
10/4/2018

SRX – NGFW SSL Proxy


Jeff Bird, Senior Security Specialist
Aug 2018

Today's discussion

• Market Trends – Business Need…
• TLS Proxy on NGFW
• TLS Proxy Deployment Modes
• Best Practices
• Summary

Market Trend – Business Need…

Gartner predicts that more than 50% of network attacks, both inbound and outbound, will use encrypted TLS flows.

Google Chrome labels websites that are not TLS encrypted as "Not secure" from July 2018.¹

PCI DSS mandates TLS 1.1 or higher, with TLS 1.2 preferred; after 30 June 2018 SSL and early TLS (TLS 1.0) may no longer be used as a security control.

Takeaway: Within the next 2‐3 years almost all traffic will be encrypted.
That includes the attackers' traffic as well!


ENCRYPTED ATTACKS ASCEND TO RECORD HIGHS

Without the ability to inspect encrypted traffic during 2017, the average
organization would have missed more than 900 file-based attacks
hidden by TLS/SSL encryption. (2018 SONICWALL CYBER THREAT REPORT)

Logically, the use of encrypted cyberattacks also is increasing dramatically.


There were 1.4 million encrypted attacks globally in 2018, a 275% year-to-
date increase over 2017. (2018 SONICWALL CYBER THREAT REPORT)

HTTPS is everywhere… Source: https://letsencrypt.org/stats/

HTTPS is everywhere… Source: https://transparencyreport.google.com/https/overview


SSL/TLS Goals: Securing Internet Communication

• Confidentiality: encryption of data in transit
• Authentication: validates that you are talking to the right service
• Integrity: data has not been altered in transit (protects PII)

All this goodness is now widely used on the Internet!


HTTP is Dead…
1991 - 2018

What uses SSL/TLS? EVERYTHING!

• HTTPS – Hypertext Transfer Protocol Secure (port 443)
• FTPS – File Transfer Protocol Secure (port 21 with AUTH TLS; ports 990 control and 989 data for implicit TLS)
• LDAPS – Lightweight Directory Access Protocol Secure (port 636)
• SMTPS – Simple Mail Transfer Protocol Secure (port 465; STARTTLS also upgrades ports 25 and 587)
• POPS – Post Office Protocol Secure (port 995)
• IMAPS – Internet Message Access Protocol Secure (port 993)
• NNTPS – Network News Transfer Protocol Secure (port 563)
• TelnetS – Telnet Secure (port 992)
• IRCS – Internet Relay Chat Secure (port 6697)

NGFW working at the application layer (Layers 1 to 7)

• Analyze the Layer 7 payload
  – No matter what ports are used
• Detect protocols:
  – HTTP, SSL/TLS, FTP, SMTP…
• Detect extended applications:
  – YouTube, LinkedIn, Facebook chat…
• Detect evasive applications:
  – Skype, BitTorrent…

For a TLS flow, only the handshake (SNI, server certificate) is visible without decryption; identifying what runs inside the tunnel needs the SSL proxy.


NGFW & HTTPS Traffic – Just a TLS session…

[Figure: TRUST – stateful firewall with ATP sandbox, application visibility and control, IPS, URL filtering and anti-malware – UNTRUST. Clear-text flows pass through these services; encrypted flows reach them opaque unless decrypted first.]

Don't make your endpoint protection the Alamo

• ~200 Texan militia defenders
• ~2000 Mexican Army invaders
• 13 day siege
• Did not end well for the defenders…
• What other state was a country?

Decrypt & Inspect Encrypted Traffic

1. Client initiates an SSL/TLS handshake with the server.
2. NGFW intercepts the ClientHello and completes the client-side handshake with a certificate it issues on the fly for the requested server name, signed by the admin-defined proxy CA, in place of the server's own certificate.
3. NGFW initiates its own SSL/TLS handshake with the server on behalf of the client, validating the server's certificate against its trusted-CA list.
4. Server completes the handshake, building a secure tunnel between itself and the NGFW.
5. NGFW decrypts and inspects all traffic coming from or going to the client for encrypted threats.
6. NGFW re-encrypts safe traffic and sends it along to the client, and blocks encrypted threats.
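Steps 2 and 3 above hinge on one capability: the proxy must mint a certificate for whatever server name the client asked for, and the client must trust the CA that signed it. The Go program below is an added example (not Juniper code and not from this deck) that builds a proxy CA, forges a leaf certificate for a server name the way the NGFW does in step 2, and shows which clients accept it: one with the proxy CA installed, one with only a public root, and one that checks an SPKI pin (the situation behind the "Certificate Pinning" bullet later in the deck). Every CA name, host name and pin in it is constructed; the "public" CA is a local stand-in for a real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// CA is a private certificate authority: the NGFW's inspection CA in step 2,
// and in this demo also a stand-in for the public CA that signed the origin.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA. The name is a constructed example.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// MintLeaf issues a server certificate for host signed by this CA: what the NGFW
// does on the fly in step 2 once the ClientHello names the server. A real proxy
// also copies SANs and validity from the origin certificate seen in step 4.
func (ca *CA) MintLeaf(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ClientAccepts reports whether a client whose trust store holds exactly the given
// roots accepts cert for host (the browser's check in step 2). No roots: nothing is trusted.
func ClientAccepts(cert *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a pinning
// client compares. The forged cert carries the proxy's key, so the pin never matches.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	proxy, _ := NewCA("Example Corp NGFW Inspection CA") // constructed
	public, _ := NewCA("Example Public Root CA")          // constructed stand-in
	forged, _, _ := proxy.MintLeaf("www.example.com")
	origin, _, _ := public.MintLeaf("www.example.com")
	fmt.Println("managed client (proxy CA installed):", ClientAccepts(forged, "www.example.com", proxy.Cert))
	fmt.Println("unmanaged client (public roots only):", ClientAccepts(forged, "www.example.com", public.Cert))
	fmt.Println("forged pin equals origin pin:", SPKIPin(forged) == SPKIPin(origin))
}
```

The second and third results are the operational lessons of the deck: a client that never received the proxy CA (a guest laptop, an unmanaged BYOD phone) gets a certificate error on every intercepted site, and a pinned application fails no matter how well the CA was deployed, so both need a bypass rule rather than a bigger rollout.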


Digital Certificate
• Common fields:
  • Subject (Common Name, Subject Alternative Names…)
  • Serial number (unique within the issuing CA)
  • Public key
  • Validity period (not before / expiry date)
  • Issuer: CA identifier
  • Digital signature of the issuer
  • Key Usage
  • Extension(s)

• Digital certificate = an identity and a public key, bound together by the Certificate Authority's signature

• ITU-T X.509 standard (profiled for the Internet in RFC 5280)

The Art & Science of CA

It's Your Job… (getting the proxy CA certificate trusted by every client you inspect)
• Deploy the free, self-signed CA certificate generated on the firewall
• Deploy it via AD (Group Policy)
• Landing page for BYOD users
• Buy certs (a publicly trusted CA will not issue an interception sub-CA; use a subordinate CA from your own internal PKI)
• MDM for mobile devices
• Use MDM-pushed certs

[Figure: BYOD landing-page mock-up with a "CLICK HERE" button for installing the certificate]


Topology Overview – Man in the Middle (MitM) $$

• An HTTPS (TLS/SSL) session through a NGFW with decryption enabled
• Data in the clear can have NGFW services applied

NGFW SRX Security Features – http/https – See All Traffic!

[Figure: INTERNET – external threats – SRX – internal threats]

• Enhanced Web Filtering – blocks access to unapproved sites; real-time threat score for each URL
• Anti-Malware – stops known and unknown viruses, file-based trojans, and the spread of spyware, adware and keyloggers
• IPS – IDP detects and stops worms, trojans, exploits, shellcode and scans
• User Role Firewall – UserID tied to firewall policies; allows UserID to apply to all L7 security
• AppSecure – application-level visibility and classification; application security policies tied to user roles
• SSL Proxy – inspects encrypted traffic

Selective SSL Proxy Based on URL Category (Junos 15.1X49-D80)

Use case: for legal compliance or to achieve optimal corporate policy.

Configure a whitelist to bypass certain domain names, IP addresses, or SSL URL categories, for example banks, medical, legal, government…

The bypass decision is taken before the handshake completes, from the destination address and the server name in the ClientHello (SNI) or the server certificate, so categorisation applies to the host name rather than the full URL.
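To make the timing of that decision concrete, here is an added Go example (not Juniper code and not from this deck) of a bypass policy evaluated at the only moment the proxy can evaluate it: after the ClientHello has been read and before any certificate is forged. It peeks the SNI from a genuine crypto/tls ClientHello over an in-memory pipe, then applies a whitelist of parent domains, destination prefixes and categories. The domains, prefixes and the category lookup are constructed; on the SRX the category would come from Enhanced Web Filtering, not from the hypothetical map used here.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// BypassPolicy is the whitelist the slide describes: domain names (a parent
// domain also matches its subdomains), destination prefixes and URL categories.
// Categorize is a hypothetical hook standing in for the web-filtering lookup.
type BypassPolicy struct {
	Domains    []string
	Prefixes   []netip.Prefix
	Categories map[string]bool
	Categorize func(host string) string
}

// Decide returns "bypass" (leave the flow encrypted) or "decrypt". At this point
// the proxy has only the SNI and the destination address, never the URL, so
// categories are evaluated on the host name.
func (p BypassPolicy) Decide(sni, dstIP string) string {
	host := strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, d := range p.Domains {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return "bypass"
		}
	}
	if addr, err := netip.ParseAddr(dstIP); err == nil {
		for _, pfx := range p.Prefixes {
			if pfx.Contains(addr) {
				return "bypass"
			}
		}
	}
	if host != "" && p.Categorize != nil && p.Categories[p.Categorize(host)] {
		return "bypass"
	}
	return "decrypt"
}

// PeekSNI parses the ClientHello on raw and returns its server name without
// completing the handshake: GetConfigForClient sees the parsed hello and aborts
// on purpose. A real proxy keeps the bytes it consumed so it can replay them to
// the origin when the flow is bypassed; that replay is omitted here.
func PeekSNI(raw net.Conn) (string, error) {
	var sni string
	errPeek := errors.New("peek only")
	srv := tls.Server(raw, &tls.Config{
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			sni = hi.ServerName
			return nil, errPeek
		},
	})
	err := srv.Handshake()
	if sni == "" {
		return "", fmt.Errorf("no SNI in ClientHello: %w", err)
	}
	return sni, nil
}

// SNIOfClientHello drives a real crypto/tls client over an in-memory pipe so the
// demo has a genuine ClientHello to peek at (constructed traffic, fully offline).
func SNIOfClientHello(serverName string) (string, error) {
	clientEnd, proxyEnd := net.Pipe()
	go func() {
		c := tls.Client(clientEnd, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake() // fails once the proxy aborts; only the ClientHello matters
		clientEnd.Close()
	}()
	defer proxyEnd.Close()
	return PeekSNI(proxyEnd)
}

// ExamplePolicy is a constructed whitelist: one bank domain, one documentation
// prefix, and two categories served by a hypothetical lookup.
func ExamplePolicy() BypassPolicy {
	return BypassPolicy{
		Domains:    []string{"bank.example"},
		Prefixes:   []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")},
		Categories: map[string]bool{"Health": true, "Financial": true},
		Categorize: func(host string) string {
			return map[string]string{"clinic.example": "Health"}[host] // hypothetical
		},
	}
}

func main() {
	sni, err := SNIOfClientHello("online.bank.example")
	if err != nil {
		panic(err)
	}
	p := ExamplePolicy()
	fmt.Println(sni, "->", p.Decide(sni, "203.0.113.9"))                          // bypass: domain
	fmt.Println("clinic.example ->", p.Decide("clinic.example", "203.0.113.9"))   // bypass: category
	fmt.Println("www.example.com ->", p.Decide("www.example.com", "198.51.100.7")) // bypass: prefix
	fmt.Println("www.example.com ->", p.Decide("www.example.com", "203.0.113.9"))  // decrypt
}
```

Two caveats the code makes visible: a client that omits SNI (some legacy or deliberately evasive software) can only be matched by address or by the name in the server's certificate, and a parent-domain match is a suffix match on a label boundary, so "notbank.example" is still decrypted when "bank.example" is whitelisted.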


Think before doing – With great power…

• Banking and Financial
  • PCI and other financial compliance regimes will apply to the firewall in ways most teams are not used to: SOX, GLBA, and now GDPR, in force since 25 May 2018 for the European Union

• Healthcare
  • HIPAA, HITECH, Meaningful Use. These regulations all become requirements on that firewall if you are decrypting ALL data

• The Big Question:
  • If you are inspecting it… are you ready to be questioned in a legal forum about what you are scanning and why?

Compliance – the fun never ends…

• GLBA
• HIPAA
• SOX
• GDPR
• Industry specific…

In 2018 all of them ask for YOUR plan for inspecting SSL traffic!

BTW, HTTPS renders ATP less useful too…

• Files and web links arriving over HTTPS connections are NOT inspected by sandbox solutions either unless something decrypts them first – so much for Advanced Threat Protection
• 70% of all Internet traffic is HTTPS today (2018)
• According to NIST, 99%+ of all Internet traffic will be HTTPS by 2024


Offload TLS Proxy to another device (Out of Band)

[Figure: TRUST – NGFW redirects traffic to a dedicated TLS proxy based on policy – UNTRUST]

For heavy TLS traffic, consider a design where the TLS proxy is offloaded to another device acting exclusively as TLS proxy.

Scrubbing Encrypted Traffic via an ICAP service

[Figure: TRUST – TLS proxy – UNTRUST; the proxy sends an ICAP request to an ICAP server hosting DLP, DRM and threat-prevention services and acts on the ICAP response]

ICAP is the Internet Content Adaptation Protocol (RFC 3507): the TLS proxy hands each decrypted HTTP request or response to an ICAP server, which returns it unchanged (204), modified, or replaced with a block response.
With proper design, your NGFW can also act as TLS proxy and interwork with other security appliances over ICAP, eliminating the need for a dedicated TLS proxy.
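The exchange between the TLS proxy and the ICAP server, as an added Go example (not Juniper code and not from this deck): the proxy frames a decrypted upload as an ICAP REQMOD request, computing the Encapsulated offsets and chunked body RFC 3507 requires, and then turns the ICAP status line of the reply into a forwarding decision. The HTTP request, the ICAP URI and the two server replies are constructed; which of them a real DLP server would send depends on its policy.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// BuildREQMOD frames an already-decrypted HTTP request as an ICAP REQMOD request
// (RFC 3507). httpHeaders holds the request line and headers without the blank
// line; body may be empty. Encapsulated carries byte offsets into the encapsulated
// section, and a body is sent HTTP-chunked, as the RFC requires.
func BuildREQMOD(icapURI, icapHost string, httpHeaders []string, body []byte) []byte {
	hdr := strings.Join(httpHeaders, "\r\n") + "\r\n\r\n"
	enc := fmt.Sprintf("req-hdr=0, req-body=%d", len(hdr))
	if len(body) == 0 {
		enc = fmt.Sprintf("req-hdr=0, null-body=%d", len(hdr))
	}
	var b bytes.Buffer
	fmt.Fprintf(&b, "REQMOD %s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\nEncapsulated: %s\r\n\r\n", icapURI, icapHost, enc)
	b.WriteString(hdr)
	if len(body) > 0 {
		fmt.Fprintf(&b, "%x\r\n%s\r\n0\r\n\r\n", len(body), body)
	}
	return b.Bytes()
}

// parseHeaders reads header lines up to the blank line; keys are lower-cased.
func parseHeaders(r *bufio.Reader) map[string]string {
	h := map[string]string{}
	for {
		line, _ := r.ReadString('\n')
		line = strings.TrimRight(line, "\r\n")
		if line == "" {
			return h
		}
		if k, v, ok := strings.Cut(line, ":"); ok {
			h[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
}

// ParseEncapsulated turns "req-hdr=0, req-body=68" into a name -> offset map.
func ParseEncapsulated(v string) map[string]int {
	enc := map[string]int{}
	for _, f := range strings.Split(v, ",") {
		name, off, ok := strings.Cut(strings.TrimSpace(f), "=")
		if n, err := strconv.Atoi(off); ok && err == nil {
			enc[name] = n
		}
	}
	return enc
}

// EncapsulatedOf returns the Encapsulated offsets of an ICAP request or response.
func EncapsulatedOf(msg []byte) map[string]int {
	r := bufio.NewReader(bytes.NewReader(msg))
	r.ReadString('\n') // skip the request or status line
	return ParseEncapsulated(parseHeaders(r)["encapsulated"])
}

// ParseICAPStatus returns the status code of an ICAP response.
func ParseICAPStatus(resp []byte) (int, error) {
	line, _ := bufio.NewReader(bytes.NewReader(resp)).ReadString('\n')
	f := strings.Fields(line)
	if len(f) < 2 || !strings.HasPrefix(f[0], "ICAP/") {
		return 0, fmt.Errorf("not an ICAP status line: %q", strings.TrimSpace(line))
	}
	return strconv.Atoi(f[1])
}

// Verdict maps an ICAP response to what the TLS proxy does with the flow.
func Verdict(resp []byte) string {
	status, err := ParseICAPStatus(resp)
	_, substituted := EncapsulatedOf(resp)["res-hdr"]
	switch {
	case err != nil:
		return "error" // malformed reply: fail open or fail closed is a policy choice
	case status == 204:
		return "allow" // 204 No Content: forward the original request unchanged
	case status == 200 && substituted:
		return "block" // server replaced the request with an HTTP response, e.g. a DLP block page
	case status == 200:
		return "forward-modified" // server returned an adapted request to send instead
	default:
		return "error" // 4xx/5xx from the ICAP server
	}
}

func main() {
	// Constructed: the decrypted upload the proxy saw, and two possible ICAP replies.
	req := BuildREQMOD("icap://icap.example.net/reqmod", "icap.example.net",
		[]string{"POST /upload HTTP/1.1", "Host: www.example.com", "Content-Length: 11"},
		[]byte("secret=1234"))
	fmt.Print(string(req))
	clean := []byte("ICAP/1.0 204 No Content\r\nISTag: \"dlp-1\"\r\nEncapsulated: null-body=0\r\n\r\n")
	blocked := []byte("ICAP/1.0 200 OK\r\nISTag: \"dlp-1\"\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n" +
		"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n7\r\nblocked\r\n0\r\n\r\n")
	fmt.Println(Verdict(clean), Verdict(blocked))
}
```

The point of sending "Allow: 204" is throughput: an ICAP server that may answer 204 returns a two-line reply for the overwhelming majority of clean requests instead of echoing the whole message back, which is what makes running several services on the same flow affordable.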

Comparison of TLS Proxy Deployment Modes

Mode                 Advantages
-------------------  ------------------------------------------------------------------
NGFW Proxy           No extra hardware required; no extra management required (KISS)
Out of Band Proxy    Visibility of the flow without disrupting the flow itself
ICAP Server          ICAP servers allow multiple services to be run on the same flow


Stop Tor – what the bad guys use

• Tor is an anonymity network; Tor Browser is the browser that uses it for anonymous, encrypted communication
• Tor is the gateway to the Dark Web
• It bounces traffic all over the world through more than 7000 relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis
• Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored
• Used by ransomware for command-and-control (C2) and payment/drop sites…

[Figure: numbered map of TLS inspection points across an enterprise – PAC file, sandbox, SSL decryption, DLP, web filter, aggregation firewall, flow management, e-mail inspection, client-side SSL tunnel, load balancers, log files, perimeter firewalls]

Size matters


How to size a NGFW for SSL forward proxy?

• Number of users? What kind of users – power users or office workers?
• How many SSL sessions per second can the different SRX models process? Lightbeam…
• WAN bandwidth? Today and tomorrow?
• WAN interfaces, firewall interfaces, HA & growth? 1G/10G/40G/100G ports
• What other NGFW features are turned on?
  • Application awareness
  • IDS/IPS
  • URL/web filtering
  • AV gateway
• VPNs – SSL & IPsec?
• Routing features running? NAT, BGP, OSPF… Using the firewall as a router…
• Err on the side of the larger NGFW model – an uptick or two in the firewall line…

Always Be Prepared…
• Ensure you size the appliance for decrypting SSL/TLS traffic! Right tool for the job… Look up a few models… F-150, F-250, F-350

• SSL/TLS certificates – it's your job…
  • Pushing certificates to endpoints (don't be afraid of third-party tools)
  • BYOD devices?
  • Do not use a built-in certificate unless it is the last resort

• Certificate pinning
  • A security mechanism that allows HTTPS websites and apps to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates
  • Certificate pinning lets the client decide whether or not to send traffic based on whether it trusts the specific server certificate or key, not merely the chain
  • Apps such as Dropbox
  • A pinned client will refuse the certificate the proxy forges, however well the proxy CA is deployed; bypass such destinations rather than trying to break the app

SSL Proxy Implementation – Final Thoughts

• SSL proxy enables "deep packet inspection", where the payload in packets is scanned against signatures referenced by security services such as IPS/IDS, AV gateway, URL/web filtering, anti-spyware, application awareness, bot prevention, ATP…

• In order for the SSL inspection appliance to decrypt and re-encrypt the content before it is sent back to the end users, it must be able to issue SSL certificates on the fly.

• SSL forward proxy is an administratively sanctioned MitM (Man in the Middle) attack, which allows the firewall to inspect the traffic payload regardless of the SSL/TLS characteristics of the traffic in question.

• SSL proxy is not protocol-specific. It can be used to allow Junos security services to inspect several encrypted protocols such as SMTPS, LDAPS, HTTPS, FTPS, etc. SSL forward proxy works independently of the port numbers used. Everything uses SSL…


Thank you

SRX5000 w/SPC3: campus & secure router use cases

[Figure: SRX5000 as Internet edge firewall and NGFW/ATP for the HQ or campus (wireless APs, L2 switch), as multi-services gateway, and as secure router / SD-WAN VPN hub for branch offices behind branch Internet firewalls]

SRX5000 w/SPC3 easily meets the needs of diverse deployments

Multi-services Gateway*
• 1G/10G/40G/100G interfaces
• Upgradeable performance
• Tunnels = 15K–70K

Feature rich services*
• Integrated security
• IPsec = 80–800Gbps
• SSL Proxy = 18–180Gbps

• SDSN – intent-based policy, Sky ATP & E2E policy

* high number: SRX5800 with 10 SPC3 cards; low number: SRX5000 w/1 SPC3 card

SRX5K-SPC3 performance projections (1/2)

Performance metric            Per card           Per SRX5800 chassis (10 SPC3 + 2 IOC4)*   Improvement over SPC2
----------------------------  -----------------  ----------------------------------------  ------------------------
IMIX Firewall                 160Gbps            1.4Tbps (9 SPC3 + 3 IOC4)                 11X
IMIX CGNAT                    160Gbps            1.4Tbps (9 SPC3 + 3 IOC4)                 11X
IMIX IPsec                    80Gbps             800Gbps                                   16X
Max IPsec tunnel size         6.8Gbps / tunnel   –                                         1X
Session count                 50M                500M                                      2X
FW CPS                        1M                 10M                                       5X
IPsec tunnels                 15K                70K                                       3X / card; 25% / system
IPsec TPS (mutual 2K certs)   40                 150                                       4X
IPS HTTP / enterprise mix     80/60Gbps          800/600Gbps                               6X
L4-L7 app FW                  80Gbps             800Gbps                                   3X

* Unless otherwise noted
