    • Has the certificate been revoked?
      • CRL (certificate revocation list) has a list of revoked certificates
      • OCSP (online cert status protocol) can check revocation status
      • Certs can be revoked because: the private key was compromised, the hostname/username changed, or a counterfeit key was found
  • A certificate signing request (CSR) is generated by the device and is used by a certificate issuing authority to generate the device certificate. The private key generated with the CSR never leaves the device.
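As an added example that is not part of the original notes, the following script builds the three-tier chain described above (root CA, intermediate CA, device) with openssl, shows the CSR flow in which the device key never leaves the device, and then runs the certificate checks listed above: signature, date range, structure, chain to a trusted root, and revocation via a CRL. All names are constructed; it assumes openssl 1.0.2 or later is installed.

```shell
#!/bin/sh
# Added example, not from the notes: build root CA -> intermediate CA -> device
# with openssl, then run the checks the notes list (signature, dates, structure,
# chain, revocation via CRL). All names are constructed; openssl >= 1.0.2 assumed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# Root CA: self-signed. CA:TRUE lets it sign other certificates; cRLSign lets it issue CRLs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA"
q openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt

# Intermediate CA: its CSR is certified by the root; it will issue the device certificate.
q openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA"
q openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 180 -extfile ca.ext -out inter.crt

# Device: key pair and CSR are generated locally; only device.csr goes to the
# intermediate for signing, so device.key never leaves the device.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > dev.ext
q openssl req -new -newkey rsa:2048 -nodes -keyout device.key -out device.csr -subj "/CN=www.example.test"
q openssl x509 -req -in device.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 -extfile dev.ext -out device.crt

# Revocation: the intermediate's database records the revoked device cert and publishes a CRL.
printf '[ca]\ndefault_ca=local\n[local]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
: > index.txt
q openssl ca -config ca.cnf -cert inter.crt -keyfile inter.key -revoke device.crt
q openssl ca -config ca.cnf -cert inter.crt -keyfile inter.key -gencrl -crldays 30 -out inter.crl

# check_device: succeeds only if device.crt is well formed, within its validity dates,
# and chains through inter.crt to the trusted root with valid signatures.
# Extra arguments (-attime, -crl_check, ...) are passed straight to openssl verify.
check_device() { openssl verify -CAfile root.crt -untrusted inter.crt "$@" device.crt >/dev/null 2>&1; }
FUTURE=$(( $(date +%s) + 60 * 86400 ))   # 60 days out: the 30-day device cert has expired by then

check_device && echo "full chain present:      valid"
openssl verify -CAfile root.crt device.crt >/dev/null 2>&1 || echo "intermediate missing:    chain incomplete"
check_device -attime "$FUTURE" || echo "checked 60 days out:     expired"
check_device -crl_check -CRLfile inter.crl || echo "checked against the CRL: revoked"
```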

Certificate Management

  • Certificates are managed under Device > Certificate Management > Certificates
    • Operations supported include:
      • Generate CSRs
      • View Certificates
      • Modify Certificate Use
      • Import/Export Certificates
      • Delete Certificates
      • Revoke Certificates
    • Different certificates have different features
      • A signing certificate is required for SSL Forward Proxy and GlobalProtect
    • There are three methods of getting a certificate onto the FW
      • Generate a self-signed CA Certificate from the FW
      • Generate a CA Cert using CSR
      • Import a CA Certificate
  • The FW will sort the certificates in a hierarchy in order of the CA chain, root to intermediate to device.

SSL Forward Proxy Decryption

  • SSL Forward Proxy decryption is used to intercept and decrypt SSL sessions in order to inspect the traffic for malicious content
  • Steps in this process are:
    • Client sends request to external server through firewall
    • Firewall intercepts the SSL request
    • Firewall then contacts the external server and sends that server the FW cert
    • External server responds with its server certificate; firewall validates certificate
    • The SSL session is then established between the server and the firewall
    • The firewall then sends a copy of the remote server cert, signed with the FW SSL certificate
    • The client validates the certificates and the session continues
  • The firewall signs the certificate sent to the client with its forward trust certificate if the external server's certificate is signed by a CA the firewall trusts. If the server's certificate is not signed by a CA the FW knows/trusts, the FW instead sends back its forward untrust certificate, and the client's browser shows an untrusted-certificate warning page.
  • To configure Forward Proxy: (see PAN Docs for more details and instructions)
    • Configure a Forward Trust Certificate
    • Configure a Forward Untrust Certificate
      • Generate a new cert on the FW; the cert should not be trusted by SSL clients but must be able to sign other server certs.
      • Do not copy an existing CA cert; this cert should be untrusted and unknown to any CA.
      • Select ‘CA’ checkbox on this cert
      • Configure as forward untrust cert in properties
    • Configure SSL Forward Proxy
      • Under Policies > Decryption (be sure to know what traffic is protected by local/state/national laws and cannot be decrypted).
    • A decryption profile allows checks on both decrypted traffic and traffic excluded from decryption
      • Allows blocking of sessions that use unsupported protocols or cipher suites, or that require SSL client authentication.
      • Block sessions based on certificate status: revoked, unknown, expired, etc
      • After creating a profile, it can be applied to a decryption policy.
      • A default profile is provided that can be used/cloned/modified.
      • Security rules for the decrypted traffic will need to be present. For example, if the decrypted traffic is web-browsing, Google Docs, or another encrypted application, security policies allowing that traffic must exist, or the traffic will be dropped because it matches no FW rule.
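As an added example that is not part of the original notes, the following script models the certificate step of the SSL Forward Proxy flow above: a stand-in "firewall" validates the origin server's certificate against the CA it trusts, then issues its own copy of that certificate (same subject and SAN, but the firewall's own key) signed by the Forward Trust CA, or by the Forward Untrust CA when validation fails, and a managed client that trusts only the public root and the Forward Trust CA checks the result. All CA and host names are constructed; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the notes: model the SSL Forward Proxy certificate step.
# The "firewall" validates the origin server's certificate against the CA it trusts,
# then issues its own copy (same subject and SAN, but the firewall's key) signed by
# the Forward Trust CA, or by the Forward Untrust CA when validation fails.
# All names are constructed; openssl is assumed to be installed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
mkca() {  # $1 = file stem, $2 = CN: a self-signed CA certificate
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
  q openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile ca.ext -out "$1.crt"
}
mkca public_root "Public Root CA"         # trusted by the firewall and by clients
mkca fwd_trust   "FW Forward Trust CA"    # pushed to the clients' trust store
mkca fwd_untrust "FW Forward Untrust CA"  # deliberately trusted by nobody
mkleaf() {  # $1 = file stem, $2 = hostname: key + CSR for an origin server
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
}
mkleaf good good.example.test   # issued by the public root: the firewall trusts it
q openssl x509 -req -in good.csr -CA public_root.crt -CAkey public_root.key -CAcreateserial -days 30 -extfile good.ext -out good.crt
mkleaf bad bad.example.test     # self-signed: no CA the firewall knows
q openssl x509 -req -in bad.csr -signkey bad.key -days 30 -extfile bad.ext -out bad.crt
q openssl genrsa -out fw.key 2048   # the firewall's own key, reused in every proxied cert
cat public_root.crt fwd_trust.crt > client_trust.pem   # what a managed client trusts

# resign STEM: write STEM.proxy.crt as the firewall would and print which CA signed it.
resign() {
  if openssl verify -CAfile public_root.crt "$1.crt" >/dev/null 2>&1; then ca=fwd_trust; else ca=fwd_untrust; fi
  cn=$(openssl x509 -in "$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  san=$(openssl x509 -in "$1.crt" -noout -text | awk '/Subject Alternative Name/{getline; gsub(/ /,""); print}')
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" > "$1.proxy.ext"
  q openssl req -new -key fw.key -subj "/$cn" -out "$1.proxy.csr"
  q openssl x509 -req -in "$1.proxy.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial -days 30 -extfile "$1.proxy.ext" -out "$1.proxy.crt"
  echo "$ca"
}
# client_accepts STEM: does the client's trust store accept the proxied certificate?
client_accepts() { openssl verify -CAfile client_trust.pem "$1.proxy.crt" >/dev/null 2>&1; }

echo "good.example.test signed by $(resign good)"; client_accepts good && echo "  client: trusted"
echo "bad.example.test signed by $(resign bad)";   client_accepts bad || echo "  client: untrusted warning"
```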

SSL Inbound Inspection

  • The FW can inspect inbound SSL traffic
  • The internal server’s cert and private key must be loaded on the firewall.
  • The firewall decrypts and reads the traffic, then forwards the original encrypted traffic to the server
    • Note that the traffic will be forwarded only if it is not blocked/dropped by a security policy on the firewall.
  • To create an SSL inbound inspection policy:
    • Import the server certificate and private key into the firewall (PEM and PKCS12 formats supported)
    • Create a decryption policy under Policies > Decryption > Add – under Options, select ‘Decrypt’
    • (Optional) Create a decryption profile that can be added to the decryption policy

Other Decryption Topics

  • Some applications may not work with SSL Forward Proxy
    • Applications with client-side certs
    • Non-RFC compliant apps
    • Servers using unsupported cryptographic settings
  • If an application fails, the site is added to the excluded cache list for 12 hours
  • Decryption Exclusions are apps that decryption is known to break
    • The prepopulated list is under Device > Certificate Management > SSL Decryption Exclusion
    • Custom domains can be added to this list, and wildcards are supported.
  • If the decryption policy action is ‘no-decrypt’, the profile attached to the rule can still check for expired or untrusted certificates; this is configured under the ‘No Decryption’ tab in the profile.
  • Decryption Mirroring can mirror decrypted traffic to a capture device for DLP and/or network forensics
    • Requires a (free) license to activate; contact TAC support for the license key. The key is perpetual and does not need renewal.
    • Only available on the PA-3000, PA-5000 and PA-7000 series firewalls.
  • A Hardware Security Module (HSM) is hardware key storage that provides additional security features (FIPS)
    • PA-3000, PA-5000, PA-7000, and PA-VM series; Panorama VM, and M100e
  • The traffic log can be used to determine whether traffic is being decrypted by the firewall
    • This can also be done by setting a log filter of Flags, Has, SSL Proxy.
  • Troubleshooting SSL sessions
    • Using the log filter ‘session end reason’ ‘equal’ ‘decrypt error’, you can see which sessions are not being decrypted.
