Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce Security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring.
Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
SSL Forward Proxy
Decryption of outbound SSL traffic is commonly implemented and takes the form of SSL Forward Proxy, which places the firewall as an intermediate communication node. This deployment is commonly referred to as a "Man in the Middle."
Note that SSL Forward Proxy replaces the original certificate from the final destination with one signed by a different key, which is then delivered to the client.
A developer of a solution that uses SSL can take extra programmatic steps to interrogate the certificate received at the client for specific characteristics present in the original certificate. When these characteristics aren't found, the application often assumes that a decryption process is in the middle of the conversation and may take action to prevent full functionality, treating this presence as a security risk. These products typically are not fully functional in a decrypting environment and must be added as exceptions to Decryption policies.
More information can be found on this link.
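As an added example (not part of the original post or of any Palo Alto Networks tooling), the following Python script lets an administrator check from a client PC whether a given HTTPS destination is actually being decrypted: it connects with the exported PAN-SSL-CERT PEM trusted and reports whether the issuer of the presented leaf certificate is the firewall's Forward Trust CA (Common Name Lagura) or the origin's own CA. The PEM file name and the default host are assumptions; a "pass-through" result is what you expect for a destination excluded from the Decryption policy, and a "decrypted" result is exactly what a pinning application would reject.

```python
import socket
import ssl
import sys

# Values taken from the post's configuration; the PEM file name is an assumption.
FORWARD_TRUST_CN = "Lagura"           # Common Name of PAN-SSL-CERT
EXPORTED_CA_PEM = "PAN-SSL-CERT.pem"  # exported certificate; clients need only the cert, never the private key


def name_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples X.509 name format returned by
    SSLSocket.getpeercert() into a plain {attribute: value} dict."""
    flat = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def classify_peer_cert(cert, forward_trust_cn=FORWARD_TRUST_CN):
    """Return 'decrypted' when the leaf certificate was issued by the firewall's
    Forward Trust CA (the session is going through SSL Forward Proxy), or
    'pass-through' when any other issuer signed it (no decryption, e.g. the
    destination is an exception in the Decryption policy)."""
    issuer = name_to_dict(cert.get("issuer", ()))
    return "decrypted" if issuer.get("commonName") == forward_trust_cn else "pass-through"


def fetch_peer_cert(host, port=443, ca_file=EXPORTED_CA_PEM):
    """Open a TLS session to host:port, trusting the system store plus the
    exported firewall CA (as the browser does after importing it), and
    return the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Default host is the one the post decrypts; pass others on the command line.
    for host in sys.argv[1:] or ["www.facebook.com"]:
        try:
            cert = fetch_peer_cert(host)
        except ssl.SSLCertVerificationError as exc:
            # Typical of the Forward Untrust case: the firewall re-signed a
            # certificate it could not validate, so the client must not trust it.
            print(f"{host}: verification failed ({exc.reason})")
            continue
        print(f"{host}: {classify_peer_cert(cert)}; issuer = {name_to_dict(cert['issuer'])}")
```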
Type a name under Certificate Name (PAN-SSL-CERT) > type a name under Common Name (Lagura) > check Certificate Authority > leave the default settings under Cryptographic Settings. Under Certificate Attributes > click Add > Country > type and search for your country (SG in my case) > add and fill other Certificate Attributes as needed > click Generate.
You need to modify the certificate by clicking on the Name of the certificate (PAN-SSL-CERT) > check Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA > click OK.
You can export the PAN certificate and install it on the PC web browser by clicking on the Name of the certificate and clicking Export. Leave the File Format as Base64 Encoded Certificate (PEM) > check Export private key > type a passphrase twice to confirm > click OK.
Go to the folder where the PEM certificate got downloaded (Downloads folder on my Windows 7). Manually install the certificate (this can also be automated via GPO) on the web browser (Mozilla Firefox) by going to Tools > Options > Advanced > Certificates > View Certificates. Under Authorities > click Import > go to the Downloads folder and choose the created PEM certificate > click Open > check Trust the CA to identify websites > click OK.
You can view the certificate under Authorities tab > click on the installed PEM certificate > View.
Just like in creating a Security or NAT policy, configure a Decryption policy from left to right. Under General > type the Name of the Decryption rule.
Under Source tab > choose TRUST-L3 under Source Zone > choose TRUST-ZONE-USERS (which is 172.17.101.0/24) under Source Address.
Under Destination tab > choose UNTRUST-L3 under Destination Zone > leave Any under Destination Address (which is any address on the UNTRUST zone/Internet).
Under URL Category > click Add > type and search: social-networking (click social-networking) > type and search: web-based-email (click web-based-email).
Under Options tab > select Decrypt under Action > leave the default of SSL Forward Proxy under Type and None under Decryption Profile > click OK.
You also need a Security rule to decrypt and allow the HTTPS application. You can create an Application object or use the pre-defined Application objects by going to Objects > Applications.
In this example, the Security rule will decrypt and inspect Facebook and Outlook Web Access, which are both HTTPS websites. You can type and search for a specific Application such as facebook > click facebook-base, which is general web browsing on Facebook. You can click on a specific Application to view more details such as the Description, Standard Ports, etc. This feature truly makes the PAN firewall a “next-generation” firewall, which means it doesn’t only filter on traditional TCP and UDP ports (Layer 4) but on the Application layer (Layer 7) as well.
You can also add another Security rule to decrypt and inspect webmail such as Outlook Web Access (OWA).
To create a new Security rule, go to Policies > Security > Add.
Under General tab > type the Name of the Security rule (OUTBOUND-SSL-DECRYPT) > optionally type the Description.
Under Source tab > choose TRUST-L3 under Source Zone > choose TRUST-ZONE-USERS under Source Address.
Under Destination tab > choose UNTRUST-L3 under Destination Zone > leave the default of Any under Destination Address.
Under Application tab > type and search: facebook > click facebook-base (only decrypt and inspect general Facebook web browsing).
Add the web-browsing, ssl and dns Applications to ensure HTTPS web browsing will work.
Leave the default settings of Allow and Log at Session End under Actions.
Click OK and Commit.
I've made some tests by going to my Facebook page and opening Outlook. To verify the Decryption and Security rules are working, go to Monitor > Logs > Traffic. Notice there's an Application log for facebook-base and ssl for Outlook web (public IP 111.221.29.254).