TLS Decryption on Cisco Security Devices


2 BRKSEC-3015 TLS Decryption on Cisco Security Devices Tobias Mayer, Technical Solutions Architect

3 Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec
Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Abstract
This advanced session discusses how we can decrypt TLS-encrypted web traffic in order to inspect it, and what challenges we face in an enterprise environment. For this, we need to understand how TLS works and what is required to decrypt this traffic. The second section covers best practices for Cisco security products dealing with TLS decryption, such as Firepower, WSA and Umbrella. The last part gives an introduction to encrypted protocols such as HTTP/2, TLS 1.3 and QUIC. These protocols make it harder to decrypt certain traffic flows, and we need to think about complementing technologies that still enforce security in the network. As additional food for thought we will also quickly touch on OCSP Stapling and Google's Certificate Transparency, which are interesting additions to the TLS landscape. This session is intended for network and security architects who want a deeper understanding of decryption of web traffic in the enterprise. Attendees should be familiar with the overall concepts of HTTP, HTTPS and TLS.

5 Me
- CCIE Security #14390, CISSP & Motorboat driving license
- Working in Content Security & TLS Security
- tmayer{at}cisco.com
- Writing stuff at blogs.cisco.com

6 Hey, I am going to present on Web Decryption for 2 hours!

7 Agenda
- Introduction
- Understanding TLS
- Configuring Decryption on the WSA
- Configuring Decryption on Cisco Firepower
- Configuring Decryption on Umbrella
- Thoughts about the future
- Certificate Transparency & OCSP Stapling
- HTTP/2, TLS 1.3 & QUIC

8 For Your Reference
There are (many...) slides in your print-outs that will not be presented. They are there "For Your Reference".

9 Big push for encryption
- Microsoft pushing TLS with PFS
- Apple demanding transport security
- Browser vendors aggressively pushing HTTPS
- Problems with older TLS versions leading to upgrade of servers to newer protocols and ciphers
  - Poodle, Freak, Beast, ...
- Google, FB, Twitter encrypting all traffic
- HTTPS usage influencing page ranking on Google
- Deprecate SHA1, only SHA2+

10 Google Search Engine
Google ranking influenced by using HTTPS
03/03/https-vs-http-website-ssl-tlsencryption-ranking-seo-secureconnection/

11 Understanding TLS

12 TLS Versions
- SSLv3, 1996
- TLS 1.0, 1999, RFC2246
- TLS 1.1, 2006, RFC4346
  - Improved security
- TLS 1.2, 2008, RFC5246
  - Removed IDEA and DES ciphers
  - Stronger hashes
  - Supports authenticated encryption ciphers (AES-GCM)
- TLS 1.3, currently Internet Draft

13 Some Attacks
- POODLE: SSLv3 problems with padding; turn off SSLv3
- BEAST: known issues in CBC mode; use TLS 1.1/1.2 with non-CBC mode ciphers (GCM)
- CRIME/BREACH: compression data leak; disable compression in TLS (CRIME), HTTP compression is still there
- Lucky13: problem with padding still exists with CBC ciphers; use TLS 1.2 with AEAD (GCM)
- Freak: downgrade to RSA_EXPORT; disable EXPORT ciphers, use TLS 1.2
- Logjam: forces the client to downgrade to DHE_EXPORT grade ciphers; disable DHE_EXPORT ciphers, use TLS 1.2

14 TLS Versions
- SSLv3, 1996, broken by Poodle
- TLS 1.0, 1999, RFC2246, weakened by BEAST & Lucky13
- TLS 1.1, 2006, RFC4346, weakened by Lucky13
  - Improved security
- TLS 1.2, 2008, RFC5246
  - Removed IDEA and DES ciphers
  - Stronger hashes
  - Supports authenticated encryption ciphers (AEAD, i.e. AES-GCM)
- TLS 1.3, currently Internet Draft

15 How is the encryption of the target website?

16 Cipherstrings
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS: protocol used
- ECDHE: key exchange
- ECDSA: authentication
- AES_128_GCM: symmetric encryption used
- SHA256: hash to verify integrity

17 Old and modern ciphers
                       old         modern
Protocol               SSL         TLS
Key exchange           RSA         EC(DHE) *
Authentication         RSA         EC(DSA)
Encryption algorithm   3DES, RC4   AES
Encryption mode        CBC         GCM
MAC                    SHA, MD5    SHA256, SHA384
* Ephemeral DH provides PFS

18 PFS: Perfect Forward Secrecy
- Using the RSA key for both authentication and key generation leaves our traffic vulnerable to offline attacks
- Someone might record our traffic and, years later, compromise our server, get the private key and decrypt all traffic
- Diffie-Hellman (DH) is a method to prevent this, but:
  - With static DH, the DH parameters are actually again the private key
  - DHE uses unique keys for every session; this is called Perfect Forward Secrecy
  - Dynamic parameters for the DH session are never stored and never re-used

19 PFS - Example
- DHE ciphers use PFS
  - But are heavy to compute
- ECDHE ciphers use Elliptic Curves and provide PFS
  - Much better performance
  - Especially in software

20 AEAD: Authenticated Encryption
- Authenticated Encryption with Associated Data
- CBC (confidentiality) + HMAC (integrity) vs. AE (confidentiality & integrity)
- GCM is the most popular algorithm
  - No license and fast computing
  - Implemented in OpenSSL
- BRKSEC-3005 Cryptographic Protocols and Algorithms - a review

21 AEAD: Authenticated Encryption (2)
- AE (key, plaintext) -> Ciphertext
  - Same plaintext letter results in same ciphertext letter (hello -> &%$$)
- AE (key, plaintext, nonce) -> Ciphertext
  - Nonce needs to be distinct!
  - Need to send it along with the ciphertext
  - Problem: order of the messages!
- AEAD (key, plaintext, nonce, ad) -> Ciphertext
  - ad is the associated data, can be a counter.
- RULE: The combination of nonce and ad shall never be the same for all time!

22 Ciphers explained
Name                                     Prot  Kx     Au     Enc          Bits  Mac
TLS_RSA_WITH_RC4_128_MD5                 TLS   RSA    RSA    RC4_128      128   MD5
TLS_DH_RSA_WITH_DES_CBC_SHA              TLS   DH     RSA    DES_CBC      56    SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA         TLS   DHE    RSA    AES_128_CBC  128   SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      TLS   ECDH   ECDSA  AES_256_CBC  256   SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    TLS   ECDHE  RSA    AES_256_GCM  256   SHA384

23 Ciphers explained (2)
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  - Cipher is sent to indicate that if the server wishes to renegotiate any parameters, this is only supported over the secure connection. Renegotiation over plaintext will not be accepted
- TLS_FALLBACK_SCSV
  - Cipher is sent by the client when a previous connection with a higher protocol was not successful for whatever reason (TLS 1.2 -> TLS 1.0)
  - A server that supports this cipher can now see that the session was downgraded
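Added example (not part of the original slides): a Python sketch that splits TLS 1.2-style suite names into the Prot/Kx/Au/Enc/Bits/Mac columns of the "Ciphers explained" table and lists what the deck advises against (no PFS, RC4/DES/3DES, EXPORT, CBC, MD5 or SHA MAC). The function names are invented for this sketch; names without an explicit MAC field (CCM suites, TLS 1.3 names) are rejected rather than guessed.

```python
import re

# Signalling values from the "Ciphers explained (2)" slide; they carry no algorithms.
SCSV = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}
SUITE = re.compile(r"^(TLS|SSL)_(.+)_WITH_(.+)_([A-Z0-9]+)$")
MACS = {"MD5", "SHA", "SHA256", "SHA384"}


def key_bits(enc):
    """Symmetric key length implied by the Enc field (0 for NULL)."""
    if enc.startswith("3DES"):
        return 168
    if enc.startswith("DES40"):
        return 40
    if enc.startswith("DES"):
        return 56
    if enc.startswith("CHACHA20"):
        return 256
    sizes = [int(tok) for tok in enc.split("_") if tok.isdigit()]
    return sizes[0] if sizes else 0


def parse_suite(name):
    """Split a suite name into the Prot/Kx/Au/Enc/Bits/Mac columns."""
    if name in SCSV:
        return {"name": name, "scsv": True}
    m = SUITE.match(name)
    if not m or m.group(4) not in MACS:
        raise ValueError("not a TLS 1.2-style suite name with a MAC field: %r" % name)
    prot, kxau, enc, mac = m.groups()
    export = kxau.endswith("_EXPORT")
    if export:
        kxau = kxau[: -len("_EXPORT")]
    kx, _, au = kxau.partition("_")
    return {
        "name": name, "scsv": False, "prot": prot, "kx": kx,
        "au": au or kx,  # TLS_RSA_WITH_*: RSA does key exchange and authentication
        "enc": enc, "bits": key_bits(enc), "mac": mac, "export": export,
        "pfs": kx in ("DHE", "ECDHE"),          # ephemeral DH only
        "aead": enc.endswith(("GCM", "POLY1305")),
    }


def findings(name):
    """Reasons a suite falls short of the deck's guidance (empty list = fine)."""
    s = parse_suite(name)
    if s["scsv"]:
        return []
    out = []
    if not s["pfs"]:
        out.append("no PFS: %s key exchange" % s["kx"])
    if s["export"]:
        out.append("EXPORT grade")
    if s["au"] == "anon":
        out.append("anonymous: server is not authenticated")
    if s["enc"].startswith(("RC4", "DES", "3DES", "NULL")):
        out.append("weak or retired cipher: %s" % s["enc"])
    elif s["bits"] < 128:
        out.append("key shorter than 128 bit")
    if "CBC" in s["enc"]:
        out.append("CBC mode, not AEAD")
    if s["mac"] in ("MD5", "SHA"):
        out.append("weak hash: %s" % s["mac"])
    return out


if __name__ == "__main__":
    # The five names from the "Ciphers explained" table plus one SCSV.
    for suite in (
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_DH_RSA_WITH_DES_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_FALLBACK_SCSV",
    ):
        print(suite, "->", findings(suite) or "ok")
```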

24-32 TLS Handshake (built up one message per slide)
Client -> Server: ClientHello
Server -> Client: ServerHello
Server -> Client: ServerCertChain & (SrvKeyExchg)
Client: Verify Server Certificate & Check Crypto Parameters
Client -> Server: ClientKeyExch
Client -> Server: ChangeCipherSpec, ClientFinished
Server -> Client: ChangeCipherSpec, ServerFinished
Client <-> Server: Encrypted Data

33 Breaking TLS
1. Generate pub/priv key and root cert
2. Install root cert on client device
Client -> TLS Proxy: ClientHello
TLS Proxy -> Server: ClientHello (own or modified)
Server -> TLS Proxy: ServerHello, ServerCertChain
TLS Proxy: Validate Certificate
TLS Proxy: Generate spoofed certificate, signed by private key from proxy
TLS Proxy -> Client: Spoofed cert.

34 Did we forget someone?
- The client also needs to be able to support the TLS versions & ciphers
- Overview can be found here:

35 We are trying to break into a protocol that was not meant to be broken. Things will sometimes fail. Get used to it.
Tobias Mayer, CSE

36 Configuring Decryption on the WSA (and explaining the technology)

37 Activating the HTTPS proxy
- Upload an existing certificate with private key
- or generate a local certificate
- download CSR and upload signed certificate

38 Explicit Proxy
- Client requests a website
- Browser connects first to WSA
- WSA does DNS lookup
  - A record returned and/or AAAA record returned
- Depending on WSA setting, WSA builds the outgoing connection either on IPv4 or IPv6
Access log excerpt: TCP_MISS_SSL/ CONNECT tunnel://
[Diagram: Web Security Appliance, ASA NGFW, Internet, Web server; IPv4 / IPv6]

39 Transparent Proxy via WCCP
- Client requests a website using IPv4 or IPv6
- DNS resolution is done by the client
- Browser tries to connect to the website
- Network device redirects traffic to WSA using WCCP
- WSA proxies the request
Access log excerpt: TCP_MISS_SSL/200 0 TCP_CONNECT :443
[Diagram: Web Security Appliance, ASA NGFW, Internet, Web server; IPv4 / IPv6]

40 Flow for Decryption
Identity -> Authentication -> HTTP Proxy (Access Policy) / HTTPS Proxy (Decryption Policy)
Access Policy actions:
- Block: Block page displayed, page blocked
- Monitor: Cont. evaluation of Access Policies
- Warn: Warn page displayed, page allowed
Decryption Policy actions:
- Pass: Encrypted page displayed
- Decrypt: Goto Access Policy
- Monitor: Cont. evaluation of Decryption Policies
- Drop: if Decrypt for EUN selected (in 7.7+), Block page displayed

41 Flow for Decryption (2)
[Flow diagram. Labels: Access Policy; Decryption Policy; Monitor; Applications; Granular Control (if available); Block; Block page displayed; Continue Eval of Access Policies; WBRS Check: has Score; Passthrough; Decrypt; WBRS Check: has No Score; Default Action]

42 Certificate installation and usage - recap
- The WSA needs a CA certificate to be installed for TLS decryption
  - Not a WEB SERVER CERTIFICATE!!!
  - TAC will say thank you for this!
- After receiving the HTTPS request, the WSA will grab the server certificate from the destination
- It will create a new (spoofed) certificate with (nearly) all the fields and sign it with its own certificate
  - CRL / OCSP is not replicated because it would not match the new certificate
- Client needs to trust the certificate from the WSA
  - Use a trusted Enterprise subordinate CA certificate or roll out your self-signed cert to the clients via GPO
- Certificates on the WSA use PEM format

43 Certificate installation and usage
BASIC CONSTRAINTS: Critical
- Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
- Basic Constraints defines whether the certificate is a CA; recommended to set to CRITICAL

44 Certificate installation and usage
- Browser companies & CAs have phased out SHA-1: moving to SHA-2
  - Set of algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
- WSA 9.x+
  - Generating a self-signed certificate will use SHA-256 by default and a 2048 bit RSA key
  - CSR can be sent to a CA, but the CA also needs to use SHA-256
  - Importing an externally generated certificate and key is possible
  - DSA_SHA256 signed certificates are not supported

45 Firefox and SHA-1 Signatures
- Firefox v43+ introduced a switch to block SHA-1 signed leaf certificates
- Set it to 1 to block and to 0 to allow

46 General SSL Settings: Fallback
- Client sends Client Hello and suggests a version to use
- If the server responds with a fatal error, the client will fall back to another version
  - Example: TLS 1.2 yes, but there is no common cipher offered
- Not a fatal error: client asks for TLS 1.2 but server offers 1.0

47 WSA - General SSL Settings: Fallback
- WSA has a feature that enables or disables Fallback
- WSA will fall back to the lowest version supported
- Enabled / disabled via CLI under sslsettings
- Recommendation: Enable, definitely enable.

48 Decryption Policy
Policy can be based on
- Identification Profile (Identity)
- URL Category
- Web Reputation
- Additional Options

49 Decryption Policy: Categories
- Pass Through will still check for certificate errors!
- An invalid or expired certificate on the server will fail the Pass Through

50 Decryption Policy: Custom URLs (best used for making an exception for decryption)
- Pass Through will bypass all certificate checks -> true Pass Through
- Decrypt -> certificates will be checked and the user will get a prompt (untrusted CA)
- Custom categories take precedence over predefined categories!

51 Bypass Decryption Policy for O365 Domains
- Dynamic feed for automatically bypassing the Microsoft recommended domains
- Introduced in WSA 10.x
- URL from O365 Repository

52 Decryption Policy: Decrypt for Application Detection
- Will try to decrypt all categories that are put on monitor, incl. no categories
- AVC Engine checks the request header and decides if it needs decryption
- Will supersede the Pass Through option in Decryption for WBRS
  - AVC Engine will check if decryption is necessary
- Might dramatically increase the traffic that is being decrypted

53 Decryption Policy: Decrypt for End User Notification
- Important for transparent requests, not so much for explicit
- A policy of Drop in the Decryption Policy will not display a notification to the end user unless you select this option
- Otherwise the end user will just get the standard browser error

54 Decrypt for EUN
If Decrypt for EUN is enabled and the action is "Drop", WSA will decrypt and produce an EUN page for the following certificate errors:
- Expired Certificates
- Mismatched Hostname
- Unrecognized root CA
- Other certificate errors - Invalid certificate
- OCSP - Revoked certificate
- OCSP - Unknown Certificate
- OCSP - Other OCSP errors
- Revoked certificates
- Black listed certificates

55 Decryption Policy: Decrypt for Authentication (= transparent requests with IP Surrogates)
- Authentication is less of a problem in explicit deployments with IP Surrogates
- Authentication is a bigger problem in transparent deployments, especially with Cookie surrogates
  - Cookie is inside the encrypted request
  - Decryption based on User/Group is not possible

56 Decryption Policy: good to remember
- If you need to DROP a category in the access policies, it is good to also drop it in the decryption policies
- Otherwise the HTTPS request is decrypted first and then matched against the access policies
- This will give a small performance gain

57 Validating the Certificate Chain
- Certificate is very often in DER format
- Convert it to PEM to import to the WSA
    openssl x509 -inform der -in <yourdercert> -out <yourpemcert>
- Display the content of the PEM certificate in readable format
    openssl x509 -in <yourpemcert> -text -noout

58 Validating the Certificate Chain
Root CA -> Intermediate CA -> Server Certificate

59 Validating the Certificate Chain
- Some servers send the server cert only
- Browser checks the extension Authority Information Access (AIA)
- This tells it where to find the next certificate
- Browser downloads it and can now check if it is valid

60 AIA Chasing on WSA
- New feature in WSA 10.x release!
- Automatically downloads the missing intermediate certificate
- Log entry in https_logs in case a missing cert is downloaded:

61 Troubleshooting AIA Chasing
AIA Chasing is using the OCSP daemon for verification
  02 Jun :21:22 (GMT +0200) Info: 5154 : OCSP Result for the server : - (0, 2, 3600)
  02 Jun :21:22 (GMT +0200) Info: 5154 : OCSP Result for the server : - (0, 2, 3600)
Fields in the parentheses, in order: OCSP Status, OCSP daemon result code, TTL of OCSP verdict

62 Troubleshooting AIA Chasing
OCSP Request Type
- 0 - OCSP request only
- 1 - Intermediate Certificates request only with ocsp disabled
- 2 - Both Intermediate Certificates and ocsp request
OCSP daemon result code with only intermediate cert request
  'inter cert chase_success' : 32,
  'inter cert chase_cached': 64,
  'inter cert chase_self_signed' : 128,
  'inter cert chase_url_missing': 256,
  'inter cert chase_max_depth' : 512,
  'inter cert chase_parent_miss' : 1024,
  'inter cert chase_parent_blacklisted' : 2048

63 Troubleshooting OCSP
OCSP daemon result code (OCSP only)
- no good info : 0
- good cert : 2
- revoked cert : 4
- unknown cert : 8
- other error : 16
In case OCSP Request type = 2, the daemon result values of OCSP only and intermediate certificate chase are combined:
  28 May :12:45 (GMT +0200) Info: 4399 : OCSP Result for the server : library.netapp.com - (2, 34, 3600)
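Added example (not part of the original slides): a Python decoder for the "OCSP Result for the server" lines in https_logs, using the request types and result codes listed on the slides above. Treating the combined result code as a set of bit flags (34 = 2 + 32) and the choice of which outcomes need follow-up are assumptions of this sketch; the first two sample lines are the ones shown on the slides (timestamps are truncated there), the last two are constructed.

```python
import re

# Values as listed on the troubleshooting slides.
REQUEST_TYPE = {
    0: "OCSP request only",
    1: "intermediate certificates request only, OCSP disabled",
    2: "intermediate certificates and OCSP request",
}
RESULT_BITS = {
    2: "good cert", 4: "revoked cert", 8: "unknown cert", 16: "other error",
    32: "inter cert chase_success", 64: "inter cert chase_cached",
    128: "inter cert chase_self_signed", 256: "inter cert chase_url_missing",
    512: "inter cert chase_max_depth", 1024: "inter cert chase_parent_miss",
    2048: "inter cert chase_parent_blacklisted",
}
OCSP_MASK = 2 | 4 | 8 | 16
# Assumption of this sketch: only these outcomes need no follow-up.
QUIET = {"good cert", "inter cert chase_success", "inter cert chase_cached"}

LINE = re.compile(
    r"OCSP Result for the server\s*:\s*(?P<host>\S*)\s*-\s*"
    r"\((?P<rtype>\d+),\s*(?P<code>\d+),\s*(?P<ttl>\d+)\)"
)

SAMPLE = """\
02 Jun :21:22 (GMT +0200) Info: 5154 : OCSP Result for the server : - (0, 2, 3600)
28 May :12:45 (GMT +0200) Info: 4399 : OCSP Result for the server : library.netapp.com - (2, 34, 3600)
01 Jan 2000 00:00:00 (GMT +0000) Info: 1 : OCSP Result for the server : revoked.example - (2, 1028, 600)
01 Jan 2000 00:00:00 (GMT +0000) Info: 1 : OCSP Result for the server : nochain.example - (1, 256, 600)
"""


def decode(line):
    """Decode one log line; returns None if it is not an OCSP result line."""
    m = LINE.search(line)
    if m is None:
        return None
    rtype, code, ttl = (int(m.group(k)) for k in ("rtype", "code", "ttl"))
    results = [label for bit, label in sorted(RESULT_BITS.items()) if code & bit]
    unknown = code & ~sum(RESULT_BITS)       # bits the slides do not document
    if unknown:
        results.append("undocumented bits: %d" % unknown)
    if rtype in (0, 2) and not code & OCSP_MASK:
        results.insert(0, "no good info")    # OCSP part of the code is 0
    return {
        "host": m.group("host"),             # empty when the log omits the name
        "request_type": REQUEST_TYPE.get(rtype, "undocumented type %d" % rtype),
        "results": results,
        "ttl": ttl,
        "attention": any(r not in QUIET for r in results),
    }


def needs_attention(log_text):
    """All decoded entries whose result is something other than good/chased."""
    decoded = (decode(line) for line in log_text.splitlines())
    return [d for d in decoded if d and d["attention"]]


if __name__ == "__main__":
    for entry in needs_attention(SAMPLE):
        print(entry["host"], entry["request_type"], entry["results"])
```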

64 Validating the Certificate Chain
Example: The link for certificates in is the SKID and the AKID (see hidden slide) instead of just using the CN (Name Chained Certificates)


66 Validating the Certificate Chain
- SKID: SUBJECT KEY IDENTIFIER
  - Hash of the public key
- AKID: AUTHORITY KEY IDENTIFIER
  - Hash of the issuer's public key (building the cert chain)
  - And / or
  - The issuer and serial number of the CA (only used for identifying the right certificate)

67 Validating the Certificate Chain - Cross signed
Certificate:
  Cert DN, Cert Public Key, Issuer CA DN, Issuer Signature
  SKID = 3d ff cb..
  AKID = 2f 7c aa..
Root CA1 (Self Signed):
  Root CA1 DN, Issuer CA1 DN, Root CA Public Key, Root CA Signature
  SKID = 2f 7c aa..
Root CA1 (Issuer CA3):
  Root CA1 DN, Issuer CA3 DN, Root CA Public Key, Root CA Signature
  SKID = 2f 7c aa..
  AKID = 12 3f bb.. (CA3)

68 Validating the Certificate Chain
- WSA will always check the complete chain until the last certificate possible!
- So if you find two trusted paths, make sure you have all certificates in your trusted store

69 Certificate Error Handling
- Settings on the WSA: default values provide a good balance between security and user experience
- Remember: EUN in case of a Drop requires Decryption for EUN!
- Drop: log the certificate error in the access log, decrypt and display EUN
- Decrypt: log the certificate error in the access log, decrypt with a purposely invalid certificate and let the client decide whether to accept the connection
- Monitor: don't do anything, it's all on the client to decide

70 Certificate Error Handling
- Should certificate errors be handled by the browser or by the WSA showing an EUN to the user?
- Either way the user gets an error message
- Maybe better to have a customized error message to limit the famous DoS attack on the IT support department?

71 Certificate Revocation
- Certificates can be revoked
- OCSP is the standard protocol to check if a certificate is revoked (OCSP largely replacing CRL)
[Diagram: TLS Client -> Web Server with TLS: TLS Client Hello; Web Server with TLS -> TLS Client: TLS Server Hello & Cert]

72 Certificate Revocation
OCSP information is found in the Authority Information Access extension

73 Certificate Revocation
- Certificates can be revoked
- OCSP is the standard protocol to check if a certificate is revoked (OCSP largely replacing CRL)
- Drop requires Decrypt for EUN

74 Certificate Revocation: OCSP Error Handling
Result is added to the decision tag in the accesslogs
- OCSP_REVOKED_CERT
- OCSP_UNKNOWN_CERT
- OCSP_OTHER_ERROR
  - malformedrequest: responder does not understand request due to wrong syntax
  - internalerror: responder reached inconsistent state
  - trylater: responder reachable but not able to respond
  - sigrequired: client is required to sign his request
  - unauthorized: client is not authorized
  - currenttime: problem with the time the request was made
  - Includes OCSP responder cannot be contacted

75 Certificate Revocation
EUN for a revoked Certificate

76 WSA and TLS
- In Explicit mode, a CONNECT request is made, giving the host URL to the WSA together with the CONNECT request
- WSA replies with 407 Proxy auth required
- At this time, WSA has the following information:
  - Destination host
  - User agent
  - User credentials verified
- WSA can decide whether to decrypt based on:
  - Destination Host (URL Category)
  - User Agent
  - Proxy Port
  - Subnets & Time Range

77 Decrypting Web Category Search Engines - Explicit mode
  TCP_MISS_SSL/ CONNECT tunnel:// DIRECT/ - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP:
  TCP_MISS_SSL/ GET "hsimpson@munsec" DIRECT/ text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-", ,0,-,"Unknown","-",1,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 0 REP: 0 SFBR: 143 CFBWR: 51 AMP:

78 WSA and TLS
- In Transparent mode, there is no CONNECT but a TCP_CONNECT with the destination IP
- Since the client is not aware of the WSA, it will start a TCP connection to the remote server
- Connection is redirected to WSA, client starts an HTTPS/SSL connection directly
  - IP Surrogates: check client IP and authenticate
  - Cookie surrogates: bypass authentication
- At this point WSA only knows destination IP and port
- WSA sends an HTTPS probe (its own Client Hello) to get the Server Hello and server certificate

79 Decrypting Web Category Search Engines - Transparent mode
  TCP_MISS_SSL/200 0 TCP_CONNECT :443 "MUNSEC\administrator@munsec" DIRECT/ - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP:
  TCP_MISS_SSL/ GET "MUNSEC\administrator@munsec" DIRECT/ application/javascript DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Generic Search Engine Traffic","Search Engine","-","-",180.17,0,Local,"Unknown","-",1,"-",-,-,"-","-"> - NEGOTIATE DestIP: AUTH: 0 DNS: 0 REP: 0 SFBR: 20 CFBWR: 1 AMP:

80 Detecting the hostname in transparent mode
- With the server certificate, WSA has knowledge of:
  - Client IP
  - Destination IP
  - Server Certificate
  - Common Name (CN) from server certificate is used as the hostname
- Based on this information WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
- All information normally sent in the HTTP header (Cookies, User Agent, Mime-Type etc.) is encrypted in the tunnel and thus not available to the WSA at this point.

81 Decryption Policy
- Decrypting device needs to decide whether it should decrypt or not
- Criteria is usually the requested URL Category
  - We need to discover the HOSTNAME of our destination
- There are also sometimes other criteria such as
  - Subnet
  - Port
  - Web Reputation
  - User Agents

82 Detecting the hostname.. via certificate?
- Should we decrypt?
- Very often based on URL Category... (think of finance websites...)
- It's youtube.com

83 Detecting the hostname...
- Situation: hosting provider with one external IP and several hosted domains internally
- Each domain uses its own certificate
- If a client requests a connection to the IP (shared among the domains), which server does it want to go to?
- Which certificate should the server send in its Server Hello?

84 Server Name Indication
- Finding out the correct destination hostname and mapping it to a URL Category...
- Solution: usage of SNI (Server Name Indication) is required from the proxy side (supported in v7.7+)
- Most browsers have supported it for many years
- CLIENT HELLO during TLS sends the Host URL: SNI =

85 Server Name Indication - Test: Connection without SNI
  TMAYER-M-T2AF:iitp tmayer$ openssl s_client -connect midmarketcioforum.pathable.com:443
  CONNECTED( )
  62663:error: :SSL routines:ssl23_get_server_hello:sslv3 alert handshake failure:/sourcecache/openssl098/openssl /src/ssl/s23_clnt.c:585:
Connection without SNI, but required by the server

86 Server Name Indication Test (2): Connection with SNI
  TMAYER-M-T2AF:iitp tmayer$ openssl s_client -servername midmarketciofourm.pathable.com -connect midmarketcioforum.pathable.com:443
  CONNECTED( )
  depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  ---
  Certificate chain
   0 s:/serialnumber=yvv3g4-n4koxyxclfiddfs92bn4-lpum/ou=gt /ou=see (c)12/ou=domain Control Validated - RapidSSL(R)/CN=*.pathable.com
     i:/c=us/o=geotrust, Inc./CN=RapidSSL CA
   1 s:/c=us/o=geotrust, Inc./CN=RapidSSL CA
     i:/c=us/o=geotrust Inc./CN=GeoTrust Global CA
   2 s:/c=us/o=geotrust Inc./CN=GeoTrust Global CA

87 Server Name Indication
- Recommendation: SNI should always be enabled
  - Especially in transparent deployments!
- When upgrading from very old releases (7.5), check if it is enabled!
- Done via CLI, advancedproxyconfig

88 Detecting the requested Host
The requested hostname is usually detected by one of several methods:
- Transparent Request (Transparent proxy, FW)
  1. Check the SNI Name in the TLS Client hello
  2. Check the CN Field in the Subject of the Server Certificate
- Explicit Proxy
  1. Usually get the hostname from the CONNECT REQUEST
  2. (Check SNI, then CN field)
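Added example (not part of the original slides, and not how the WSA implements it): a Python sketch that reads the SNI host name out of a raw TLS ClientHello record and applies the lookup order from the slide above (CONNECT host for explicit proxy, then SNI, then certificate CN). The function names and the minimal ClientHello built as sample input are constructed for this sketch; a ClientHello split over several TLS records is not handled.

```python
import struct


def _take(buf, pos, n):
    """Return n bytes at pos and the new position; refuse to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _vec(buf, pos, len_bytes):
    """Read a vector whose length prefix is len_bytes wide."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def sni_from_client_hello(record):
    """SNI host_name from a TLS ClientHello record, or None if none was sent."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, pos, int.from_bytes(hdr[3:5], "big"))
    if body[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    hello, _ = _vec(body, 1, 3)
    pos = 2 + 32                      # client_version + random
    _, pos = _vec(hello, pos, 1)      # session_id
    _, pos = _vec(hello, pos, 2)      # cipher_suites
    _, pos = _vec(hello, pos, 1)      # compression_methods
    if pos >= len(hello):
        return None                   # no extensions block at all
    exts, _ = _vec(hello, pos, 2)
    pos = 0
    while pos < len(exts):
        etype, pos = _take(exts, pos, 2)
        data, pos = _vec(exts, pos, 2)
        if etype == b"\x00\x00":      # server_name extension
            names, _ = _vec(data, 0, 2)
            npos = 0
            while npos < len(names):
                ntype, npos = _take(names, npos, 1)
                name, npos = _vec(names, npos, 2)
                if ntype == b"\x00":  # host_name
                    return name.decode("ascii").lower()
    return None


def requested_host(mode, client_hello=None, cert_cn=None, connect_host=None):
    """Apply the slide's lookup order; returns (hostname, source)."""
    candidates = []
    if mode == "explicit":
        candidates.append(("CONNECT", connect_host))
    sni = sni_from_client_hello(client_hello) if client_hello else None
    candidates += [("SNI", sni), ("certificate CN", cert_cn)]
    for source, host in candidates:
        if host:
            return host, source
    return None, None


def build_client_hello(host=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
             + b"\x01\x00")                          # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    with_sni = build_client_hello("shop.example.com")
    print(requested_host("transparent", with_sni, cert_cn="*.example.com"))
    print(requested_host("transparent", build_client_hello(), cert_cn="*.example.com"))
```

SNI is sent by the client in clear text and is not authenticated, so a policy decision based on it is only as reliable as the client; the certificate CN remains the fallback when no SNI is present.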

89 WSA settings for TLS
- Use AsyncOS 10.x
- Check that AIA Chasing is enabled
- Check that you have a Sub-CA certificate signed with SHA-2
- Enable TLS 1.2, 1.1 and, depending on your risk evaluation, TLS 1.0. Disable SSLv3 if not already done!
- Decryption policy of Drop requires the Decrypt for EUN option to be enabled if you want to see the EUN
- Certificate errors: Drop or Decrypt provide logging
  - Check your logs for certificate errors regularly
- Check on CLI that you have Server Name Indication enabled
- Check on CLI that you have Fallback enabled

90 WSA settings for TLS (2)
- Make sure that OCSP checking is enabled (Drop Revoked)
- Check the clients & browser versions, verify what TLS version they are able to support
- Drop predefined categories in access policies (AP) and decryption policies (DP) for better performance
- Create a custom URL Category for exceptions and reference it in AP and DP
- Check your cipher string, disable RC4, Export & keys lower than 128 bit
  - See next slide

91 WSA Cipher Default Strings ASYNC OS and lower DEFAULT:kEDH:!EXPORT:!LOW:!RC4 ASYNC OS and higher EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CA MELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256- SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 91

92 Checking certificates:

94 Common SSL Troubleshooting Steps
- Check your Access Logs
- Look at ACL Decision tags regularly
- Check the destination url on
- Try to access the page directly without the WSA in the path
- Using curl or OPENSSL
- Try to access the page with the WSA in the path
- For certificate errors, set error handling to anything else but MONITOR
- Check the https_logs -> put at least into DEBUG mode, better: TRACE
- Check the PCAPS

95 Common SSL Issues
Server is sending all certificates but WSA does not recognize the intermediate cert
- Check with OPENSSL or what is sent, compare to the existing certificates
- Import the missing certificate if needed or upgrade to WSA 10.x for AIA Chasing
Server and WSA cannot agree on common protocol or cipher
- Check with OPENSSL for support of TLS Version and cipher
- https logs should indicate a Fatal Error and Protocol Error
- Use AsyncOS 10.x + for better TLS Support
Server is sending an expired/ screwed up/ wrong certificate
- Check with OPENSSL or website
- Can bypass decryption with CUSTOM URL

96 Configuring Decryption on FirePower

97 Generate Certificate on FP
Object -> Object Management -> PKI
- Generate an Internal CA: self-signed, or a CSR to be sent to a PKI for signing
- Import an external CA with key: format is PKCS12, use openssl to convert

98 Cipher Strings
Object -> Object Management -> Cipher Suite List
Cipher selection
- Default: all ciphers. Cipher strings need to be selected separately to be more secure
Select
- Ciphers with TLS as protocol
- Ciphers with *DHE for PFS
- Ciphers with AES
- Ciphers with HASH = SHA256 or higher
- no ciphers with *anon*, sha, rc4, md5

99 FTD Policy decisions for traffic decryption
SSL-Policy: Decryption
Access-Policy: IPS, App, etc.

100 SSL Policy Rules
Rules are matched top-down

101 SSL Policy Rule Actions
- For internal traffic going outside
- For external traffic going to internal server (via passive interface)

102 SSL Inspection on Passive Interface
[Diagram: Client, TAP, Server; NGFW with copy of server key and cert; plaintext (ABC) and ciphertext (#$*)]
If the TLS connection uses PFS, traffic inspection is not possible

103 Inspect Outgoing Traffic
Action: Decrypt and resign
Certificate to be used
It replaces ONLY the key in the self-signed certificate, instead of the whole certificate. This causes the client browser to warn that the certificate is self-signed.

104 Rule matching criteria
- Multiple criteria for matching the rule
- Some predefined sites that are undecryptable
- DN of the destination certificate

105 Settings per SSL Policy Rules
- Certificate Status: Revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid.
- Cipher suite
- SSL version
If the certificate matches any of the selected statuses, the rule matches the traffic.

106 Global SSL Rule Settings
Action to be taken

107 Block Page; End User Notification, EUN
From 6.1: The system now displays an HTTP response page for connections decrypted by the SSL policy, then blocked by access control rules. However, the system does not display a response page for encrypted connections blocked by access control rules (or any other configuration).
FTD cannot support EUN for bad certs at the moment (6.2.1)

108 Certificate Revocation
- No support for OCSP, only CRL
- CRL can only be added statically to a trusted CA
- Download CRL manually and upload manually
- Format is DER or PEM
- Upload CRL here...

109 Example Rules for certificate checking
- Block Certificate Errors
- Certificate Errors
- Exclude Selfsigned

110 Example Rules Checking Self-Signed
- BLOCK or whatever Action you want...
- Ignore all others
- Include Selfsigned

111 Further behavior of FTD with TLS Decryption
- SNI is always enabled
- No automatic download of missing intermediate certificates
- Manual upload required
- No action on certificate check for undecrypted HTTPS connection in the default settings
- Client is responsible for any error message
- Cannot prompt the client in case you have an error
- SSL Policy needs to be attached to an access policy

112 Configuring Decryption on Umbrella

113 Umbrella how does it work?
[Diagram labels: HTTPS decrypt, Umbrella feeds, Intelligent proxy, TALOS & partner feed, AV, DNS, AMP]

114 Configuring Decryption

115 Configuring Decryption
Download and mark the Cisco certificate as trusted

116 Umbrella decryption
- No insecure ciphers
- Preferring modern ciphers
- Good certificate error handling
- Dedicated error message displayed
- Usage of SNI, cert revocation, etc
- Fixed Cisco certificate for decryption
- List of websites to be decrypted is handled by Cisco Umbrella
- Not yet a way to influence
- No automatic intermediate certificate download

117 Missing intermediate cert
If the website is needed, bypass it with an Allow List

118 Thoughts about the future

119 Problem Statement
How can we reliably detect if the certificate for the domain we are trying to access is the correct one?

120 HSTS & Certificate Pinning

121 HSTS
HTTP Strict Transport Security - Protect secure HTTPS websites against downgrade attacks
- Web server can signal to the client that only HTTPS is allowed to interact
- This signal is transported using an HTTPS Response Header
- The client behaves as follows:
  - Automatically turn any HTTP links into HTTPS links
  - If the secure connection cannot be assured (ex: Self Signed Certificate is used), do not allow the user to override
- If you want to decrypt using a proxy, a valid CA Certificate is required!

122 Certificate Pinning
RFC 7469
- Method to actually compare the certificate presented from the server to a stored CA certificate on the client.
- Requires a method to ensure the client is running the latest version of your software
- Applies to centrally updated applications that connect to predictable servers
- Two ways to do it:
  - Incorporate a static list in the application, which of the CA certificates is expected to be used for signing the server certificate
  - Send a new Header (HPKP) to signal within the TLS Handshake that the client should PIN a certain public key for a certain amount of time
- Chrome connecting to gmail.com, twitter, FF connecting to mozilla.org
te_static.json

123 Demo: Certificate Pinning

124 Example: Firefox
0: Pinning disabled
1: Allow User MiTM (with a trusted CA)
2: Strict. Always enforced
3: Enforce Test Mode

125 Example: Firefox Strict Pinning

126 Certificate Pinning Examples

127 Certificate Pinning Examples (2)
Dropbox Client

128 Certificate Pinning Examples (3)
Google Drive
Google Drive uses Certificate Pinning by default
1. Define an exemption from encryption based on well-known destination IP addresses
2. Restart Google Drive Client with unsafe option
- Exit Google Drive from the System Tray
- In the Command prompt, navigate to the Google Drive folder (32 bit - C:\Program Files\Google\Drive. 64 bit - C:\Program Files (x86)\google\drive)
- Enter googledrivesync.exe --unsafe_network

129 Certificate Pinning
- Chrome will deprecate support for Certificate Pinning
- Goal is to use CT for all certificates, combined with OCSP Must-Staple

130 OCSP Stapling

131 Recap: Certificate Revocation
- Certificates can be revoked
- OCSP is the standard protocol to check if a certificate is revoked (OCSP largely replacing CRL)
[Diagram: TLS Client sends TLS Client Hello; Web Server with TLS replies with TLS Server Hello & Cert]

132 Revocation Problems
CRLs
- Too big
- Does not scale for 100s of CAs
OCSP
- What if OCSP Server is not responding? Soft-fail? Hard-fail?
- What if OCSP Server is slow? How long to wait for an answer?
- Privacy

133 OCSP Stapling
- Web server queries the certificate vendor
- Vendor responds with the status of the certificate and a signed time-stamp
- When a client connects to the server, the server bundles the status from the vendor with the SSL certificate it is sending to the client
- The client browser verifies the signed time-stamp and knows it can trust the status
[Diagram: OCSP Server of the CA, Web Server with TLS, TLS Client; TLS Client Hello answered by TLS Server Hello & Cert & stapled OCSP response]

134 OCSP Stapling
Handshake with separate OCSP lookups:
DNS, TCP handshake, SSL handshake, Verify certificate chain, DNS to CA, TCP to CA #1, OCSP to CA #1, TCP to CA #2, OCSP to CA #2, Finish SSL Handshake
Handshake with stapled OCSP data:
DNS, TCP handshake, SSL handshake, Verify certificate chain, Process OCSP Data, Finish SSL Handshake

135 OCSP Must-Staple
- Cert includes extension muststaple
- Certificate without OCSP stapled response must be rejected
- Caching time for the OCSP response can be adjusted to shorter lifespan

136 OCSP Stapling challenges on proxy/ngfw/<insert nw-device here>
Not much direct impact on the decryption but:
- For verification of certificate revocation, vendors should adopt the support of OCSP stapling on the decrypting device.
- Ignoring the OCSP Stapled Response is lowering the security
- Ignoring the must-staple extension is against rfc7633

137 CT

138 Certificate Transparency
[Diagram: Certificate Authority sends CA submission to Log Server and receives Log Response (SCT); cert issued to Example.com; TLS Handshake between Example.com and Client (Browser)]

139 Certificate Transparency
RFC
Certificate Logs
- Append-only, cryptographically ensured log server
Auditors
- Lightweight component, usually part of the browser. Check individual certificates.
Monitors
- Periodically contact all log servers, check if the log is behaving correctly, identify suspicious certificates; usually run by large organisations such as governments, banks or CAs. Everyone can run a monitor

140 Delivery of the SCT
X509v3 Extension
- SCT as part of the certificate, attached through the CA
- No server modification necessary
TLS Extension
- Server receives the SCT from the CA and sends it to the client through a TLS Extension called signed-certificate-timestamp
- Server needs to accommodate the new extension
OCSP Stapling
- Server is receiving the SCT and adds it to the OCSP stapled response
- Client needs to understand OCSP Stapling

141 Criteria to be considered as CT Qualified
A certificate is CT qualified if it meets one of the following criteria:
1. An SCT from a log qualified at the time of check is presented via the TLS extension OR is embedded within a stapled OCSP response;
   AND there is at least one SCT from a Google Log, qualified at the time of check, presented via any method;
   AND there is at least one SCT from a non-Google Log, qualified at time of check, presented via any method.

142 Criteria to be considered as CT Qualified (2)
2. An Embedded SCT from a log qualified at the time of check is presented;
   AND there is at least one Embedded SCT from a Google Log, once or currently qualified;
   AND there is at least one Embedded SCT from a non-Google Log, once or currently qualified;
   AND there are Embedded SCTs from AT LEAST the number of logs once or currently qualified shown in Table 1.

143 SCT as x509v3 Extension
[Screenshot callouts: SCT Extension, Name of the log, Digital Signature]

144 SCT Checking with Chrome

145 Monitoring the logs
Example using crt.sh
Automatic monitoring as a service:

146 Changes coming
- Google with Chrome plans to REQUIRE a CT validation for all Certificates issued after October 2017, starting April
- Chrome already requires CT Validation for EV Certificates issued after Jan
- New Header defined: expect-ct
- Report and / or enforce CT

147 CT challenges on proxy/ngfw/<insert nw-device here>
- Header and SCT not copied over, but certificate is EV or issued after October > Client will lose the green bar as an indicator in Chrome Browser for EV Certificates or display warning.
- Workaround for specific URLs: 3#CertificateTransparencyEnforcementDisabledForUrls
- Very likely: Same exception being made as for HPKP, ignore the CT requirement in case the cert is signed by a trusted corporate CA

148 HTTP 1.0
Client: Hello
Server: Hello
Client: Can I have a picture of a cat?
Server: Here is a picture of a cat
Client: Thanks, bye!
Server: Thanks, bye!

149 HTTP 1.1
Client: Hello
Server: Hello
Client: Can I have a picture of a cat?
Server: Here is a picture of a cat
Client: Can I have a picture of a dog?
Server: Here is a picture of a dog
Client: Thanks, bye!
Server: Thanks, bye!

150 HTTP/2

151 SPDY & HTTP2
HTTP/2 Specification is strongly based on input from SPDY & TLS

152 HTTP/2 Features & Characteristics
- Header compression
- True multiplexing
- Re-use of TCP connections
- Important with domain sharding (same ip, different domains)
- Browser limits connections per domain -> use subdomains: i.ytimg.com for icons, s.ytimg.com for stylesheets
- Server pushing content to the client
- Prioritization of streams
- Binary Format

153 HTTP2 Binary Format
[Diagram: layers Application (HTTP2) with Binary Frame, Session (TLS) optional, Transport (TCP), Network (IP). An HTTP/1.1 message (GET /index.html HTTP/1.1, Host:, Content-Type: text/html, Content-Length: 42, body { msg : CiscoLive 2016 }) is carried as a HEADER FRAME and a DATA FRAME]
Pro: Easier to parse, more efficient use of data transfer
Con: Server, Client & Gateways need to understand the new format

154 HTTP2 Frame Format
LENGTH (24 bit) | TYPE (8 bit) | FLAGS (8 bit)
R (1bit) | Stream Identifier (31 bit)
FRAME PAYLOAD
- Stream ID: Odd numbers = initiated from client, even numbers = initiated from server
- TYPE of the Header
- Flags: END_STREAM, END_HEADERS, PRIORITY,

155 HTTP2 Frame Format (2)
DATA: Transport of http body messages
HEADERS: Transport of http header information
PRIORITY: Signal of the priority of a stream coming from the server
RST_STREAM: Signal the termination of a stream
SETTINGS: Configuration parameters for the connection
PUSH_PROMISE: Signal a promise to serve the referenced resource
PING: Alive check and RTT measurement
GOAWAY: Stop creating new streams for the current connection
WINDOW_UPDATE: Stream and connection flow control
CONTINUATION: Continue a sequence of header block fragments
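What an inspecting gateway has to do with the frame layout and frame types from the two slides above, as an added example that is not part of the original deck: walk a decrypted HTTP/2 byte stream, decode each 9-byte frame header, and attribute the frame to a stream and its initiator. The frame type codes and flag bits are taken from RFC 7540; the sample buffer is constructed, mixes both directions for brevity, and its payloads are treated as opaque.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface
FRAME_TYPES = ["DATA", "HEADERS", "PRIORITY", "RST_STREAM", "SETTINGS",
               "PUSH_PROMISE", "PING", "GOAWAY", "WINDOW_UPDATE", "CONTINUATION"]
# Flag bits only have meaning per frame type (0x1 is END_STREAM or ACK).
FLAGS = {
    "DATA": {0x1: "END_STREAM", 0x8: "PADDED"},
    "HEADERS": {0x1: "END_STREAM", 0x4: "END_HEADERS", 0x8: "PADDED", 0x20: "PRIORITY"},
    "SETTINGS": {0x1: "ACK"},
    "PUSH_PROMISE": {0x4: "END_HEADERS", 0x8: "PADDED"},
    "PING": {0x1: "ACK"},
    "CONTINUATION": {0x4: "END_HEADERS"},
}


def make_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf):
    """Walk a decrypted HTTP/2 byte stream and return one dict per frame."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    frames = []
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        # The top bit of the last four header bytes is the reserved R bit.
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if len(buf) - pos - 9 < length:
            raise ValueError("truncated payload at offset %d" % pos)
        name = FRAME_TYPES[ftype] if ftype < len(FRAME_TYPES) else "UNKNOWN(%d)" % ftype
        if stream_id == 0:
            initiator = "connection"      # stream 0 carries connection-level frames
        else:
            initiator = "client" if stream_id % 2 else "server"
        frames.append({
            "type": name, "length": length, "stream": stream_id, "initiator": initiator,
            "flags": sorted(n for bit, n in FLAGS.get(name, {}).items() if flags & bit),
        })
        pos += 9 + length
    return frames


def closed_streams(frames):
    """Stream ids on which the sender has signalled END_STREAM."""
    return sorted({f["stream"] for f in frames if "END_STREAM" in f["flags"]})


# Constructed sample; header blocks and bodies are opaque to this parser.
SAMPLE = PREFACE + b"".join([
    make_frame(4, 0x0, 0),                      # SETTINGS, empty
    make_frame(1, 0x5, 1, b"\x82\x86\x84"),     # HEADERS, END_STREAM | END_HEADERS
    make_frame(1, 0x4, 3, b"\x82\x86\x84"),     # HEADERS, END_HEADERS
    make_frame(0, 0x1, 3, b"hello"),            # DATA, END_STREAM
    make_frame(0, 0x0, 2, b"pushed"),           # DATA on a server-initiated stream
])

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE):
        print(frame)
```

Requests for different resources arrive interleaved on one TCP connection, so per-request policy on a gateway has to key on the stream id rather than on the connection.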

156 HTTP/2 Streams & Connections
[Diagram: one Connection carrying Stream #1 and Stream #2; each stream has a Request Message and a Response Message made of HEADERS and DATA frames]

157 HTTP 2.0
Client: Hello / Can I have a picture of a house? And a car? And a dog? And a cat / Thanks, bye!
Server: Hello / Here is a picture of a house / Here is a picture of a car / Here is a picture of a dog / Here is a picture of a cat / I think you need a picture of kittens / Bye!

158 HTTP, HTTPS, and HTTP2 Layering
[Diagram labels: TCP connections per site; Fewer TCP connections]

159 Upgrade to HTTP/2
- No change in URL structure ( )
- Browser and server need to agree which protocol to use
Non-Secure
- Client: send Upgrade header, requesting upgrade to H2C
- Server: respond either with HTTP/1.1 OK (=upgrade not accepted) or HTTP 101 SWITCHING PROTOCOLS (=upgrade accepted)
Secure
- Leveraging ALPN Extension in TLS Client Hello

160 HTTP/2 Negotiation over TLS
Application Layer Protocol Negotiation (ALPN)
- Client will offer its supported protocols and server will pick one of them
- TLS Extension called ALPN as part of the TLS Client Hello
[Screenshot callouts: First, HTTP/2; Second, SPDY; Third, HTTP/1.1]

161 HTTP/2 Negotiation over TLS (2)
Application Layer Protocol Negotiation (ALPN)
- Server Hello: Server decided to choose H2 (HTTP2)
- H2 is the chosen protocol

162 HTTP2 and TLS
- Multiplex requests and responses over single TCP connection
- More efficient object retrieval
- One TCP connection to each server (avoids TCP & TLS setup delays)
- All browsers only attempt HTTP2 over TLS
- Chrome, Firefox, Safari
- Avoids difficult fallback code (as was necessary with HTTP 1.1 and middleboxes)
- Upgrades to HTTP2 using TLS extension
- Saves round trip of using HTTP's Upgrade: header
- Page load time: HTTP2-over-TLS is equivalent to (plaintext) HTTP
- Eliminates TLS page load time penalty

163 HTTP/2 Facts
- Pages loading faster
- More usage of TLS
- Fewer TCP connections but longer lifetime
- HTTP/2 growing fast, websites change from SPDY to HTTP/2
- SPDY has proven that a new protocol can grow fast

164 HTTP/2 Uptake

165 HTTP/2 challenges on proxy/ngfw/<insert nw-device here>
- HTTP/2 encrypted with TLS
- Binary Format & Header Compressions need to be parsed (no more cleartext)
- Single TCP connection reuse

166 HTTP/2 challenges on proxy/ngfw/<insert nw-device here>
- Single TCP connection reuse
- Domain must be in certificate and resolve to same IP
- news.yahoo.com, sports.yahoo.com

167 TLS 1.3

168 TLS 1.3 draft
- Removal of static RSA authentication mode
- Using DHE / ECDHE instead for PFS
- Reducing overhead by using a 1-RTT handshake
- Fallback to legacy handshake if client cannot handle it
- 0-RTT Session resumption -> Tickets + PSK
- Remove non-AEAD ciphers (CBC), compression, RC4, MD5, SHA224
- Encrypting more values in the handshake
- Certificate Extensions such as CN & SAN

169 TLS Handshake
Client -> Server: ClientHello
Server -> Client: ServerHello, ServerCertChain & (SrvKeyExchg)
Client: Verify Server Certificate & Check Crypto Parameters
Client -> Server: ClientKeyExch, ChangeCipherSpec, ClientFinished
Server -> Client: ChangeCipherSpec, ServerFinished
Client <-> Server: Encrypted Data

170 TLS 1.3 Handshake
Client -> Server: ClientHello + KeyShare
Server -> Client: ServerHello + KeyShare, EncryptedExtensions & Certificate, Finished
Client: Verify Server Certificate & Check Crypto Parameters
Client -> Server: Finished + Data
Client <-> Server: Encrypted Data

171 Modification in TLS 1.3 Client Hello
TLS 1.3 was breaking some Security Gateways due to unsupported extensions and ciphers
Decision of IETF:
- Signal TLS 1.2 in the Version field
- Signal TLS 1.3 in an additional extension
Servers that don't understand the extension will negotiate TLS 1.2
Servers that understand TLS 1.3 will ignore the version field and negotiate TLS 1.3
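The three ClientHello fields the slides rely on (the SNI name used for host detection, the ALPN offer used for HTTP/2 negotiation, and the extension that signals TLS 1.3 while the version field still says TLS 1.2) can be read by a transparent device before any decryption decision. The parser below is an added example, not code from the original deck; the extension numbers are the IANA-registered values, the sample ClientHello is constructed, and it assumes the whole ClientHello arrives in a single TLS record.

```python
import struct

EXT_SERVER_NAME, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43


def tls_vec(data, len_bytes):
    """TLS vector: payload prefixed with its big-endian length."""
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(sni, alpn, versions):
    """Constructed sample input: a minimal ClientHello in one TLS record."""
    ext_bodies = [
        (EXT_SERVER_NAME, tls_vec(b"\x00" + tls_vec(sni.encode("ascii"), 2), 2)),
        (EXT_ALPN, tls_vec(b"".join(tls_vec(p.encode("ascii"), 1) for p in alpn), 2)),
        (EXT_SUPPORTED_VERSIONS, tls_vec(b"".join(struct.pack("!H", v) for v in versions), 1)),
    ]
    exts = b"".join(struct.pack("!H", t) + tls_vec(body, 2) for t, body in ext_bodies)
    body = (b"\x03\x03" + bytes(32)            # legacy_version TLS 1.2, zeroed random
            + tls_vec(b"", 1)                  # empty session_id
            + tls_vec(b"\x13\x01\xc0\x2f", 2)  # two cipher suites
            + tls_vec(b"\x00", 1)              # null compression
            + tls_vec(exts, 2))
    return b"\x16\x03\x01" + tls_vec(b"\x01" + tls_vec(body, 3), 2)


class Reader:
    """Bounds-checked cursor; every read fails closed on truncated input."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated or malformed ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, len_bytes):
        return Reader(self.take(self.uint(len_bytes)))

    def left(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Extract legacy_version, SNI, ALPN offer and supported_versions."""
    r = Reader(record)
    if r.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                                  # record-layer version
    hs = r.vec(2)
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    ch = hs.vec(3)
    info = {"legacy_version": ch.uint(2), "sni": None,
            "alpn": [], "supported_versions": []}
    ch.take(32)                                # random
    ch.vec(1)                                  # session_id
    ch.vec(2)                                  # cipher_suites
    ch.vec(1)                                  # compression_methods
    if not ch.left():
        return info                            # no extensions, so no SNI either
    exts = ch.vec(2)
    while exts.left():
        ext_type, body = exts.uint(2), exts.vec(2)
        if ext_type == EXT_SERVER_NAME:
            names = body.vec(2)
            while names.left():
                name_type, host = names.uint(1), names.vec(2).data
                if name_type == 0:             # host_name
                    info["sni"] = host.decode("ascii", "replace").lower()
        elif ext_type == EXT_ALPN:
            protos = body.vec(2)
            while protos.left():
                info["alpn"].append(protos.vec(1).data.decode("ascii", "replace"))
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            vers = body.vec(1)
            while vers.left():
                info["supported_versions"].append(vers.uint(2))
    return info


def offers_tls13(info):
    """TLS 1.3 is 0x0304 in supported_versions; drafts used 0x7fNN."""
    return any(v == 0x0304 or v >> 8 == 0x7F for v in info["supported_versions"])


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", ["h2", "http/1.1"], [0x0304, 0x0303])
    print(parse_client_hello(hello), offers_tls13(parse_client_hello(hello)))
```

A device that reads only `legacy_version` logs this connection as TLS 1.2; the policy decision has to be made on `supported_versions`.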

172 Partial TLS Handshake (TLS )
[Diagram: TLS Client, TLS Server, Desired server, Actual server. Messages: TLS ClientHello with SNI= ; TLS ServerHello; Certificate for ; Session key (encrypted with private key)]
Server certificate can avoid decrypting if entire site is blacklisted or whitelisted

173 Partial TLS Handshake (TLS 1.3)
[Diagram: TLS Client, TLS Server, Desired server, Actual server. Messages: TLS ClientHello with SNI= and Client's Diffie-Hellman key; TLS ServerHello with Server's Diffie-Hellman key; { Certificate for } and { Session key (encrypted with private key) } are {Encrypted by DH}]

174 Detecting the requested Host (recap)
The requested hostname is usually detected by one of several methods:
Transparent Request (Transparent proxy, FW)
1. Check the SNI Name in the TLS Client hello
2. Check the CN Field in the Subject of the Server Certificate
Explicit Proxy
1. Usually get the hostname from the CONNECT REQUEST
2. Check SNI, then CN field

175 TLS 1.3 challenges on proxy/ngfw/<insert nw-device here>
- CN & SAN extensions are encrypted by DH
- We can only rely on SNI to know if we should decrypt or not
- SNI can be spoofed

176 Bypassing the decrypting device
What if we send a fake SNI name?
Example: Request sent to Website A but indicating a request to Website B?
Reason:
- Browse to forbidden websites (boring)
- Malware connects to C&C through decrypting device (better reason...)

177 Testing
- Usage of Firefox plugin called Escape
- Works in UBUNTU Linux
- Can override certain websites with a fake SNI name
- Overriding requests for playboy.com with mail.google.com

178 Result of spoofed SNI strings
- Logging shows wrong URL Category
- Application detection shows wrong application
- Selection of correct policy (decrypt/pass through) is impacted
Possible Countermeasures (thoughts)
- Check for incorrect hostname (WSA, Firepower)
- Compare detected host to real host (using logging tools)
- Enforce policies over DNS (reduce attack surface)
- Use native IPv6 without any IP address sharing
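One way to implement the "compare detected host to real host" countermeasure over logs, as an added example that is not part of the original deck: for each logged TLS flow, check the SNI name against the names in the server certificate (where the device could see it) and against the addresses the enterprise resolver returned for that name. The record fields, finding labels and sample data are assumptions constructed for this example; addresses come from the documentation ranges.

```python
def hostname_matches(pattern, host):
    """Certificate name match; '*' may only replace the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) == len(h) >= 3 and p[1:] == h[1:]


def classify_flow(flow, resolved):
    """Return the findings for one logged TLS flow.

    flow: dict with 'sni', 'dst_ip' and 'cert_names' (SAN dNSNames plus the
          subject CN, or None when the certificate was not visible).
    resolved: name -> set of IPs the enterprise resolver returned for it.
    """
    sni = flow.get("sni")
    if not sni:
        return ["no-sni"]
    findings = []
    names = flow.get("cert_names")
    if names is None:
        findings.append("cert-not-visible")      # e.g. TLS 1.3 seen passively
    elif not any(hostname_matches(n, sni) for n in names):
        findings.append("sni-cert-mismatch")
    ips = resolved.get(sni.lower())
    if ips is None:
        findings.append("sni-never-resolved")    # client never asked DNS for it
    elif flow["dst_ip"] not in ips:
        findings.append("sni-dns-mismatch")
    return findings or ["ok"]


def triage(flows, resolved):
    """Map flow id -> findings for every flow that is not clean."""
    results = {}
    for flow in flows:
        findings = classify_flow(flow, resolved)
        if findings != ["ok"]:
            results[flow["id"]] = findings
    return results


# Constructed sample data (hypothetical log schema).
RESOLVED = {
    "mail.example.com": {"192.0.2.10"},
    "www.example.org": {"198.51.100.7"},
}
FLOWS = [
    {"id": 1, "sni": "mail.example.com", "dst_ip": "192.0.2.10",
     "cert_names": ["*.example.com", "example.com"]},
    {"id": 2, "sni": "mail.example.com", "dst_ip": "203.0.113.50",
     "cert_names": ["www.example.net"]},
    {"id": 3, "sni": "www.example.org", "dst_ip": "198.51.100.7",
     "cert_names": None},
    {"id": 4, "sni": "cdn.example.net", "dst_ip": "203.0.113.9",
     "cert_names": ["cdn.example.net"]},
]

if __name__ == "__main__":
    for flow_id, findings in triage(FLOWS, RESOLVED).items():
        print(flow_id, findings)
```

Content delivery networks and DNS load balancing produce benign `sni-dns-mismatch` results, so that finding is a lead for correlation rather than a verdict; `sni-cert-mismatch` on a flow that was passed through undecrypted is the stronger signal.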

179 QUIC

180 UDP vs TCP
- Connection setup in TCP plus connection setup with TLS
- Big latency until data is flowing
- Move to UDP for faster session setup

181 QUIC
Thanks to Catherine Pearce for excellent material about understanding QUIC!
- Google championed protocol to reduce latency
- UDP 80 & 443
- Encryption, congestion control and some HTTP/2 things (stream handling) move to QUIC
[Diagram: protocol stacks HTTP/2 / TLS / TCP / IP versus HTTP/2 / QUIC / UDP / IP]

182 QUIC Features
- 1-RTT connection handshake (Connection & Encryption negotiation)
- 0-RTT re-established connections
- Connections survive IP address change
- Connection identified through a unique CONNECTION UUID
- Packets can arrive in any order
- Always encrypted and authenticated
- Mostly fixes head of line blocking
- FEC (Forward Error Correction) data recovery
- Additional data is transferred to eventually recreate missing packets (RAID for the network)
- Removed from IETF Specification Work as it had minimal positive effect

183 HTTP/2 Features in QUIC
- Multiplexed streams
- Sharing connection across domains
- HPACK header compression
- Stream prioritization
- Flow Control
- Server initiated streams

184 Establishing a QUIC Connection
- If using TLS, the HTTP response header will be encrypted
- HTTP response header Alternate-Protocol: 443:quic
- Client establishes QUIC connection in the background
- Fully supported in Chrome browser
- Clients can cache if server supports QUIC
[Diagram: Client and Server; HTTP Alternate-Protocol: QUIC; QUIC Connection]

185 Wireshark with QUIC
Encrypted... UDP/443

186 Firepower detecting QUIC traffic

187 Recap: Multipath TCP
[Diagram: DATA [0], DATA [1], DATA [2] split across Network A and Network B]
- N TCP Streams contributing to ONE logical flow
- Connections can be added and brought down dynamically

188 mtcp - IPS, NGFW challenges
[Diagram: DATA [0], DATA [1], DATA [2], DATA [3] split across Network A, Network B and Network C]
Proxy?

189 mtcp - IPS, NGFW challenges (2)
[Diagram: "please contact me on IP#2"; DATA, ADD_ADDR #IP2 over Network A]
Is this now incoming or outgoing?

191 QUIC Multipath
Google QUIC does not yet use Multipath....but IETF Working Group is discussing it:
- Flows can be distributed among several UDP connections
- Can be established or torn down dynamically
- Can go different paths in the network
- Can use IPv4 and IPv6 on different connections

192 QUIC Performance
- 5% latency reduction on average
- 30% reduction in rebuffers (video pauses) on YouTube
- 1 second faster at the 99th percentile for Google web search
- Helps more for higher latency networks
- Working group within IETF has been created

193 QUIC working group
- Map HTTP cleanly to QUIC, make non-http apps work with QUIC
- Use TLS 1.3 within QUIC
00.pdf
[Diagram: protocol stacks HTTP/2 / TLS / TCP / IP versus HTTP/2 / QUIC / UDP / IP]

194 QUIC working group
- Map HTTP cleanly to QUIC, make non-http apps work with QUIC
- Use TLS 1.3 within QUIC
00.pdf
[Diagram: protocol stacks HTTP/2 / TLS / TCP / IP versus HTTP/2 / QUIC with QUIC Crypto / UDP / IP]

196 QUIC working group
- Map HTTP cleanly to QUIC, make non-http apps work with QUIC
- Use TLS 1.3 within QUIC
00.pdf
[Diagram: protocol stacks HTTP/2 / TLS / TCP / IP versus HTTP/2 / QUIC with TLS 1.3 / UDP / IP]

197 QUIC challenges on proxy/ngfw/<insert nw-device here>
- QUIC is always encrypted
- QUIC is using multiplexed streams and most likely soon also across multiple paths
- Will happily use IPv4 and IPv6 concurrently
- If QUIC is not understood, connections look like unrelated UDP connections
- QUIC can be initiated from client and from server
- Where is now inbound and where is outbound?

198 We are nearly done

199 Conclusion
- Decryption of TLS is still possible in many cases
- ...but technologies like certificate pinning or new protocols prevent decryption
- New protocols like HTTP/2, TLS 1.3 and QUIC make it hard or even impossible for network devices to scan & detect threats in the network with deep packet inspection (DPI)
- We need to change our strategy away from pure DPI and think about:
- What can we do if we cannot decrypt encrypted traffic?
- How can we still provide security and detect upcoming threats?

200 Conclusion (2)
- WSA has good TLS decryption capabilities in Version 10.x+
- FTD and Umbrella can do decryption but you need to know the limitations
- Transparent proxies & NGFW will have a big challenge in the future to be able to provide security by decrypting all traffic and not compromising on security
- Alternative methods need to be considered in a layered approach
- CTA, Stealthwatch, AMP4E
Cisco Technologies in related Sessions:
- BRKSEC-2809 Applied Advanced Network Telemetry: ETA and Beyond
- BRKSEC_3014 Security Monitoring with Stealthwatch
- BRKSEC-2047 Behind the Perimeter: Fighting Advanced Attackers

201 Links for further information
For reading in those nights where you cannot sleep
- RFC for specifying a Public Key Pinning in HTTP
- OWASP Explanation of Certificate Pinning
- HSTS HTTP Strict Transport Security
- Public Key Pinning Extension for HTTP
- Internet Advisory Board Statement on Confidentiality
- TLS 1.3 draft
- CT Explained

