Understanding HTTPS to Decrypt it

Size: px

Start display at page:

Download "Understanding HTTPS to Decrypt it"

Moses Lang
5 years ago
Views:

2 Understanding HTTPS to Decrypt it James Everett

Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3.

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda Overview of HTTPS Understanding SSL handshake Working with SSL packet captures Building SSL Policy SSL Policy best practices Troubleshooting SSL in Firepower

Your Presenter James Everett Tech Lead for Firepower TAC 4+ Years of

6 This presentation will not cover Firepower Device Manager Firepower Configuration (excluding SSL) TCP stream (Handshakes ) Basic Wireshark usage Web server configurations 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Overview of HTTPS

12 Public Key Infrastructure Man in the middle on employees Trusted Certificates Company Certificate Authority CERT CERT CERT CERT CERT Cisco.com CERT Cisco.com CERT CERT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Public Key Infrastructure Man in the middle on guests Trusted Certificates Company Certificate Authority CERT CERT CERT CERT Cisco.com CERT Cisco.com CERT CERT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

16 Understanding SSL Handshake

Certificate Verify the badge ID Ciscolive.com Badge ID C1sc02018 Directory Snort.

Server Hello and Certificate Thinking security asymmetrically

27 Working with SSL packet captures

28 Understanding HTTPS with packet captures High level overview Standard session/deep Dive Decrypt Re-sign

Certificate Showing their credentials 2018 Cisco

Client Key Exchange Here starts the encrypted messages 2018

Example 1 Wireshark tip for following a stream 2018 Cisco

Example 1 HTTP to HTTPS re-direct 2018 Cisco and/or

Example 1 HTTP to HTTPS Re-direct zoomed in 2018 Cisco

Example 1 HTTPS connection to www.ciscolive.

Client Hello Cipher Suites 2018 Cisco and/or its

Client Hello Extensions Server Name Indication (SNI) Issue prior to 6.

Client Hello Extensions continued 2018 Cisco and/or

Certificate Summarized view 2018 Cisco and/or

Certificate Looking into the presented server certificate 2018

Certificate Expanding the extensions 2018 Cisco

50 Example 2 Decrypt Re-sign Decrypt Re-sign traffic to Example2.pcap CiscoLiveConnectionEvent-Example2.pdf CiscoLiveConnectionEvent-Example2.csv 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

Example 2 Overview of pcap 2018 Cisco and/or its

Example 2 Verify decryption 2018 Cisco and/or

Example 2 PDF of the connection event 2018 Cisco

Example 3 How did you find the serial number difference? FMC.crt Example3.

Example 3 What if we cannot get the certificate?

Example 3 Why is the issuer wrong 2018 Cisco and/or

Example 4 Open Chrome and wireshark 2018 Cisco

Example 4 QUIC is UDP 2018 Cisco and/or its

66 TAC skills you learned What the SSL Policy is doing How to follow an SSL session From FMC to the wire How to read in-depth: Client Hello Server Hello Certificate 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

68 Building SSL Policy

69 Lab 1: Building the SSL policy Open chrome and select the FMC bookmark Should be the home page Naviage to Object > Object Management Open Lab 1 on your desktop Ca.crt Ca.key.pem Open both files with Notepad++ Right click, edit with Notepad Cisco and/or its affiliates. All rights reserved. Cisco Public 69

Importing Certificates 2018 Cisco and/or its

Importing Certificates Sourcefire 2018 Cisco and/or

signed certificate Root CA Generate CSR Sign as a Subordinate CA certificate Windows

72 Importing Certificates Internal CA Import CA Import an Internal CA If generated on Windows, use Certificate Template of Subordinate CA Generate CA Generate a self signed certificate Root CA Generate CSR Sign as a Subordinate CA certificate Windows use Subordinate CA 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

Importing Certificates Certificate Install Example If you were not given a password you can leave it blank This accepts Base64 or a certificate file.cer.crt.pem.der If you receive a.pkcs12 or.

