Understanding HTTPS to Decrypt it


Understanding HTTPS to Decrypt it James Everett

Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda Overview of HTTPS Understanding SSL handshake Working with SSL packet captures Building SSL Policy SSL Policy best practices Troubleshooting SSL in Firepower

Your Presenter James Everett, Tech Lead for Firepower TAC, 4+ years of experience

This presentation will not cover: Firepower Device Manager, Firepower configuration (excluding SSL), TCP stream (handshakes), basic Wireshark usage, web server configurations

Overview of HTTPS

HTTPS on the web: HTTP inside an SSL tunnel. HTTPS starts as asymmetric encryption (Public Key Infrastructure)

Public Key Infrastructure Security of the unknown

Public Key Infrastructure Building trust (Trusted Certificates)

Public Key Infrastructure Malicious Certificates (Trusted Certificates)

Public Key Infrastructure Man in the middle on employees (Trusted Certificates, Company Certificate Authority)

Public Key Infrastructure Man in the middle on guests (Trusted Certificates, Company Certificate Authority)

Public Key Infrastructure Stolen private key

Questions?

Understanding SSL Handshake

Client Hello Calling an office: +192-168-2-1, Ext: www.ciscolive.com, English, French, Spanish, Video

Server Hello Company answers: www.ciscolive.com, English, Badge ID

Certificate Verify the badge ID: Ciscolive.com Badge ID C1sc02018; Directory; Snort.org Badge ID IPS

Handshake completed We feel safe talking to him

Client Hello Let us think security this time

Server Hello and Certificate Thinking security asymmetrically

Client Key Exchange This is looking better

Server Change Cipher Spec Now to complete the handshake

SSL Handshake Complete Now we are talking symmetrically

Questions?

Working with SSL packet captures

Understanding HTTPS with packet captures: high level overview, standard session/deep dive, Decrypt Re-sign

Icon Key: Stop and wait, TAC Tip, Reference Slide, Platform specific

Client Hello Unfiltered and full

Server Hello Reduced in half

Certificate Showing their credentials

Client Key Exchange Here start the encrypted messages

Standard SSL Session Example 1: standard non-decrypted SSL session to www.ciscolive.com (Example1.pcap)

Example 1

Example 1 Wireshark tip for following a stream

Example 1 HTTP to HTTPS redirect

Example 1 HTTP to HTTPS redirect zoomed in

Example 1 HTTPS connection to www.ciscolive.com

Client Hello Starting at the top

Client Hello Cipher Suites

Client Hello Extensions: Server Name Indication (SNI); issue prior to 6.1; potential new issue

Client Hello Extensions continued

Server Hello

Certificate Summarized view

Certificate Take a look before continuing

Certificate Looking into the presented server certificate

Certificate Manually checking the certificate

Certificate Expanding the extensions

Example 2 Decrypt Re-sign: Decrypt Re-sign traffic to www.ciscolive.com (Example2.pcap, CiscoLiveConnectionEvent-Example2.pdf, CiscoLiveConnectionEvent-Example2.csv)

Example 2 Overview of pcap

Example 2 Verify decryption

Example 2 Verify decryption continued

Example 2 PDF of the connection event

Example 3 Practice your skills (challenging): Example3.pcap, FMC.crt (FMC's web certificate)

Example 3 Questions: Was this traffic decrypted? How do you know?

Example 3 Answers: Was this traffic decrypted? Yes. How do you know? Serial numbers do not match. Was this a fair question? No

Example 3 How did you find the serial number difference? FMC.crt vs. Example3.pcap

Example 3 What if we cannot get the certificate? Get it from another network (Example3.pcap)

Example 3 Why is the issuer wrong?
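One way to do the Example 3 check in code: pull the serial number and issuer out of the certificate captured in the pcap and compare them with the certificate you fetched directly (FMC.crt, or the copy obtained from another network). This is an added example, not Cisco's or the session's own code; it walks the DER structure with a few hand-written helpers, and the certificates it compares are constructed skeletons (placeholder validity, key and signature), not real certificates.

```python
"""Example 3 in code: a Decrypt Re-sign policy hands the client a certificate
re-signed by the Firepower CA, so its serial number and issuer differ from
the certificate the real server presents. Uses constructed sample certificates."""


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _name(cn: str) -> bytes:
    """X.501 Name with one RDN: commonName (OID 2.5.4.3) as UTF8String."""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def build_sample_cert(serial: int, issuer_cn: str, subject_cn: str) -> bytes:
    """Constructed X.509 skeleton: real structure for the fields compared here;
    validity, public key and signature are empty placeholders."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),   # [0] EXPLICIT version v3
        _tlv(0x02, serial_bytes),          # serialNumber
        sha256_rsa,                        # signature AlgorithmIdentifier
        _name(issuer_cn),                  # issuer
        _tlv(0x30, b""),                   # validity (placeholder)
        _name(subject_cn),                 # subject
        _tlv(0x30, b""),                   # subjectPublicKeyInfo (placeholder)
    ]))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, bytes(9)))  # signature placeholder


def _der_read(buf: bytes, off: int):
    """Return (tag, content, offset_after) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _common_name(name_der: bytes) -> str:
    """Read the commonName out of a single-RDN Name (the shape built above)."""
    _, rdn_set, _ = _der_read(name_der, 0)
    _, attr, _ = _der_read(rdn_set, 0)
    _, _, off = _der_read(attr, 0)          # skip the attribute OID
    _, value, _ = _der_read(attr, off)
    return value.decode()


def cert_identity(cert_der: bytes) -> dict:
    """Serial number and issuer CN, the two fields Example 3 compares."""
    _, cert, _ = _der_read(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = _der_read(cert, 0)           # tbsCertificate
    tag, content, off = _der_read(tbs, 0)
    if tag == 0xA0:                          # optional [0] version present
        tag, content, off = _der_read(tbs, off)
    serial = int.from_bytes(content, "big")  # INTEGER serialNumber
    _, _, off = _der_read(tbs, off)          # signature AlgorithmIdentifier
    _, issuer, _ = _der_read(tbs, off)       # issuer Name
    return {"serial": serial, "issuer_cn": _common_name(issuer)}


def was_resigned(known_cert: bytes, wire_cert: bytes) -> dict:
    """Compare the directly fetched certificate with the one seen in the pcap."""
    known, wire = cert_identity(known_cert), cert_identity(wire_cert)
    serial_match = known["serial"] == wire["serial"]
    issuer_match = known["issuer_cn"] == wire["issuer_cn"]
    return {"serial_match": serial_match, "issuer_match": issuer_match,
            "decrypted": not (serial_match and issuer_match)}


# Constructed samples: the server's real certificate vs. the re-signed copy.
KNOWN_CERT = build_sample_cert(0x1A2B3C, "Example Public CA", "www.ciscolive.com")
WIRE_CERT = build_sample_cert(0x7F, "Firepower Internal CA", "www.ciscolive.com")

if __name__ == "__main__":
    print(cert_identity(KNOWN_CERT), cert_identity(WIRE_CERT))
    print(was_resigned(KNOWN_CERT, WIRE_CERT))
```

For a real capture, feed the DER bytes of the Certificate handshake message (exported from Wireshark) to cert_identity; a Decrypt Known-key session leaves both fields unchanged, which is why only a serial or issuer mismatch proves a re-sign.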

Example 3 A simple checkbox

Example 3 Reasons: let the client decide whether to trust this certificate

Example 4 QUIC: a look at QUIC (Example4.pcap)

Example 4 Open Chrome and Wireshark

Example 4 QUIC is UDP

TAC skills you learned: what the SSL Policy is doing; how to follow an SSL session from FMC to the wire; how to read in depth: Client Hello, Server Hello, Certificate

Questions?

Building SSL Policy

Lab 1: Building the SSL policy. Open Chrome and select the FMC bookmark (should be the home page). Navigate to Object > Object Management. Open Lab 1 on your desktop: Ca.crt, Ca.key.pem. Open both files with Notepad++ (right click, Edit with Notepad++).

Importing Certificates

Importing Certificates Sourcefire

Importing Certificates Internal CA. Import CA: import an Internal CA (if generated on Windows, use the Certificate Template of Subordinate CA). Generate CA: generate a self signed certificate (Root CA). Generate CSR: sign as a Subordinate CA certificate (on Windows use Subordinate CA).

Importing Certificates Certificate Install Example. If you were not given a password you can leave it blank. This accepts Base64 or a certificate file (.cer, .crt, .pem, .der). If you receive a .pkcs12 or .pkcs7 you need to convert it to a .pem. Copy the entire Base64 text in the CSR box to a notepad and save it as a .csr. It should look similar to below; the important part is to be sure to include the entire text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. Do not add carriage returns or correct spacing, it could cause issues. Use Notepad or something similar; WordPad or Microsoft Word add hidden characters that could cause issues.

Importing Certificates Certificate Example

Importing Certificates

SSL Policy

Undecryptable Actions. Compressed Session: the SSL session applies a data compression method. SSLv2 Session: the session is encrypted with SSL version 2 (note that traffic is decryptable if the ClientHello message is SSL 2.0 and the remainder of the transmitted traffic is SSL 3.0). Unknown Cipher Suite: the system does not recognize the cipher suite; a software update may be required. Unsupported Cipher Suite: the system does not support decryption based on the detected cipher suite.

Undecryptable Actions. Session not cached: the SSL session has session reuse; mid-stream pickup (SSL handshake not seen); Snort restart (SSL session tables). Handshake Errors: an error occurred during SSL handshake negotiation, such as an unsupported extension in the SSL handshake (Extended Master Secret prior to 6.1 would cause this). Decryption Errors: an error occurred during traffic decryption; it is not possible to allow this traffic, so if this error occurs the session is blocked.

SSL Policy

Using the SSL Policy

Deploy our changes

Lab 2 Decrypting Traffic. RDP into 198.19.10.21 (should be a link on your desktop; Administrator/C1sco12345). Navigate to www.ciscolive.com

Decrypting traffic Untrusted Certificate

Decrypting traffic Bypassing the untrusted warning

Find the connection event Easy search

Find the connection event

Challenge Navigate to https://www.bankofamerica.com

Challenge Why is this happening?

Challenge Answer Images, CSS and other page data are pulled from other sites. They fail because the certificate is untrusted.

Lab 3 Installing the certificate. RDP into 198.19.10.21 (should be a link on your desktop; Administrator/C1sco12345). Open Lab 1 and double click the CA certificate.

Lab 3 Installing the certificate

Lab 3 Testing

Challenge Why did I put Chrome/IE in the top right and not include Firefox? Safari is the same as IE in this example

Challenge Answer Firefox uses its own Certificate Authority repository.

Install the certificate

Challenge You just installed the SSL Policy. You just installed the certificate.

Challenge

Challenge Answer HSTS is comparing a cached certificate to the newly received one. Clear the cache.

Questions?

SSL Policy Best Practices

Typical deployment: Decrypt Resign

Typical deployment: Decrypt Known-key

Required before you begin Best Practices: internal root Certificate Authority (CA); import all CAs in Trusted CA*

Typical basic policy Decrypt Resign

Typical basic policy Decrypt Known Key

Typical basic policy Decrypt Combo

Good practice policy Be aware of government laws

Good practice policy For general purposes

Good practice Notice

What to expect: currently an 80% performance hit; may require webserver modifications; Perfect Forward Secrecy (ECDHE) does not work in Decrypt Known-key

Questions?

Troubleshooting SSL in Firepower

Interpreting the connection events Enable the column: Success / Error

Interpreting the connection event Certificate deep dive

Check the SSL policy

Packet capture on Firepower Threat Defense (firepower) SHELL: >capture-traffic Please chose domain to capture traffic from: 0 br1 1 Router Selection? 1 Please specify tcpdump options desired. (or enter ? for a list of supported options) Options: ^C Caught interrupt signal Exiting. (Ctrl+C to end. Always write to a file!!!)

Packet capture on Firepower Threat Defense (Lina) SHELL: >capture capin interface Inside match tcp host 192.168.10.10 any eq 443 >show capture capture capin type raw-data interface Inside [Capturing - 0 bytes] match tcp host 192.168.10.10 any eq https > > >copy /pcap capture:capin disk0: Source capture name [capin]? Destination filename [capin]?!!!!!!!!!! 353 packets copied in 0.40 secs >

Client Hello Tuning SHELL: >system support ssl-client-hello-tuning SSL Client Hello tuning of attributes ciphers_allow, ciphers_remove, extensions_allow, extensions_remove, curves_allow, curves_remove handshake attribute > system support ssl-client-hello-tuning extensions_remove 16,13172 Using tuning file: /etc/sf/ssl_client_hello.conf Parameter and value successfully added to configuration file. Configuration file contents (defaults added automatically): extensions_remove=16,13172 You must restart snort before this change will take affect This can be done via the CLI command 'pmtool restartbytype DetectionEngine'. > system support ssl-client-hello-reset Using tuning file: /etc/sf/ssl_client_hello.conf Are you certain that you wish to delete the current SSL tuning configuration file? (y/n) [n]: y Configuration file successfully deleted. (Slide callouts: 16 = Application Layer Protocol Negotiation, 13172 = Next Protocol Negotiation. This example is used to fix block pages in HTTPS traffic.)
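Reading a Client Hello and Server Hello the way the packet-capture slides walk through them (SNI, offered cipher suites, extensions), including the two extensions the tuning command above removes (16 and 13172), as an added example that is not Cisco's code: it parses constructed sample records, flags the extensions the tuning command strips, and reports from the Server Hello's chosen cipher suite whether Decrypt Known-key can work at all (it cannot with ECDHE, as the best-practice slides note). The cipher-suite and extension tables are a small subset of the IANA registries, enough for the samples.

```python
"""Parse TLS Client Hello / Server Hello records to pull out the fields the
capture slides teach you to read: SNI, offered cipher suites, extensions
(ALPN = 16, NPN = 13172), and whether the chosen suite rules out known-key."""
import struct

# Small subset of the IANA registries, enough for the constructed samples.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 16: "application_layer_protocol_negotiation",
              23: "extended_master_secret", 13172: "next_protocol_negotiation"}
# IDs stripped by: system support ssl-client-hello-tuning extensions_remove 16,13172
TUNING_REMOVES = {16, 13172}


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and the 4-byte handshake header."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs_type}")
    return body[4:4 + hs_len]


def _parse_extensions(data: bytes) -> dict:
    """Extension list: repeated type(2) length(2) payload."""
    exts, off = {}, 0
    while off + 4 <= len(data):
        etype, elen = struct.unpack("!HH", data[off:off + 4])
        exts[etype] = data[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def parse_client_hello(record: bytes) -> dict:
    body = _handshake_body(record, 1)
    off = 2 + 32                                   # client_version + random
    off += 1 + body[off]                           # session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                           # compression_methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    exts = _parse_extensions(body[off + 2:off + 2 + ext_len])
    sni = None
    if 0 in exts:   # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
        name_len = struct.unpack("!H", exts[0][3:5])[0]
        sni = exts[0][5:5 + name_len].decode("ascii")
    return {
        "sni": sni,
        "cipher_suites": [CIPHER_SUITES.get(c, f"0x{c:04X}") for c in suites],
        "extensions": [EXTENSIONS.get(e, str(e)) for e in exts],
        "removed_by_tuning": sorted(e for e in exts if e in TUNING_REMOVES),
    }


def parse_server_hello(record: bytes) -> dict:
    body = _handshake_body(record, 2)
    off = 2 + 32                                   # server_version + random
    off += 1 + body[off]                           # session_id
    suite = struct.unpack("!H", body[off:off + 2])[0]
    name = CIPHER_SUITES.get(suite)
    # With (EC)DHE the server key never encrypts the premaster secret, so the
    # sensor cannot recover the session from the private key alone (None = unknown suite).
    decryptable = None if name is None else "DHE" not in name
    return {"cipher_suite": name or f"0x{suite:04X}", "known_key_decryptable": decryptable}


def _ext(etype: int, payload: bytes) -> bytes:
    return struct.pack("!HH", etype, len(payload)) + payload


def build_sample_client_hello() -> bytes:
    """Constructed Client Hello shaped like the browser one in Example 1."""
    host = b"www.ciscolive.com"
    sni = _ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    alpn_list = b"\x02h2\x08http/1.1"
    alpn = _ext(16, struct.pack("!H", len(alpn_list)) + alpn_list)
    exts = sni + _ext(23, b"") + alpn + _ext(13172, b"")
    suites = b"".join(struct.pack("!H", c) for c in (0xC02F, 0xC030, 0x009C, 0x002F))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_sample_server_hello(suite: int) -> bytes:
    """Constructed Server Hello: one chosen suite, no session id, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Comparing the Client Hello from the inside capture (capin) with the one on the outside capture (capout) in Lab 4 is the same parse run twice: the extensions listed under removed_by_tuning should be present in the first and absent in the second.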

Lab 4 Seeing Decryption at a packet level. RDP into 198.19.10.21 (should be a link on your desktop; Administrator/C1sco12345). Put in place the SSL Policy from Lab 1 (should already be installed). SSH into FTD: open PuTTY, there should be a saved session (NGFW), admin/c1sco12345. Capture packets, then download and inspect.

Lab 4 SHELL: >capture capin interface inside buffer 6123456 match tcp host 198.19.10.21 any eq 443 >capture capout interface outside buffer 6123456 match tcp any any eq 443 >show capture capture capin type raw-data interface inside [Capturing - 0 bytes] match tcp host <ip> any eq https capture capin type raw-data interface outside [Capturing - 0 bytes] match tcp host <ip> any eq https --> Now navigate to www.ciscolive.com

Lab 4 Testing

Lab 4 SHELL: >copy /noconfirm /pcap capture:capin disk0: Source capture name [capin]? Destination filename [capin]?!!!!!!!!!! 353 packets copied in 0.40 secs >copy /noconfirm /pcap capture:capout disk0: Source capture name [capout]? Destination filename [capout]?!!!!!!!!!! 364 packets copied in 0.40 secs >expert #sudo cp /mnt/disk0/capin /ngfw/var/common/capin.pcap Password: #sudo cp /mnt/disk0/capout /ngfw/var/common/capout.pcap Password:

Lab 4 Retrieve pcap

Lab 4 Retrieve pcap continued

Lab 4 Compare the Client Hellos

Lab 5 Decrypt Known Key: find Outside.cer and outside.key in Certificates and install the certificate

Lab 5 Importing Internal Certificate

Lab 5 Internal Certificate

Lab 5 Rule

Lab 5 Navigate to 198.18.133.200 from the RDP session

Challenge Why are you getting certificate errors? Is the certificate installed?

Challenge Hint

Challenge Answer

Questions?

Scenarios Based on TAC cases

Scenario 1 Put a block social media URL rule at the top of the SSL policy. Navigate to facebook.com, ciscolive.com, cisco.com

Scenario 1 Questions Is traffic decrypted as expected? Why?

Scenario 1 Answers The SSL Policy falls back to the default action if the URL filtering lookup fails.

Scenario 1 Answers Continued

Scenario 2 Your company has a wildcard certificate (Outside.cer). Import Outside.cer and Outside.key as an Internal CA (this simulates a Public CA certificate, e.g. DigiCert/RapidSSL) and use it to Decrypt Re-sign.

Scenario 2 common questions Why can I not use our company's wildcard certificate? This certificate was not meant for this.

Scenario 2

Scenario 2 Answer You must use a Subordinate or Root Certificate Authority certificate. When getting the CSR signed, Windows in particular requires the Subordinate Certificate Template.

Scenario 3 We have a ticket from an end user who cannot get to Facebook.com from their computer.

Scenario 3 Domain joined machine, using Active Directory to push out the Root Certificate

Scenario 3 Answer Firefox: install the certificate

Scenario 4 (Challenging) We have a ticket from an end user who cannot use the Facebook app on their phone.

Scenario 4 Certificate pinning can happen with phone apps: the certificate is stored in the application to prevent MitM. Check SSL Flow Errors.

Common TAC cases that you have learned to avoid: certificate not installed on clients (Active Directory gives an option to push certificates to domain joined machines); wrong certificate type; block rule/default action in SSL Policy; URL filtering rules.

TAC Case open template For questions about SSL errors or unexpected actions, to speed up the TAC case please open with the following: CSV report output of Connection Events matching this traffic; packet capture (client, sensor, server side); explanation of the applications and errors seen, including any recent changes you are aware of; troubleshoot from the sensor.

Questions?


Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education: Demos in the Cisco campus, Walk-in Self-Paced Labs, Tech Circle, Meet the Engineer 1:1 meetings, Related sessions

Thank you