Today’s discussion
Gartner predicts that more than 50% of network attacks, both inbound and outbound, will use encrypted TLS flows.
Google will label websites that are not TLS encrypted as unsafe from July 2018.
PCI compliance mandates TLS 1.1 or higher, with a preference for TLS 1.2; June 2018 sunsets all pre-TLS 1.2 specs.
Takeaway: within the next 2-3 years almost all traffic will be encrypted.
However, this includes the hackers' traffic as well!
10/4/2018
Without the ability to inspect encrypted traffic during 2017, the average organization would have missed more than 900 file-based attacks hidden by TLS/SSL encryption. (2018 SONICWALL CYBER THREAT REPORT)
HTTP is Dead…
1991 - 2018
Layers 1 to 7
Diagram labels: URL Filtering, Anti-Malware, Clear, Encrypt.
SSL Forward Proxy flow (step 1, the client's initial request, is not on the page):
2. NGFW intercepts the request and establishes a session using its own certificate in place of the server's.
3. NGFW initiates an SSL/TLS handshake with the server on behalf of the client, using the admin-defined SSL/TLS certificate.
4. Server completes the handshake and builds a secure tunnel between itself and the NGFW.
5. NGFW decrypts and inspects all traffic coming from or going to the client for encrypted threats.
6. NGFW re-encrypts safe traffic and sends it along to the client, and blocks encrypted threats.
Digital Certificate
• Common fields:
• Subject (Common Name, ...)
• User Identifier
• Public key
• Expiry Date
• Issuer: CA identifier
• Digital signature
• Key Usage
• Extension(s)
Diagram: INTERNET, external threats, internal threats (Junos 15.1X49 D80).
• HealthCare: HIPAA, HITECH, Meaningful Use. These are all regulations that will apply to that firewall if you are decrypting ALL data.
TLS Proxy
For heavy TLS traffic, consider a design where the TLS Proxy is offloaded to another device acting exclusively as TLS Proxy.
Diagram: TRUST and UNTRUST zones; ICAP request and ICAP response between the firewall and an ICAP server hosting DLP, DRM and threat prevention services.
ICAP (Internet Content Adaptation Protocol) servers: with proper design, your NGFW can also act as TLS Proxy and interwork with other security appliances, eliminating the need for a dedicated TLS Proxy.
Diagram: PAC file, sandbox, SSL, DLP, web filter; aggregation firewall, flow management, SSL email inspection, client-side load balancers, SSL tunnel, log files, perimeter firewalls. Size matters.
Always Be Prepared…
• Ensure you size the appliance for doing decryption of SSL/TLS traffic! Right tool for the job… Look up a few models… F-150, F-250, F-350.
• Certificate Pinning is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Certificate pinning allows the client to decide whether or not to send traffic based on whether it trusts the server certificate. Apps such as DropBox use it.
• SSL Proxy is "Deep Packet Inspection", where the payload in packets is scanned against signatures referenced by security services such as IPS/IDS, AV-Gateway, URL/Web Filtering, Anti-Spyware, Application Awareness, Bot prevention, ATP…
• In order for the SSL inspection appliance to decrypt and re-encrypt the content before it is sent back to the end users, it must be able to issue SSL certificates on the fly.
• SSL Forward Proxy is an administratively sanctioned MitM (Man in the Middle) attack, which allows the firewall to inspect the traffic payload regardless of the SSL/TLS characteristics of the traffic in question.
• SSL Proxy is not protocol-specific. It can be used to allow JunOS security services to inspect several encrypted protocols such as SMTPS, LDAPS, HTTPS, FTPS, etc. SSL FP works independently of the port numbers used. Everything uses SSL…
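The forward-proxy flow above (the NGFW issuing a certificate for the server name on the fly from its admin-defined CA) and the certificate pinning point interact directly: a pinned client still validates the proxy's chain, because the proxy CA has been pushed to the endpoint trust store, but rejects the session because the proxy's key is not the one it pinned. The following is an added Go example, not code from the deck or from Juniper; the CA names and "example.com" are constructed, and both CAs and leaves are generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for name: parent == nil yields a self-signed CA, otherwise
// parent/parentKey is the issuing CA (for the proxied leaf, the NGFW's admin-defined CA).
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, BasicConstraintsValid: true,
	}
	if parent == nil { // CA: self-signed and permitted to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}
// spkiPin is what a pinning client stores: SHA-256 of the leaf's SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// pinnedVerify mimics a pinning client: chain must validate AND the SPKI hash must be pinned.
func pinnedVerify(leaf *x509.Certificate, roots *x509.CertPool, pins map[[32]byte]bool) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]})
	return err == nil, pins[spkiPin(leaf)]
}
// Demo: the endpoint trusts the public CA and the admin-pushed NGFW CA, but pinned only the real key.
func Demo() (realChain, realPin, proxyChain, proxyPin bool) {
	publicCA, publicCAKey := issue("Public Root CA", nil, nil) // constructed CA names
	proxyCA, proxyCAKey := issue("Corp NGFW Forward Proxy CA", nil, nil)
	realLeaf, _ := issue("example.com", publicCA, publicCAKey)
	proxyLeaf, _ := issue("example.com", proxyCA, proxyCAKey) // same name, proxy's own key
	roots := x509.NewCertPool(); roots.AddCert(publicCA); roots.AddCert(proxyCA)
	pins := map[[32]byte]bool{spkiPin(realLeaf): true}
	realChain, realPin = pinnedVerify(realLeaf, roots, pins)
	proxyChain, proxyPin = pinnedVerify(proxyLeaf, roots, pins)
	return
}
```

Demo returns chain=true/pin=true for the genuine leaf and chain=true/pin=false for the proxy-issued leaf, which is why pinned apps have to be exempted from decryption rather than trusted to accept the proxy CA.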
Thank you
Diagram: Internet; campus edge with a Multi Services Gateway Firewall at HQ or campus, wireless APs and an L2 switch; branch offices with branch office devices behind a branch firewall to the Internet.