NETASQ: SSL Proxy. Presentation. Antonino NAPOLI

Transcription

1 NETASQ: SSL Proxy Presentation Antonino NAPOLI

2 Content of this presentation : I. Reminders on SSL protocol II. SSL Proxy 1) How does it work? 2) Trust chain 3) Customizing the Proxy Authority 4) Examples of production configurations 5) Limits III. Trouble-shooting 1) Configuration files presentation 2) Logs 3) Verbose 4) Useful commands 5) Common error 6) Opening an incident

3 Reminders on SSL protocol What is a Secure Socket Layer connection? SSL is a ciphered tunnel between a client and a server able to carry anything in TCP. Thanks to the peer trust mechanism : - Using certificate - Trust of the issuer or peer - Revocation list Protection against replay attacks.

4 How does it work? When a new SSL connection is coming, ASQ looks at its filter rules, if there is an action Decrypt it redirects the connection to the SSL Proxy ( :8084). The proxy takes the connection and stalls it. A new SSL connection is established with the original server to retrieve its certificate so as to identify its CN (Common Name).

5 How does it work? Once the server's Common Name is retrieved, the proxy examines it and decides what to do depending on the SSL filtering policy : - let the connection pass without decrypting - block the connection without decrypting - decrypt the connection

6 How does it work? The cases where the connection can be automatically blocked are : - Server does not provide valid SSL/TLS information - Server uses SSLv1 or v2 (not secure anymore) - CA that signs server certificate is not trusted by the proxy - Server certificate is expired - Server certificate is revoked (only in case of custom CA) - Server asks for an authentication but the policy says decrypt Most of those parameters are configurable in Proxy tab of the menu APPLICATION PROTECTION / Protocols and applications / SSL / Proxy

7 How does it work? In case where the connection must not be decrypted (category sslproxy_bypass in the example below), then the first proxy-server connection is closed. A new SSL connection proxy-server is opened providing to the server the same informations provided by the client during the SSL handshake and forwarding the original server's certificate to the client.

8 How does it work? If the connection is granted and if the action is block or decrypt, then the SSL Proxy will spoof the server SSL identity creating a fake certificate issued from the Proxy CA with : - the Common Name of the original server's certificate - the Alternatives Names of the original server's certificate This fake certificate will then be presented to the client.

9 How does it work? Due to heavy cost for creating a SSL pair of keys, we have chosen to create only one pair on SSL Proxy start-up using OpenSSL, and to create dynamically the certificates shown to the client with this unique keys. By default, this key is an RSA 1024 bits type. Another point is the certificate creation date ( Not-Before date). If the clocks are not correctly synchronized, the newly created certificate may not be valid immediately. So we generate the certificate one week in the past.

10 How does it work? Optimizing the performances / servers cache When a new connection arrives to the SSL proxy, it first compares the destination IP and the destination port to a local cache. Only servers informations which action is Block or Do not decrypt are stored in the local Proxy SSL's servers cache. Servers with action Decrypt are not stored in this cache, because it always needs to do the negociation. This cache is purged when proxy refreshes its configuration (SIGHUP).

11 How does it work? Optimizing the performances In case the connection should be decrypted, we reuse the first connection to the server. https 443 https 443 SSL Proxy Initial connexion Reused connexion ASQ https 443 SSL Proxy HTTP Proxy Only one loop https 443

12 How does it work? Optimizing the performances / fake-certificates cache Fake-certificates creation take times, if the identity of the destination server has been already retrieved there is no need to re-create the certificate each time.

13 How does it work? Optimizing the performances / fake-certificates cache Fake-certificates life-time is configurable in the SSL proxy global configuration. Size of the cache depends on the UTM's model, and there is a rotation in case of saturation.

14 Trust chain : client-proxy A warning may be displayed in the browser because of the fact that the Proxy CA is not trusted by the client. Use a SSL authority that the client trusts or make the client trust the Proxy SSL Authority. To allow an easy deployment, authenticated users can download the CA from the captive portal.