73 Importing Certificates Certificate Install Example If you were not given a password you can leave it blank This accepts Base64 or a certificate file.cer.crt.pem.der If you receive a.pkcs12 or.pkcs7 you need to convert it to a.pem Copy the entire Base64 test in the CSR box to a note pad and save it as a.csr It should look similar to below, the important parts are be sure to include the entire text BEGIN CERTIFICATE REQUEST END CERTIFICATE REQUEST----- Do not add character returns or correct spacing, it could cause issues Use Notepad or something similar, wordpad or Microsoft Word add hidden characters that could cause issues Cisco and/or its affiliates. All rights reserved. Cisco Public 74

74 Importing Certificates Certificate Example -----BEGIN CERTIFICATE REQUEST----- MIIC6zCCAdMCAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1EMQ8wDQYDVQQH DAZGdWx0b24xDDAKBgNVBAoMA1RBQzEMMAoGA1UECwwDVEFDMRwwGgYDVQQDDBNG axjlcg93zxiuy2lzy28uy29tmiibijanbgkqhkig9w0baqefaaocaq8amiibcgkc AQEA3P8Q6Kp/LRa+uGqmiHBzyxux63NNRjMfuiRZjAUPWpUPJkooKQs5SwCjuecG BU+aOKe7n6oxmYgNStBCLn0pBHeYYOR4ycTjNs0cyGzLRhkFdvMHfYMSd2oeRN2u X2ZegisTMee0h1+BtmpfuQnCzqTcl3MpfxP8UtjMEixtIr+c5CQdi4WIona8+UQ0 mnodvsgzbtwsaqelmbthfwy/1mfds4zg1ohtobibom6yefu86yuzjaywlilupevl 3iVFCAcjvu02fvGZuPyws+6TsW/+7YVHh2WSXiiIxSU3PuOMyRvQnfiK95JQBChU W1aZ920PKBZMzAIAknFf5nrTvwIDAQABoEEwPwYJKoZIhvcNAQkOMTIwMDAdBgNV HQ4EFgQULVRSd/wf9+EvpfB9DcXMRyglUAswDwYDVR0TAQH/BAUwAwEB/zANBgkq hkig9w0baqsfaaocaqeavncjebpzf2odf7j5ek6dhwkf+lrfnu/dy9xiwmhfaxwb 1p1iS1q93Sekq1uRO+hUGaVEfWr08tCVTrZ69Lo4t8PUHctcspUANCd9bRko1aV3 +4pD2mVudckjHcYmI/kr39BnOSxH0QxkFCGYHhG5nF4Hl4FYcmmhm1QPpkEPadIe J7kUntGJ6QxCIlUZsMMmQIvXVnMc1F2C/QTi20scvEhnX/txJ8GfKqFEsNdjSuk1 dhujvw6nqucyo7mwbbcitxgyszaaw8m2shg4cwdsrbqjuhalegvkogqsxujbgylr 3OMOao+JJMNgKFLKWSuif02Z+bcTHDxB55O1KcG6Aw== 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 75

83 Undecryptable Actions Compressed Session The SSL session applies a data compression method SSLv2 Session The session is encrypted with SSL version 2 Note that traffic is decryptable if the ClientHello message is SSL 2.0, and the remainder of the transmitted traffic is SSL 3.0. Unknown Cipher Suite The system does not recognize the cipher suite Software update may be required Unsupported Cipher Suite The system does not support decryption based on the detected cipher suite 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 84

84 Undecryptable Actions Session not cached The SSL session has session reuse Mid-stream pickup (SSL handshake not seen) Snort restart (SSL session tables) Handshake Errors An error occurred during SSL handshake negotiation Unsupported extension in SSL Handshake Extended Master Secret prior to 6.1 would cause this. Decryption Errors An error occurred during traffic decryption Not possible to allow this traffic, if this error occurs the session is blocked Cisco and/or its affiliates. All rights reserved. Cisco Public 85

Using the SSL policy 2018 Cisco and/or its

Deploy our changes 2018 Cisco and/or its

Decrypting traffic Bypassing the untrust warning 2018 Cisco

102 Lab 3 Installing the certificate RDP into Should be a link on your desktop Administrator/C1sco12345 Open Lab 1 Double click the CA certificate 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 103

Lab 3 Installing the certificate 2018 Cisco and/or

Install the certificate 2018 Cisco and/or its

117 SSL Policy Best Practices

Typical basic policy Decrypt Resign 2018 Cisco and/or

Typical basic policy Decrypt Combo 2018 Cisco and/or

127 What to expect Currently an 80% performance hit May required webserver modifications Perfect Forward Secrecy (ECDHE) does not work in Decrypt Known-key 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 128

129 Troubleshooting SSL in Firepower

Interpreting the connection events Enable the column Success Error

Interpreting the connection event Certificate deep dive 2018

Check the SSL policy 2018 Cisco and/or its

135 Packet capture on Firepower Threat Defense (firepower) >capture-traffic SHELL Please chose domain to capture traffic from: 0 br1 1 Router Selection? 1 Please specify tcpdump options desired. (or enter? for a list of supported options) Options: ^C Caught interrupt signal Exiting. Ctrl+C to end Always write to a file!!! 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 136

