SSL Visibility and Troubleshooting

Avi Vantage provides a number of features to help understand the utilization of SSL traffic and troubleshoot SSL-related issues.

Visibility

Every virtual service provides a number of useful data points and metrics. Several features in particular are valuable for digging deeper into the SSL-termination process.

Security Insights

Navigate to a Virtual Service > Security page to view the SSL and DDoS insights for the VS. SSL misconfigurations or issues, such as an expiring SSL certificate, will be highlighted on this page. They will also be shown in the health score of the virtual service, incurring a security penalty. Ideally, the security penalty should be zero, which means it is not detracting from the health or risk of a virtual service. A nonzero security penalty should be investigated and remediated.

Security Insights specific to SSL are shown on the left tiles:
- SSL Distribution
- SSL Score

Copyright 2018 Avi Networks, Inc.

SSL Distribution Insights

The SSL section on the top left of the Security page shows the most relevant SSL data about client connections terminated on Avi Vantage within the selected period of time. If SSL termination is not being performed on the virtual service, this section will have no data.

Certificate: Breaks down the certificate types used by clients during the negotiation phase of SSL session setup. A virtual service can be configured to accept both RSA and EC certificates. Avi Vantage will negotiate whichever type the client supports, with EC as the preference for clients that support both. Depending on the cipher negotiated by the client, RSA and EC may be negotiated with or without perfect forward secrecy.

TLS Version: Displays the TLS versions negotiated by clients. Avi Vantage supports TLS, but not the older and less secure SSLv2 or SSLv3.

Transactions: The average transactions per second (TPS) for new connections negotiated within the time period. This metric includes both new and reused transactions. The Transactions metric tile in the SSL section of the sidebar tiles breaks this number down further.

Failed Transactions: Number of unsuccessful transactions. Typically, transactions fail either because the client terminated the negotiation midstream, or because the client and Avi Vantage could not agree on a mutually supported cipher or TLS version. To view individual failed transactions, access the logs page of the virtual service.

SSL Score

The SSL Score section on the bottom left of the Security page shows the major factors affecting the SSL Score penalty. Any penalty here is multiplied by 5 when viewed in the virtual service health score. For instance, a site that is not using a trusted certificate has a local penalty of 4, which incurs a Security Penalty of 20 against the virtual service health score.

PFS Support: Reduces the score if PFS-capable ciphers are not enabled in the SSL profile for the virtual service.

SSL Protocol Strength: Reduces the score if an insecure SSL/TLS version is enabled.

Weakest Encryption Algorithm: Reduces the score if a weak encryption algorithm is enabled in the SSL profile. See the SSL Profile's security score for more on this.

Symmetric Encryption Cipher Strength: Reduces the score if the cipher suite uses an encryption algorithm Avi Vantage considers insecure.

Certificate Expiration Time: Reduces the score if the certificate is about to expire or has already expired.

Signature Algorithm: Reduces the score if weak hashing algorithms (such as MD5 or SHA1) are enabled in the virtual service's SSL profile.

Disable Client Renegotiation: As a best practice, Avi Vantage turns off client SSL renegotiation. This field is nonconfigurable and therefore does not impact the security score.

Trusted CA Certificate: Reduces the score if the virtual service is using a self-signed certificate.

Application Logs

The Logs tab of an individual virtual service's page shows individual connections and requests. Vantage captures a number of metrics, including several that are not shown in the UI by default, such as ciphers. Export the logs or filter on these additional metrics if desired:
- Version
- Certificate type
- Cipher
- PFS
- SSL session ID / TLS ticket
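To make the scoring rule concrete, here is an added example (not Avi Networks code) that evaluates a profile description against the factors listed above and reports the local penalties and the scaled health-score penalty. Only two numbers come from the page: the multiplier of 5 and the local penalty of 4 for an untrusted certificate. The other weights, the set of protocol versions treated as insecure, the weak-cipher token list and the 30-day "about to expire" window are assumptions made for this example, and the profile dictionary and the two sample profiles are constructed stand-ins for an SSL profile, not Avi's API or data.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Avi Networks code. Page facts: untrusted certificate = local penalty 4,
# and local penalties are multiplied by 5 in the virtual service health score.
# Every other weight, threshold and list below is an assumption for this example.
HEALTH_MULTIPLIER = 5

LOCAL_PENALTY = {
    "pfs_support": 3,          # assumed
    "protocol_strength": 4,    # assumed
    "weak_cipher": 3,          # assumed
    "cert_expiration": 4,      # assumed
    "signature_algorithm": 2,  # assumed
    "trusted_ca": 4,           # stated on the page
}

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}            # assumed set
WEAK_ENCRYPTION = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT"}  # assumed weak bulk ciphers
WEAK_HASHES = {"md5", "sha1"}                                   # named on the page
EXPIRY_WARNING = timedelta(days=30)                             # assumed warning window


def cipher_has_pfs(name: str) -> bool:
    """Ephemeral (EC)DHE key exchange, or any TLS 1.3 suite, provides forward secrecy."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def cipher_is_weak(name: str) -> bool:
    """True if any token of an OpenSSL-style cipher name is a weak bulk cipher."""
    return any(tok in WEAK_ENCRYPTION for tok in name.upper().split("-"))


def certificate_status(not_after: datetime, now: datetime) -> str:
    """Colour code in the style of the SSL Certificates page: red expired, yellow expiring soon."""
    if now >= not_after:
        return "red"
    if not_after - now <= EXPIRY_WARNING:
        return "yellow"
    return "green"


def ssl_score_penalties(profile: dict, now: datetime) -> dict:
    """Return {factor: local_penalty} for every factor that applies to the profile."""
    penalties = {}
    if not any(cipher_has_pfs(c) for c in profile["ciphers"]):
        penalties["pfs_support"] = LOCAL_PENALTY["pfs_support"]
    if INSECURE_PROTOCOLS & set(profile["protocols"]):
        penalties["protocol_strength"] = LOCAL_PENALTY["protocol_strength"]
    if any(cipher_is_weak(c) for c in profile["ciphers"]):
        penalties["weak_cipher"] = LOCAL_PENALTY["weak_cipher"]
    if certificate_status(profile["cert_not_after"], now) != "green":
        penalties["cert_expiration"] = LOCAL_PENALTY["cert_expiration"]
    if WEAK_HASHES & {h.lower() for h in profile["signature_algorithms"]}:
        penalties["signature_algorithm"] = LOCAL_PENALTY["signature_algorithm"]
    if profile["cert_self_signed"]:
        penalties["trusted_ca"] = LOCAL_PENALTY["trusted_ca"]
    return penalties


def health_security_penalty(profile: dict, now: datetime) -> int:
    """Sum of local penalties, scaled by 5 as shown in the virtual service health score."""
    return HEALTH_MULTIPLIER * sum(ssl_score_penalties(profile, now).values())


# Constructed sample data for this example.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
WEAK_PROFILE = {
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "ciphers": ["AES128-SHA", "RC4-SHA"],
    "signature_algorithms": ["sha1", "sha256"],
    "cert_not_after": NOW - timedelta(days=1),   # already expired
    "cert_self_signed": True,
}
UNTRUSTED_ONLY_PROFILE = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
    "signature_algorithms": ["sha256"],
    "cert_not_after": NOW + timedelta(days=365),
    "cert_self_signed": True,                    # the page's worked case: 4 local, 20 in health
}

if __name__ == "__main__":
    for factor, value in ssl_score_penalties(WEAK_PROFILE, NOW).items():
        print(f"{factor:20s} local penalty {value}")
    print("Security Penalty in health score:", health_security_penalty(WEAK_PROFILE, NOW))
    print("Self-signed only:", health_security_penalty(UNTRUSTED_ONLY_PROFILE, NOW))
```

The self-signed-only profile reproduces the page's arithmetic (4 locally, 20 in the health score); the weak profile shows how several independent factors stack before the multiplier, which is why a nonzero Security Penalty should be traced back to its individual factors rather than treated as one number.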

In the Log Analytics tile on the right, select the SSL tile to see a summary of the SSL data for the selected logs.

SSL Ciphers

Within Templates > Security > SSL Profile, Avi Vantage provides a basic rating system to indicate the performance, compatibility, and security of the ciphers and their order. The rating is a quick and easy way to assess the results of the cipher settings.

SSL Certificates

Within Templates > Security > SSL Certificates, Avi Vantage displays all the certs that are available. This view breaks down the type of cert and provides a simple color code to indicate the status. For instance, a certificate will turn yellow if the cert is going to expire soon, and red when it has expired. Certificate chain issues can also be viewed here.

Troubleshooting

The tools mentioned above can prove valuable for troubleshooting common SSL-related issues. Below are common issues.

Certificate Expiration

When a certificate expires, the virtual service will incur a Security Penalty. This is visible in the VS > Security page, as well as the SSL Certificates page. Consider enabling proactive certificate expiration notifications.

SSL Version Related Threats

Periodically, new vulnerabilities in SSL and TLS are announced, such as the Heartbleed and DROWN attacks. Many of these vulnerabilities target older versions of SSL, which are not enabled on Avi Vantage. To disable additional versions, such as TLS 1.0, navigate to the SSL profile to make the change. Equally important, though, is to understand the impact such a change will have on existing users. Look at the Security Insights or the Logs page to quantify how many users are negotiating via TLS 1.0, what versions of browsers they are using, and whether those browsers support newer versions of SSL/TLS.

Incompatible Ciphers

Several different issues can cause this error. The virtual service will capture logs for any SSL incompatibilities. A common cause is an SSL profile that only enables EC ciphers being applied to a virtual service that has been configured with an RSA certificate.
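The two troubleshooting questions above (how many clients still negotiate TLS 1.0, and whether a cipher list can be negotiated at all with the configured certificate) and the SSL Distribution breakdown of certificate type and PFS from the negotiated cipher can all be answered from exported logs. The following is an added example, not Avi Networks code and not Avi's export format: it parses constructed key=value records carrying the fields the Logs page lists (version, certificate type, cipher, session reuse) plus a user agent, derives the certificate type and PFS from the OpenSSL-style cipher name, tallies who is still on TLS 1.0, and checks a profile's cipher list against the virtual service's certificate type so an EC-only profile on an RSA certificate is caught before deployment. The client addresses and user agents are made up.

```python
import shlex
from collections import Counter

# Added example, not Avi Networks code. Constructed log records: one key=value record per
# line with the SSL fields the page lists plus a user agent. Not Avi Vantage's export format.
SAMPLE_LOG = """\
ts=2018-06-01T10:00:01Z client=203.0.113.10 version=TLSv1.2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 cert=EC session=new ua="Mozilla/5.0 (Windows NT 10.0) Chrome/66.0"
ts=2018-06-01T10:00:02Z client=203.0.113.11 version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cert=RSA session=reused ua="Mozilla/5.0 (Macintosh) Firefox/60.0"
ts=2018-06-01T10:00:03Z client=198.51.100.7 version=TLSv1.0 cipher=AES128-SHA cert=RSA session=new ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
ts=2018-06-01T10:00:04Z client=198.51.100.8 version=TLSv1.0 cipher=DHE-RSA-AES256-SHA cert=RSA session=new ua="Java/1.6.0_45"
ts=2018-06-01T10:00:05Z client=203.0.113.12 version=TLSv1.2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 cert=EC session=new ua="Mozilla/5.0 (Windows NT 10.0) Chrome/66.0"
ts=2018-06-01T10:00:06Z client=198.51.100.7 version=TLSv1.0 cipher=AES128-SHA cert=RSA session=reused ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


def parse_record(line: str) -> dict:
    """Split one key=value record; shlex keeps the quoted user agent as a single token."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify_cipher(name: str) -> tuple:
    """Return (certificate type the suite authenticates with, has_pfs) from an OpenSSL-style name.

    TLS 1.3 suites (TLS_...) always use ephemeral key exchange and work with either certificate
    type, so the authenticating key is taken from the certificate rather than the suite name.
    """
    if name.startswith("TLS_"):
        return "any", True
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        auth = {"RSA": "RSA", "ECDSA": "EC"}.get(parts[1], "unknown")
        return auth, parts[0] in ("ECDHE", "DHE")   # only the ephemeral variants give PFS
    return "RSA", False   # no key-exchange prefix: static RSA key exchange, RSA certificate


def summarize(log_text: str) -> dict:
    """Tally TLS versions, certificate types, PFS use, and which user agents still negotiate TLS 1.0."""
    versions, certs, pfs, tls10_agents = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        versions[rec["version"]] += 1
        certs[rec["cert"]] += 1
        _, has_pfs = classify_cipher(rec["cipher"])
        pfs["pfs" if has_pfs else "no_pfs"] += 1
        if rec["version"] == "TLSv1.0":
            tls10_agents[rec["ua"]] += 1
    return {"versions": versions, "cert_types": certs, "pfs": pfs, "tls10_user_agents": tls10_agents}


def profile_compatible_with_cert(profile_ciphers: list, cert_types: set) -> list:
    """Ciphers in the SSL profile that can be negotiated with the configured certificate type(s).

    An empty result is the 'Incompatible Ciphers' condition, e.g. an EC-only cipher list on a
    virtual service that carries only an RSA certificate: no handshake can succeed.
    """
    usable = []
    for cipher in profile_ciphers:
        auth, _ = classify_cipher(cipher)
        if auth == "any" or auth in cert_types:
            usable.append(cipher)
    return usable


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("TLS versions:      ", dict(report["versions"]))
    print("Certificate types: ", dict(report["cert_types"]))
    print("PFS:               ", dict(report["pfs"]))
    print("Still on TLS 1.0:  ", dict(report["tls10_user_agents"]))
    ec_only = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"]
    print("EC-only profile on RSA cert ->", profile_compatible_with_cert(ec_only, {"RSA"}))
```

Run over real exported logs, the TLS 1.0 user-agent tally is what decides whether disabling TLS 1.0 breaks a handful of legacy agents or a meaningful share of users; the compatibility check is worth running whenever an SSL profile is swapped on a virtual service, since the failure only shows up afterwards as failed transactions in the logs.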