15 Trust chain : proxy-server By default the firmware contains the list of most known public CA and trust them. This list can be edited into the menu APPLICATION PROTECTION / Protocols and applications / SSL and click on Go to global configuration button. This list is contained in the firmware, not in the configuration.

16 Trust chain : proxy-server However, the company can have one or more self-signed CA that the clients must trust. To make them trusted by the proxy you must import them into the tab CUSTOMIZED CERTIFICATE AUTHORITIES.

17 Customizing the Proxy Authority In default configuration there is already a Certificate Authority for the SSL proxy You can choose another one (imported or directly created on the UTM). This CA will be used to create the fake certificates. You can also choose the maximum validity of the fake certificates.

18 Limits - Only redirections toward HTTP, SMTP, POP3 proxies are supported. - Decrypting protocols which open child connections (FTPS, etc.) is not supported. - Authentication with the action Decrypt. SSL proxy cannot authenticate in itself, you will need to set the CN of the server certificate in the proxyssl_bypass. - Client side pre-selected certificate trust (windowsupdate.com for example). - Applying SSL proxy for incoming traffic is not supported. - The major limitation of the SSL filtering is the matching only by CN. One certificate can have multiple names. As in this example for Google Certificate. In this case we only match the first one : *.google.com Then, if you allow *.google.com to be decrypted, the access to *.youtube.com is also granted. The solution for this problem is to enable URL filtering via HTTP proxy (see after).

19 Limits In case that the server requests a SSL authentication or if the client waits for a pre-selected certificate (for example Windows Update) You will have to set the server CN into a group (proxyssl_bypass for example) And configure in the SSL filtering policy that this group should not be decrypted.

20 Limits How to allow Google but deny Youtube? You will need to decrypt the HTTPS traffic and redirect the plain one to the HTTP proxy. This will allow you to differenciate the two websites with URL filtering policy.

21 Examples of production configurations SSL Proxy can be used to : I. Make ASQ analysis on encrypted traffic II. Make ASQ + (HTTP/SMTP/POP3) proxy analysis on encrypted traffic III. Authenticate users using HTTPS request To easily create your SSL proxy rules, prefer to use the wizard from the filtering policy :

22 Examples of production configurations Most of the time, SSL analyzing rules consist in two rules. 1) On the first rule : - the action Decrypt redirects the SSL traffic to the proxy. - the SSL filtering slot says what to do with the SSL traffic ( Block, Pass without decrypt or Decrypt ). If no SSL filtering is set, action will be Decrypt 2) The second rule will say what to do with the decrypted traffic. In this example we make ASQ, HTTP proxy and antivirus analysis. Note that the destination port stays the real one used in the SSL connection.

23 Examples of production configurations I. ASQ analysis on encrypted traffic For this first example, we will just decrypt Jabber protocol over SSL. The decrypted traffic will then be analyzed by the ASQ plugin Jabber Google Talk (XMPP). The wizard will create two rules : - one rule to decrypt the traffic - the second which analyzes the decrypted traffic and which allow the original connection to pass through the UTM

24 Examples of production configurations This is the overall mechanism : Decipher rule Analysis rule ASQ Jabbers 5223 Ciphered data Plain data Proxy 8084 SSL Proxy Jabbers 5223 Ciphered data Kernel User

25 Examples of production configurations II. ASQ + proxy analysis Example with the SMTP proxy. The following rules will decrypt the SMTPS : The plain SMTP traffic will then be filtered by the SMTP proxy :

26 Examples of production configurations This is the overall mechanism : Decipher rule Analysis rule (with SMTP filtering) ASQ smtps 465 smtps 465 Proxy 8085 Ciphered data Plain data Proxy 8084 SSL Proxy Proxy 8081 SMTP Proxy Ciphered data Kernel User

27 Examples of production configurations Note that in case of redirection to another proxy, decrypted traffic can be seen on Loopback interface. This is not the case when no redirection to another proxy is done by the SSL proxy. For example in Jabbers decryption.

28 Examples of production configurations III. Authentication using a HTTPS request Non-authenticated users are redirected toward the authentication portal by the HTTP proxy. Then, only a HTTP request can redirect the client to the authentication portal. If you want to do so using a HTTPS request, you will have to decrypt it. Below the required configuration : - the first rule redirects the HTTPS traffic to the SSL proxy - the second rule allows the HTTP proxy to redirect the plain traffic to the authentication portal - the third rule allows the authenticated users to go on internet in HTTPS

29 Trouble-shooting / Configuration files /usr/firewall/configfiles/protocols/ssl/xx Those files contain the proxy configuration per profile (XX corresponding to the profile). [Proxy] BindAddr= # binding ip source OnFailedPolicy=block # Block NoDecrypt SSL policy for error cases OnInvalidName=block # Block Filter SSL policy for invalid name cases OnInvalidType=block # Block Filter SSL policy for invalid certificate type UntrustedCAPolicy=block # Block NoDecrypt SSL policy for untrusted CA SelfSignedCertifPolicy=block # Block Filter Auto signed certificate Policy ValidityDatePolicy=block # Block Filter Validity date Policy ContentInspection=1 # Enable 1 disable 0 : Content filtering, bypass ASQ on loopback FullTransparent=0 # disable/enable full transparent mode

30 Trouble-shooting / Configuration files /usr/firewall/configfiles/protocols/ssl/common This file contains the global configuration of the proxy (common to all profiles). [Proxy] MaxSession= # max number of connections Backlog= # maximum length the queue of pending connections may grow to SocketConnLimit= # pourcent of maxconn (threshold we dicrease socket buffer size) SocketRbufSize= # socket read bufsize in KB SocketWbufSize= # socket write bufsize in KB BufSizeLimit= # pourcent of maxconn (threshold we decrease internal buffer size) ClientBufSize= # client-side bufsize in KB ServerBufSize= # server-side bufsize in KB CipherLevelAlgorithm=28 # Low = 4 Medium = 8 High = 16 NbMaxFakeCertif= # Limit for the number of fake-certificate saved on the ramdrive CacheIpSize= # Nb of entries for the IP cache CaCustom=1 # Enable 1 Disable 0 CATrusted=All # All None exception Copy the Trusted CA to the verify directory CA="SSL proxy default authority" CAPassphrase=6hb91pt[elz9Ql4o%PeP$H$[C FakeCertifValidityDate=7 # Number of days for the fake certif validity ApplyNat=0 # 0 1 Allow outbound connections from proxies to match any NAT rule instead of just dst-only [ProxyCATrustedException] 3f2a05af.0 [ProxyCACustomUsed] CUSTOM_CA # list of trusted certificate that will be blocked/pass by OnFailedPolicy # list of custom certificate that will be used

31 Trouble-shooting / Configuration files /usr/firewall/configfiles/filter/xx [Filter]... decrypt inspection ips sslfiltering:0 from Network_internals to internet port https pass from Network_internals via sslproxy to internet port https /usr/firewall/configfiles/sslfiltering/xx [rules] state=on action=nodecrypt cngroup=proxyssl_bypass comment="don't decrypt some specific ssl servers" state=on action=block cngroup=employment comment="" state=on action=decrypt cngroup=any comment="default rule (decrypt all)" ~/ConfigFiles/Certificates/ The proxy authority is stored here /var/cert/sslproxy/ CA trusted + CA custom: /var/cert/sslproxy/trusted_ca/ Cache of fake certificates: /var/cert/sslproxy/servers/ Private key for fake certificates: /var/cert/sslproxy/server_privatekey/ Internal use: /var/cert/sslproxy/work/

32 Trouble-shooting / Error logs SSL proxy logs are stored in files /log/l_ssl on product with hard-disk. For product without hard-disk, the following NSRPC command allows to retrieve them : MONITOR LOG SSL Logs explanation - Self signed cert : the server presents a self-signed certificate. By default it is not allowed, the behavior can be customized. (Issuer = CN). - Untrusted CA : the server presents a certificate which has been signed by an unknown or untrusted CA. By default it is not allowed, behavior can be customized. But the best solution is to import the custom authority and to trust it. - Certificate expired or Certificate is not yet valid : Out of the validity period. Certificates providers (live Verisign) create certificates for a short period only (1-3 years). The server administrator had not updated the certificate. Another explanation is that the firewall clock is not up-to-date. The behavior can be configured by profile.

33 Trouble-shooting / Error logs - Negocation with server : error : An unmanaged SSL error ocurs during the connection to the server. Three cases to check : 1. Server closes the connection unexpectedly. 2. Server looks for a particular SSL session (like authentication) and drops others. 3. Is the server really a SSL one? - Get certificate info error : 1. The SSL handshake begins correctly but the server does not provide its certificate. 2. The proxy has no more memory (improbable error, certainly an attack). - Invalid CN in certificate : the server presents a valid certificate from OpenSSL point of view, but the Common Name is not valid. An invalid Common Name is : 1. More than 64 characters length 2. Not a valid FQDN (example : netasq-com ). - Rules matches: block : server is blocked in the policy. Check the configuration. - Connection interrupted : not really an error, just to report to the administrator that the TCP connection was not correctly closed [FINACK-ACK-FINACK-ACK]

34 Trouble-shooting / Verbose To enable it, edit the file ~/ConfigFiles/proxy as below and enter the command tproxyd -d [Config] Verbose=ssl Verbosefile="/tmp/tproxyd.debug" VerboseAtStart=0 # 0 or 1, indicates if verbose must be activated at the start Stat= # in seconds StatFile="/tmp/tproxyd.stat" URLFiltering=NETASQ # <Vendor> <Netasq> RlimitNoFile=1 # enable/disable descriptors limit HttpState= # for debug purpose only FtpState= # for debug purpose only SmtpState= # for debug purpose only Pop3State= # for debug purpose only SslState= # for debug purpose only Enable the verbose mode entering the commands (recommanded) : setconf ~/ConfigFiles/proxy Config Verbose ssl tproxyd -d A file named /tmp/tproxyd.debug should be created. Stop it entering again the command tproxyd -d

35 Trouble-shooting / Verbose [ :32:09] ssl : sslproxy_handle_newconnect [ :32:09] ssl : [fwproxy_nat_lookup] src= :47393 [ :32:09] ssl : [fwproxy_nat_lookup] dst= :8084 [ :32:09] ssl : [fwproxy_nat_lookup] slotlevel=2 ruleid=1 conf_index=1 [ :32:09] ssl : [fwproxy_nat_lookup] srcifname=eth1 dstifname=eth0 daddr= dport=443 Informations on the new connection [ :32:09] ssl : fd=12 ip= [sslproxy_handle_newconnect] profile=1 [ :32:09] ssl : fd=12 ip= [sslproxy_get_infodefaultport] Connect with plugin : HTTP to the loopback :8085 [ :32:09] ssl : fd=12 ip= new connection dstport = 443 [ :32:09] ssl : fd=12 ip= [set_sslfiltering] Use SSLFiltering:00 for this connection SSL filtering slot which will be used [ :32:09] ssl : fd=12 ip= [sslproxy_is_in_cache] Server :443 not found in cache Server was not found in the Server cache [...] [ :32:09] ssl : fd=12 ip= [tproxyd_connect_to_server_type] new connection to server (srv_fd=13 srv_addr= :443) [ :32:09] ssl : fd=12 ip= [sslproxy_print_cipher] TLSv1, cipher AES128-SHA (128 bits) [ :32:09] ssl : fd=12 ip= [tproxyd_handle_proxy_negotiation] Server side negotiation OK (NEW cipher) [ :32:09] ssl : fd=12 ip= [get_name_and_action_from_peer] CN = *.netasq.com Server identity is retrieved [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] Search pass 0/1 group proxyssl_bypass [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] Search pass 0/1 group any [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] match: 3 any => Decrypt [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] Rule 'any' has matched: make another pass [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] Search pass 1/1 group proxyssl_bypass [ :32:09] ssl : fd=12 ip= [proxy_is_url_valid] No other match with previous rules after url decomposition [ :32:09] ssl : fd=12 ip= [tproxyd_handle_proxy_negotiation] rule matches, action=decipher : decipher the connection Matching of the SSL filtering policy, what to do for this server? [ :32:09] ssl : fd=12 ip= [sslproxy_create_fakecertif] Fake certif already exist : *.netasq.com [ :32:09] ssl : fd=12 ip= [sslproxy_create_fakecertif] Fake server certificate *.netasq.com expires after : :54:34 [ :32:09] ssl : fd=12 ip= [sslproxy_create_fakecertif] Use fake server certificate : *.netasq.com Fake certificate already exists, proxy will send it to the client [ :32:09] ssl : fd=12 ip= [sslproxy_print_cipher] TLSv1, cipher AES128-SHA (128 bits) [ :32:09] ssl : fd=12 ip= [tproxyd_handle_negotiation] client side negotiation OK (REUSED cipher) CI=1 Re-use of the initial connection