136 Packet capture on Firepower Threat Defense (Lina) SHELL >capture capin interface Inside match tcp host any eq 443 >show capture capture capin type raw-data interface Inside [Capturing - 0 bytes] match tcp host any eq https > > >copy /pcap capture:capin disk0: Source capture name [capin]? Destination filename [capin]?!!!!!!!!!! 353 packets copied in 0.40 secs > 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 137

Client Hello Tuning SHELL >system support ssl-client-hello-tuning SSL Client Hello tuning of attributes ciphers_allow, ciphers_remove, extensions_allow, extensions_remove, curves_allow, curves_remove

137 Client Hello Tuning SHELL >system support ssl-client-hello-tuning SSL Client Hello tuning of attributes ciphers_allow, ciphers_remove, extensions_allow, extensions_remove, curves_allow, curves_remove handshake attribute > system support ssl-client-hello-tuning extensions_remove 16,13172 Using tuning file: /etc/sf/ssl_client_hello.conf Parameter and value successfully added to configuration file. Configuration file contents (defaults added automatically): extensions_remove=16, = Application Layer Protocol Negotiation = Next protocol negotiation You must restart snort before this change will take affect This can be done via the CLI command 'pmtool restartbytype DetectionEngine'. > system support ssl-client-hello-reset Using tuning file: /etc/sf/ssl_client_hello.conf Are you certain that you wish to delete the current SSL tuning configuration file? (y/n) [n]: y This example is used to fix block pages in HTTPS traffic. Configuration file successfully deleted Cisco and/or its affiliates. All rights reserved. Cisco Public 138

138 Lab 4 Seeing Decryption at a packet level RDP into Should be a link on your desktop Administrator/C1sco12345 Put in place the SSL Policy from Lab 1 Should already be installed SSH into FTD Open putty, should be a saved session (NGFW) admin/c1sco12345 Capture packets Download and inspect 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 139

139 Lab 4 SHELL >capture capin interface inside buffer match tcp host any eq 443 >capture capout interface outside buffer match tcp any any eq 443 >show capture capture capin type raw-data interface inside [Capturing - 0 bytes] match tcp host <ip> any eq https capture capin type raw-data interface outside [Capturing - 0 bytes] match tcp host <ip> any eq https --> Now navigate to Cisco and/or its affiliates. All rights reserved. Cisco Public 140

141 Lab 4 SHELL >copy /noconfirm /pcap capture:capin disk0: Source capture name [capin]? Destination filename [capin]?!!!!!!!!!! 353 packets copied in 0.40 secs >copy /noconfirm /pcap capture:capout disk0: Source capture name [capout]? Destination filename [capout]?!!!!!!!!!! 364 packets copied in 0.40 secs >expert #sudo cp /mnt/disk0/capin /ngfw/var/common/capin.pcap Password: #sudo cp /mnt/disk0/capout /ngfw/var/common/capout.pcap Password: 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 142

Lab 4 Retrieve pcap 2018 Cisco and/or its

Lab 5 Importing Internal Certificate 2018 Cisco

Lab 5 Internal Certificate 2018 Cisco and/or its

154 Scenarios Based on TAC cases

Scenario 1 Answers Continued 2018 Cisco and/or

159 Scenario 2 Your company has a wildcard certificate (Outside.cer) Import Outside.cer and Outside.key as an Internal CA This simulates a Public CA Certificate(DigiCert/RapidSSL) Use it to Decrypt Re-sign 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

162 Scenario 2 Answer You must use a Subordinate or Root Certificate Authority Certificate When getting CSR signed, Windows in particular requires the Subordinate Certificate Template 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

167 Scenario 4 Certificate pinning can happen with phone app Having the certificate stored in the application to prevent MitM Check SSL Flow Errors 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

168 Common Tac cases That you have learned to avoid Certificate not installed on clients Active Directory gives an option to push certificates to domain joined machines. Wrong certificate type Block rule/default action in SSL Policy URL filtering rules 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 177

169 TAC Case open template For questions about SSL errors or unexpected actions to speed up the TAC case please open with the following: CSV report output of Connection Events matching this traffic Packet capture Client Sensor Server side Explanation of the applications and errors seen Include any recent changes you are aware of Troubleshoot from the sensor 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 178

171 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All

172 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

173 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 182

174 Thank you

175

176

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management). Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt