SSL Inspection Step-by-Step Guide. June 6, 2016


(1)

June 6, 2016

SSL Inspection

(2)

Eliminate blind spots of SSL encrypted communication to/from the enterprise

Maintaining the privacy of information and communications

Compliance and regulatory need for information disclosure

– Log all information access details (what, who, when and from where)

– Prevent unauthorized (source or destination) data communication

Prevent data leakage of business critical information

Prevent ingress of malware and advanced persistent threats

– through SSL encrypted channel

Monitor traffic to/from cloud applications and services

– Enforce the organization’s data privacy policies on cloud applications as well

(3)

Gain visibility on SSL traffic

• For inbound traffic, where the organization owns the SSL key

• For outbound traffic, where the organization doesn’t own the SSL key

Transparent traffic inspection

• Seamless implementation, eliminating any user client reconfiguration

• Enables traffic inspection of various profiles (not just SSL traffic on port 443)

Support more than one security solution

• Enable security services chaining (e.g. DLP, anti-malware, intrusion detection)

• Flexible security policies – per service, user profile etc.

• Minimal latency impact

Ensure high availability of connectivity

• Even when security solutions suffer from outages

Scalable solution

• Supporting security solution scalability as well

• Capable of supporting

(4)

Introducing Radware’s SSL Inspection Solution

[Diagram: WAN, Perimeter and LAN segments with Security Appliances (i.e. DLP) on the inspection path; a client facing SSL handshake (server emulation) on one side and a server facing SSL handshake (client emulation) on the other]

Transparently Intercept target data flows and decrypt SSL traffic

Steer traffic to security appliances

(5)

Transparent Proxy device

– One leg IPS deployment mode

– Usually used for application level protection

• Anti virus, anti bot, anti malware, WAF

– HTTPS traffic from client is decrypted and forwarded to VAS

– VAS configured in L3 for IPS analysis

No-MAC (bridge) device

– Two leg IPS deployment mode

– Usually used for network level protection

• Anti DDoS

– HTTPS traffic from client is decrypted and forwarded to VAS

– VAS is configured as transparent L2 (no IP connectivity from Alteon to VAS)

(6)

SSL inspection demo setup

Web Server

– VLAN 100, Alteon port 3

Client PC

– VLAN 101, Alteon port 5

VAS

– VLAN 111, Alteon port 8

Alteon v30.2.0 and up with SSL license activated

Note: For the Web server, use any web server you are comfortable with, serving HTTPS. To simulate the VAS, use any Linux based server with IP forwarding enabled.

SSL Inspection Lab Setup

(7)

1. Set IP interfaces and VLANs for Web server, Client and VAS

2. Set frontend and backend SSL policies

3. Set real server for VAS and assign to server group

4. Create filter “redirect” from client to VAS

5. Create filter “allow” from VAS to Server

6. Enable filters on client/server/VAS ports (port processing)

7. Create new certificate for SSL inspection

8. Load the certificate to the client’s browser trusted CA certificate

(8)

1. Set IP and VLAN for Interfaces

Configure IP address and VLAN for all interfaces

• Set Interfaces for Client, Server and VAS

• Set IP address for the interfaces

(9)

2. Frontend SSL Policy Configuration

2.1 Frontend SSL policy configuration

• Configure SSL policy for frontend SSL traffic from local clients to Alteon

(10)

2. Frontend SSL Policy Configuration

2.2 Disable backend SSL

(11)

2. Backend SSL Policy Configuration

2.3 Backend SSL policy configuration

• Configure SSL policy for Backend SSL traffic

(12)

2. Backend SSL Policy Configuration

2.4 Backend SSL policy configuration

• Configure the Backend SSL – this is the outbound traffic that needs to be re-encrypted after being inspected by the VAS

• Set Backend SSL Encryption to – Enable

(13)

3. Configure Real Server for VAS

3.1 Create Real Server

(14)

3. Configure Real Server for VAS

3.2 Create Real Server Group

(15)

4. Filter from Client to VAS

4.1 Create redirect filter from client to the VAS

Match Settings:

• This filter will detect any HTTPS traffic coming from the client on port 443 and redirect it to the VAS

• Create new filter

• Set Action – Redirect

• Set Protocol – TCP and Application HTTP

• Set destination parameters –

• IP address/Network – Any

• Mask – 0.0.0.0

(16)

4. Filter from Client to VAS

4.2 Action Setting

• Set Delayed Bind – Forceproxy

• Set Real Server Port – 80

• Set Return to Last Hop – Enable

• Set Reverse Session – Enable

(17)

4. Filter from Client to VAS

4.3 SSL settings

• Set SSL inspection – Enable

(18)

5. Filter from VAS to Web Server

5.1 Create filter from VAS to Web Server

Match Settings:

• This filter will detect the HTTP traffic coming from the VAS on port 80 and will encrypt it to be sent to the Web server as HTTPS

• Create new filter

• Set Action – Allow

• Set Protocol – TCP and Application HTTP

• Set destination parameters –

• IP address/Network – Any

• Mask – 0.0.0.0

(19)

5. Filter from VAS to Web Server

5.2 Action Setting

• Set Delayed Bind – Forceproxy

• Set Real Server Port – 443

(20)

5. Filter from VAS to Web Server

5.3 SSL settings

• SSL Inspection – Enable

(21)

6. Port Processing Configuration

Client Port Processing:

• Enable Filter/Outbound LLB

• Add the “Client to VAS” filter

VAS Port Processing:

• Enable Filter/Outbound LLB

• Add the “VAS to Server” filter

Server Port Processing:

• Enable Filter/Outbound LLB

(22)
(23)

7. New Certificate For Inspection

7.1 Create new certificate repository entry

For SSL inspection to operate, a CA certificate with a known private key is needed, such as a self-signed CA certificate generated on Alteon. It is used to sign the dummy certificates that are generated dynamically for inspected sites.

(24)

7. New Certificate For Inspection

7.2 Generate the certificate

(25)
(26)

7. New Certificate For Inspection

7.3 Set the SSL Inspection parameters

• Select the Key which was defined in the previous step

• Select the Signing CA Certificate which was defined in

(27)

8. Client Certificate Settings

8.1 Export certificate

Under SSL configuration

• Export the certificate to a file

(28)

8. Client Certificate Settings

8.2 Add certificate to client’s PC

Under Control Panel: Internet Options → Content → Certificates

Select Trusted Root Certification Authorities → Import

(29)

8. Client Certificate Settings

8.3 Upload certificate in FireFox

• Options → Advanced

• Certificates → View certificates

• Authorities → Import

(30)

Dummy VAS Configuration

In order for traffic to be forwarded to VAS and back to the server, a Linux based server can be used to simulate VAS.

Configure the Linux server to forward (simulating router functionality) all incoming traffic back to Alteon.

(31)

Check SSL Inspection

Connect to the web application

(32)

Check SSL Inspection

Open the secure connection info

(33)

Check SSL Inspection
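An added example (not from the Radware deck) that reproduces with openssl what step 7 describes and scripts the check in the "Check SSL Inspection" slides: a self-signed inspection CA whose private key is known, a per-site dummy certificate signed with it, and a classifier that reports whether a given certificate chains to that CA. The CA name and hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Radware deck: a self-signed inspection CA
# with a known private key (step 7), a per-site "dummy" certificate signed
# by it, and the client-side check from the "Check SSL Inspection" slides.
set -e
WORK=$(mktemp -d)
CA_SUBJ="/CN=Lab SSL Inspection CA"   # constructed CA name (assumption)
SITE="www.example.test"               # constructed origin hostname

# 7.2: generate the inspection CA. Its private key stays on the proxy;
# only the certificate is exported to clients (step 8).
make_inspection_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# What the proxy does per intercepted flow: mint a certificate carrying
# the origin's name and sign it with the inspection CA key.
make_dummy_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The "secure connection info" check, scripted: a certificate that chains
# to the inspection CA was minted by the proxy ("inspected"); one that does
# not chain to it reached the client untouched ("direct").
classify_cert() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo inspected
  else
    echo direct
  fi
}

make_inspection_ca
make_dummy_cert "$SITE"
openssl x509 -in "$WORK/$SITE.crt" -noout -issuer -subject
classify_cert "$WORK/$SITE.crt"
```

Against the lab, feed `classify_cert` the certificate the browser actually received, e.g. captured with `openssl s_client -connect <host>:443 -servername <host> </dev/null | openssl x509`, and it should print "inspected" when the redirect filter and SSL inspection are active.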

(34)
(35)

SSL inspection demo setup

Web Server

– VLAN 100, Alteon port 3

Client PC

– VLAN 101, Alteon port 5

VAS

– Ingress traffic – VLAN 222, Alteon port 7, IP: 3.3.3.3

– Egress traffic – VLAN 333, Alteon port 9, IP: 4.4.4.4

Alteon v30.2.0 and up with SSL license activated

SSL Inspection – IPS Mode

(36)

IP Interface for VAS Traffic

Set IP interface for VAS ingress traffic

In this deployment mode the user’s decrypted traffic is sent between two Alteon ports where the VAS is listening and inspects the traffic.

Need to set up “dummy” interfaces to pass the traffic

• Set interface ID

• Set IP address, mask and VLAN

(37)

Create Dummy Real Server for VAS traffic

• Create real server for ingress VAS traffic

(38)

Create Dummy Real Server for VAS traffic

• Create real server for egress VAS traffic

(39)

Create Real Server Group

• Create real server group

• Assign the ingress VAS real server created

(40)

Create new Health Check

• Create new logical expression health check based on ARP and Link to

(41)

Create Real Server Group

(42)

Add Static ARP

(43)

Port Processing Configuration

• Enable filter on Client port #5

• Select “client to VAS” filter which

(44)

Port Processing Configuration

(45)

Port Processing Configuration

(46)