36 Trouble-shooting / Verbose [ :52:30] ssl : sslproxy_handle_newconnect [ :52:30] ssl : [fwproxy_nat_lookup] src= :54511 [ :52:30] ssl : [fwproxy_nat_lookup] dst= :8084 [ :52:30] ssl : [fwproxy_nat_lookup] slotlevel=2 ruleid=1 conf_index=1 [ :52:30] ssl : [fwproxy_nat_lookup] srcifname=eth1 dstifname=eth0 daddr= dport=443 [ :52:30] ssl : fd=12 ip= [sslproxy_handle_newconnect] profile=1 [ :52:30] ssl : fd=12 ip= [sslproxy_get_infodefaultport] Connect with plugin : HTTP to the loopback :8085 [ :52:30] ssl : fd=12 ip= new connection dstport = 443 [ :52:30] ssl : fd=12 ip= [set_sslfiltering] Use SSLFiltering:00 for this connection [ :52:30] ssl : fd=12 ip= [sslproxy_is_in_cache] Server :443 not found in cache [ :52:30] ssl : fd=12 ip= [tproxyd_connect_to_server_type] new connection to server (srv_fd=13 srv_addr= :443) [ :52:30] ssl : fd=12 ip= [sslproxy_print_cipher] TLSv1, cipher AES128-SHA (128 bits) [ :52:30] ssl : fd=12 ip= [tproxyd_handle_proxy_negotiation] Server side negotiation OK (NEW cipher) [ :52:30] ssl : fd=12 ip= [get_name_and_action_from_peer] CN = toto.netasq.com [ :52:30] ssl : fd=12 ip= [get_name_and_action_from_peer] Subject="C=FR/ST=Nord/L=Villeneuve d'ascq/o=netasq Secure Internet Connectivity/OU=NETASQ Certification Authority/CN=toto.netasq.com" Issuer="C=FR/ST=Nord/L=Villeneuve d'ascq/o=netasq - Secure Internet Connectivity/OU=NETASQ Certification Authority" Untrusted CA, policy block : connection close [ :52:30] ssl : fd=12 ip= [tproxyd_handle_proxy_negotiation] Connection blocked from policy [ :52:30] ssl : fd=12 ip= [sslproxy_create_fakecertif] Fake certif already exist : toto.netasq.com [ :52:30] ssl : fd=12 ip= [sslproxy_create_fakecertif] Fake server certificate toto.netasq.com expires after : :51:10 [ :52:30] ssl : fd=12 ip= [sslproxy_create_fakecertif] Use fake server certificate : toto.netasq.com [ :52:30] ssl : fd=12 ip= [sslproxy_print_cipher] TLSv1, cipher AES128-SHA (128 bits) [ :52:30] ssl : fd=12 ip= [tproxyd_handle_block_page] client negotiation OK (REUSED cipher). Send block page [ :52:30] ssl : fd=12 ip= [sslproxy_event_write_client] connection close server side is close and no more data is to send

