Controlling SSL Decryption. Overview. SSL Variability. Tech Note



Similar documents
The PA-4000 Series can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

REPORT & ENFORCE POLICY

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Safe internet for business use: Getting Started Guide

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

May Palo Alto Networks 232 E. Java Drive Sunnyvale, CA

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

Networking for Caribbean Development

AccessEnforcer. HTTPS web filter overview

Configuring PA Firewalls for a Layer 3 Deployment

Moving Beyond Proxies

Best Practices for Controlling Skype within the Enterprise > White Paper

Safe internet: Getting Started Guide

Still Using Proxies for URL Filtering? There s a Better Way

Applications erode the secure network How can malware be stopped?

Installation and configuration guide

The Secure Web Access Solution Includes:

Chapter 3 Restricting Access From Your Network

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Outlook Express POP Instructions - Bloomsburg University Students

Preparing for GO!Enterprise MDM On-Demand Service

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Installation and configuration guide

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

Secure Traffic Inspection

SSL Decryption Certificates

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Inspection of Encrypted HTTPS Traffic

Chapter 4 Restricting Access From Your Network

Secure Web Appliance. SSL Intercept

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Integrated SSL Scanning

INSTANT MESSAGING SECURITY

Lab Testing Summary Report

Click Studios. Passwordstate. Installation Instructions

What s Next for Network Security - Visibility is king! Gøran Tømte March 2013

Filter Avoidance and Anonymous Proxy Guard

Configuring Security for FTP Traffic

Network Security Topologies. Chapter 11

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Protect your internal users on the Internet with Secure Web Gateway. Richard Bible EMEA Security Solution Architect

GET IN NOW Step 2: Add Users

Owner of the content within this article is Written by Marc Grote

White Paper. Securing and Integrating File Transfers Over the Internet

Set Up a VM-Series Firewall on the Citrix SDX Server

HTTPS Inspection with Cisco CWS

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Deployment Guide for Microsoft Lync 2010

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

AXIGEN Mail Server. Quick Installation and Configuration Guide. Product version: 6.1 Document version: 1.0

WildFire Cloud File Analysis

How to Pop to Outlook

Installing and Configuring vcenter Multi-Hypervisor Manager

StarterPlus Mailbox Software Setup Guide

The Benefits of SSL Content Inspection ABSTRACT

Windows Mail POP Instructions - Bloomsburg University Students

74% 96 Action Items. Compliance

The Application Usage and Threat Report

Next-Generation Firewall Overview

SonicWALL PCI 1.1 Implementation Guide

Using Palo Alto Networks to Protect the Datacenter

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

Device Management. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Creating a User Profile for Outlook 2013

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Deployment Guide for Citrix XenDesktop

Deploying ACLs to Manage Network Security

Palo Alto Networks Gets Top Marks for Solving Bandwidth and Security Issues for School District

How to configure SSL proxying in Zorp 3 F5

How to set up popular firewalls to work with Web CEO

About the VM-Series Firewall

10 Cool Things Your Firewall Should Do. A firewall that blocks threats is only the beginning

Palo Alto Networks User-ID Services. Unified Visitor Management

Next-Generation Firewall Overview

Distributed Systems. 2. Application Layer

User-ID Configuration

Bentley CONNECT Dynamic Rights Management Service

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with the Zimbra Open Source and Collaboration Suite

Websense Web Security Gateway: What to do when a Web site does not load as expected

ResNet Guide. Information & Learning Services. Here to support your study and research

How To Protect A Web Application From Attack From A Trusted Environment

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Introduction to the AirWatch Browser Guide

How to Configure Captive Portal

Web Security Firewall Setup. Administrator Guide

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Application Note. Onsight Connect Network Requirements v6.3

Configuring Network Load Balancing with Cerberus FTP Server

WhatsUp Gold v16.3 Installation and Configuration Guide

Transcription:

Controlling Decryption Tech Note Overview Decryption is a key feature of the PA-4000 Series firewall. With it, -encrypted traffic is decrypted for visibility, control, and granular security. App-ID and the Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking Profiles are applied to decrypted traffic before being re-encrypted as traffic exits the device. End-to-end security between clients and servers is maintained while that PA-4000 Series acts as a trusted third party during the connection. No decrypted traffic leaves the device. A handful of networking vendors inspect encrypted HTTP traffic (HTTPS). Palo Alto Networks goes further by inspecting compliant traffic, no matter the protocol encapsulated by it. The figure below shows how encapsulates HTTP and IMAP traffic to give HTTPS and IMAP. Palo Alto Networks devices understand, and can unwrap the encapsulation to expose the underlying protocol and applications. HTTPS IMAP HTTP IMAP Variability Various applications and clients use encryption. When web servers communicate with web browsers via HTTPS, the highly conforms to the RFCs. Standardization is key to making sure services are available to anyone on the Internet with a web browser. Controlling Decryption Tech Note rev00c 1 2008 Palo Alto Networks

