Friday, May 19, 2017

Configuring SSL Decryption Policy on a Palo Alto Networks Firewall

Decryption

Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce Security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring.

Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.


SSL Forward Proxy

Decryption of outbound SSL traffic is commonly implemented and takes the form of SSL Forward Proxy, which features the firewall as an intermediate communication node. This deployment is commonly referred to as a "Man in the Middle."

Note that SSL Forward Proxy replaces the original certificate from the final destination with one signed by a different key that is then delivered to the client.

A developer of a solution using SSL decryption can take extra programmatic steps to interrogate the certificate received at the client for specific characteristics present in the original certificate. When these characteristics aren't found, the author often assumes that a decryption process is in the middle of the conversation and may take action to prevent full functionality, considering this presence a security risk. These products typically are not fully functional in a decrypting environment and must be added as exceptions to Decryption policies.

More information can be found at this link.


The PAN firewall can act as a proxy between a client (TRUST zone) and an HTTPS website (UNTRUST zone or Internet) and decrypt inbound/outbound SSL traffic in order to apply inspection policies. To configure outbound SSL decryption, first generate a self-signed certificate on the PAN firewall by going to Device > Certificate Management > Certificates > Generate.


Type a name under Certificate Name (PAN-SSL-CERT) > type a name under Common Name (Lagura) > check Certificate Authority > leave the default settings under Cryptographic Settings.


Under Certificate Attributes > click Add > Country > type and search for your country (SG in my case) > add and fill other Certificate Attributes as needed > click Generate.




You need to modify the certificate by clicking on the Name of the certificate (PAN-SSL-CERT) > check Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA > click OK.



You can export the PAN certificate and install it on the PC web browser by clicking on the Name of the certificate and click Export. Leave the File Format of Base64 Encoded Certificate (PEM) > check Export private key > type a passphrase twice to confirm > click OK.



Go to the folder where the PEM certificate got downloaded (Downloads folder on my Windows 7). Manually install the certificate (this can also be automated via GPO) on the web browser (Mozilla Firefox) by going to Tools > Options.


Go to Advanced > Certificates > View Certificates.


Under Authorities > click Import.


Go to Downloads folder and choose the created PEM certificate > click Open > click Trust the CA to identify websites > click OK.


You can view the certificate under Authorities tab > click on the installed PEM certificate > View.



Just like in creating a Security or NAT policy, configure a Decryption policy from left to right. Under General > type the Name of the Decryption rule.


Under Source tab > choose TRUST-L3 under Source Zone > choose TRUST-ZONE-USERS (which is 172.17.101.0/24) under Source Address.


Under Destination tab > choose UNTRUST-L3 under Destination Zone > leave Any under Destination Address (which is Any address on the UNTRUST zone/Internet).


Under URL Category > click Add > type and search: social-networking (click social-networking) > type and search: web-based-email (click web-based-email).


Under Options tab > select Decrypt under Action > leave the default of SSL Forward Proxy under Type and None under Decryption Profile > click OK.




You also need a Security rule to decrypt and allow the HTTPS application. You can create an Application object or use the pre-defined Application objects by going to Objects > Applications.


In this example, the Security rule will decrypt and inspect Facebook and Outlook Web Access which are both HTTPS websites. You can type and search for a specific Application such as facebook > click facebook-base which is the general web browsing on Facebook. You can click on a specific Application to view more details such as the Description, Standard Ports, etc. This feature truly makes the PAN firewall a “next-generation” firewall, which means it doesn’t only filter traditional TCP and UDP ports (Layer 4) but on the Application layer (Layer 7) as well.


You can also add another Security rule to decrypt and inspect webmail such as Outlook Web Access (OWA).



To create a new Security rule, go to Policies > Security > Add.


Under General tab > type the Name of the Security rule (OUTBOUND-SSL-DECRYPT) > optionally type the Description.


Under Source tab > choose TRUST-L3 under Source Zone > choose TRUST-ZONE-USERS under Source Address.



Under Destination tab > choose UNTRUST-L3 under Destination Zone > leave the default of Any under Destination Address.


Under Application tab > type and search: facebook > click facebook-base (only decrypt and inspect general Facebook web browsing).



Add the web-browsing, ssl and dns Applications to ensure HTTPS web browsing will work.





Leave the default settings of Allow and Log at Session End under Actions.


Click OK and Commit.


I've made some tests by going to my Facebook page and opening Outlook. To verify the Decryption and Security rules are working, go to Monitor > Logs > Traffic. Notice there's an Application log for facebook-base and ssl for Outlook web (public IP 111.221.29.254).
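Besides the Traffic log, decryption can be verified from the client side: a session re-signed by the SSL Forward Proxy presents a certificate whose issuer is the firewall's CA (Common Name "Lagura" on PAN-SSL-CERT above), which is also the check certificate-pinning applications rely on when they refuse to work behind a decrypting proxy. The following Python script is an added example, not part of the original post or of PAN-OS; it assumes the CA Common Name from this configuration, and the sample certificate dictionaries it ships with are constructed.

```python
import socket
import ssl

# Assumed for this example: the Common Name of the CA certificate generated on
# the firewall (the post uses "Lagura" for PAN-SSL-CERT).
FIREWALL_CA_CN = "Lagura"


def _name_attr(name, attr):
    """Return the first value of `attr` (e.g. 'commonName') from a name in the
    format ssl.SSLSocket.getpeercert() uses: a tuple of RDNs, each a tuple
    of (attribute, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_peer_cert(cert, ca_cn=FIREWALL_CA_CN):
    """Return 'decrypted' if the issuer CN is the firewall's forward-trust CA
    (the SSL Forward Proxy re-signed the server certificate), else 'direct'.
    A certificate-pinning application makes the same issuer check."""
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    return "decrypted" if issuer_cn == ca_cn else "direct"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect to host:port and return the validated peer certificate as a
    getpeercert() dict. The default context uses the system trust store, so
    the firewall CA must already be installed; otherwise the handshake raises
    ssl.SSLCertVerificationError, the error a client without the CA sees."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() form; not real certificates.
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": ((("countryName", "SG"),), (("commonName", "Lagura"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}

if __name__ == "__main__":
    for label, cert in (("sample-decrypted", SAMPLE_DECRYPTED), ("sample-direct", SAMPLE_DIRECT)):
        print(label, "->", classify_peer_cert(cert))
```

On a client in the TRUST-ZONE-USERS range, `classify_peer_cert(fetch_peer_cert("www.facebook.com"))` should return "decrypted" for a URL category covered by the rule and "direct" for one that is not.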