37 Trouble-shooting / Useful commands Retrieve proxy rules : tproxyd -s rules OEM groups loaded CN groups loaded -- Rules: Rule n 1: - slotlevel = 02 ruleid = 01 - config = -1 - dst = "" - dstservice = "" - dstlb = noloadbalancing - antivirus = off - antispam = off - urlfiltering = -1 - mailfiltering = -1 - ftpfiltering = off - sslfiltering = 00 - serviceauth = off Enabled proxies: - ssl

38 Trouble-shooting / Useful commands Retrieve SSL proxy configuration : tproxyd -s ssl -- Ssl proxy : enabled SSL Filtering part ----(Default action = Block) : /usr/firewall/configfiles/sslfiltering/00 1: proxyssl_bypass ==> Nodecrypt 3: any ==> Decrypt Profile part ----/usr/firewall/configfiles/protocols/ssl/00. BindAddr=none. FullTransparent=1 On failed policy = Block On invalid cert name = Block On invalid cert type = Block UnTrusted CA policy = Block Self signed certificate = Block Validity Date Policy = Block Enable inspection through Loopback /usr/firewall/configfiles/protocols/ssl/01. BindAddr=none. FullTransparent=0 On failed policy = Block On invalid cert name = Block On invalid cert type = Block UnTrusted CA policy = Nodecrypt Self signed certificate = Block Validity Date Policy = Block Enable inspection through Loopback Common part ----SSL default port plugin:http ssdefaultport=443 SSL default port plugin:ftp ssdefaultport=990 SSL default port plugin:telnet ssdefaultport=992 SSL default port plugin:smtp ssdefaultport=465 SSL default port plugin:pop3 ssdefaultport=995 SSL default port plugin:imap4 ssdefaultport=993 SSL default port plugin:nntp ssdefaultport=563 SSL default port plugin:sip_tcp ssdefaultport=5061 SSL default port plugin:xmpp ssdefaultport=5223 SSL default port plugin:irc ssdefaultport=994. Max nb of connections=2070. Max nb of connections from one ip=1863. Backlog=207. Sockets rbufsize=57344 wbufsize= If nb connections > 1035 then --> Sockets rbufsize=8192 wbufsize=8192. Proxy buffers: clientbufsize=2048 serverbufsize=2048. Apply NAT is Disabled Use ALL the embedded CA trusted Use the embedded CA custom : Cipher Level = Low Medium HighCA used to sign the fake certificats = SSL proxy default authority Max nb of IP in cache = 40 Limit of validity for the fake-certifs = 7 days Max number of fake certificats = 128 Fake certificates currently used :

39 Trouble-shooting / Common error The question that raises from the administrators most of the time is : I enabled SSL proxy and some websites (like Facebook) are not correctly displayed. Why?

40 Trouble-shooting / Common error How to explain this bad display and how to solve it? This problem comes from the fact that inside SSL webpage, there could be elements available on other SSL servers, which are different from the one you initially wanted to connect. There is no warning messages reported by your browser to let you choose to download those foreign elements or not. So they are not displayed. The solution is to import the SSL proxy authority into users' web browsers. Keep in mind that in any case, you must deploy the proxy authority in the users' browsers.

41 Trouble-shooting / Opening an incident If you encounter an issue with SSL proxy, and if you are not able to find the issue by yourself, you will certainly need to open an incident upon the NETASQ TAC. Here are the informations that you will need to provide : - a full configuration backup of the product - a technical report - traffic dumps on the incoming and outgoing interfaces - SSL log file - proxy verbose Of course those elements have to be generated simultaneously.

42 Questions? Thank you for your attention! Do not hesitate if you have any questions!