Best Candidates RFC...no RFC HTTP, FTP, IMAP, POP...Proprietary/Custom Protocol Web Browser, FTP Client, Email Client...Proprietary/Custom Client Instances to Avoid Decrypting That is not the case with other uses of or encryption, such as: Encrypted communications between a proprietary client/server application management consoles for networking equipment non-browser-based clients used for proprietary applications Evasive Applications Skype bittorrent VPNs Application that are not required to interoperate with off-the-shelf clients may deviate enough from the standard or typically available options such that they no longer works when decrypted with a PA-4000 Series firewall. Examples of deviations from the standards or common configurations options are: use of proprietary or nonstandard encryption methods client software coded to accept traffic from specific certificates (Windows Update) client software unable to add new trusted certificate authorities Applications use various degrees of for tunneling, privacy, and authentication. Unfortunately, some are not implemented to standards or use capabilities in the standards that are not compatible with Palo Alto Networks decryption capability. In addition, decryption cannot be used when servers require client certificates. When first implementing decryption we recommend a targeted approach to avoid breaking applications that do not successfully decrypted. Please note that the below recommendations are the starting point. More aggressive policies can be implemented once the base policy is in place and the full range of applications on the network known. When Decryption Is Not a Good Choice Server requires client certificates Non-standard implementations of used New certificate authorities can t be added to the client application Client software requires specific server certificates Controlling Decryption Tech Note rev00c 2 2008 Palo Alto Networks

URL Filtering and Decryption URLs are not visible unless traffic is decrypted. The Decryption Policy uses URL filtering to decide which traffic to decrypt or not decrypt. User or destination address can also be used for the decryption decision, but in practice the decision is made on the URL filtering category of the destination address. The destination IP address is compared since the URL is not visible. The graphic to the right depicts this relationship. Decrypted traffic can take full advantage of App-ID along with the Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking Profiles. The Security Policy uses the actual URLs * compare Destination IP address with URL filtering list within decrypted HTTPS requests against the URL Filtering Profile. URL filtering is an action in the Security Policy, instead of a match criteria as in the Decryption Policy. In the table below, note how URL filtering is used in a different capacity depending on the Rulebase. Rulebase Match By Action Profile Enforced Security IP Address/User/ URL filtering category of IP Destination Address IP address/user/app-id/service Decide to Decrypt* Decrypt No-Decrypt Allow Deny n/a URL Filtering Allows & Blocks As mentioned previously, some traffic may not decrypt successfully and should be avoided. Also, organizations may chose not to decrypt specific applications because they feel those destinations are trusted and pose less of a risk. traffic that is not decrypted renders the URL unreadable. In this case, the Security Policy checks the destination IP address against the URL filtering list to determine the correct Security Rulebase action. Setup App-ID Enforces Security Policy webbrowsing and other Allowed Time HTTP apps URL Filtering Profile Enforced n/a visit to Gambling websites blocked Controlling Decryption Tech Note rev00c 3 2008 Palo Alto Networks

Deciding Your Decryption Policy To determine your initial Rulebase, focus on the applications you want to control and the URL filtering categories those might be classified under. Answer the following: What applications to block? What URL filtering categories will those applications most likely be categorized in? Do not decrypt the URL categories unknown or infrastructure when first deploying your PA-4000 Series firewall. unknown includes many non-http applications, some of which will not correctly decrypt. infrastructure includes the Windows Update service, which requires specific server certificates from Microsoft. For an example, perhaps we want to control webmail, instant messages, and file transfers even when encrypted. To decrypt nearly all HTTPS traffic that contains these applications, the following categories should be set to decrypt in your Rulebase: 1. web-based-e-mail and chat Covers point-web-based applications like Meebo 2. search-engines Covers applications run by the big search engine companies like Google, Yahoo, Microsoft, and AOL 3. peer-to-peer Covers peer-to-peer sites as well as some of the file sharing sites like foldershare 4. downloads Includes many of the file sharing applications not captured by peer-to-peer, such as megaupload 5. personals-and-dating and games Covers many of the web 2.0 mashups like myspace and facebook that have mail, im, and file transfer capabilities 6. proxies-and-translators Covers many of the sites that are designed to tunnel other applications inside 7. computing-and-internet Covers several miscellaneous applications Controlling Decryption Tech Note rev00c 4 2008 Palo Alto Networks

Initial Decryption Policy Now that we have a list of URL filtering categories to target, we are ready to create our Decryption rulebase. To decrypt just the needed traffic, do the following: In the Policies Tab, select the Decryption option from the left hand menu Add in a rule from your Trust to your Untrust network In the rule just added, select any in the category column of the rule Select the previously determined categories from the left hand side of the list, then click Add Change the action of the rule to decrypt. Commit your policy At this point, the decrypted traffic will be checked against the Security Policy. The traffic can be controlled by App-ID or checked with the Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking Profiles with rules in the Security Policy. Advanced Decryption Policies The previous policy provides very good decryption coverage while minimizing tuning and customization of the decryption policy. To slowly make this policy more aggressive, start by monitoring the traffic logs for port 443. Create exception (do-not-decrypt) policies for trusted company applications that are running over. These would include applications like Salesforce.com, accounting software, or web conferencing tools. Once in place, add more categories to the decrypt list. Controlling Decryption Tech Note rev00c 5 2008 Palo Alto Networks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information