Friday, October 4, 2019

Palo Alto Networks Firewall SSL (TLS) Decryption

Transport Layer Security (TLS) is the updated and more secure version of Secure Sockets Layer (SSL). TLS is not backward compatible with SSL's cipher suite or algorithm. SSL has been around for more than two decades and it's still used as a common term when deploying a Certificate Authority (CA) in a Public Key Infrastructure (PKI).

In my previous post, I created URL Filtering and Antivirus Security Profiles. Users can bypass the Palo Alto Networks (PAN) Firewall Security Profiles by using a VPN or a web proxy.

The URL Filtering for Social Networking and Streaming Media and Antivirus Security Profiles were configured and correctly blocked by the PAN Firewall.



Most websites now use HTTPS (SSL/TLS), and the PAN Firewall can't enforce its next-generation features (URL Filtering, Antivirus and Antimalware) on that traffic because it is encrypted.

I tried to download eicar.com and eicar.com.txt over HTTPS but the Windows personal firewall blocked them. This is a good example of a defense-in-depth security strategy wherein endpoints have a personal firewall (Antivirus and Antimalware) installed.
 

I was able to download eicar_com.zip since the PAN Firewall is unable to decrypt HTTPS traffic and enforce its Antivirus Security Profile.


To verify, go to Monitor > Logs > URL Filtering.


It's best practice to identify which traffic to exclude in a Decryption Policy as this might involve some privacy or legal implications. Some good examples of traffic to exclude are banking/finance (PCI DSS) and health (PHI) records.

For my lab, I created three SSL Decryption rules. The first rule excludes the Financial and Health categories from SSL Decryption for traffic sourced from the inside Zone going to the outside Zone. The second rule decrypts Any traffic sourced from the inside Zone going to the outside Zone. The third rule decrypts only SSH traffic sourced from the inside Zone going to the dmz Zone.


To configure a Decryption policy for Rule #1, go to Policies > Decryption > Add (at the bottom).


Under General tab > type a Name (NO-SSL-DECRYPT).


Under Source tab > Source Zone > Add > select inside.


Under Destination tab > Destination Zone > Add > select outside.


Under Service/URL Category > URL Category > Add > type/search for financial-services. 


Also add health-and-medicine.


Under Options tab > select Action: No Decrypt (default) > click OK.


For Decryption Policy Rule #2, click Add or Clone NO-SSL-DECRYPT and then just edit.


Under Service/URL Category tab > leave Any under both Service and URL Category.


Under Options tab > Action: Decrypt > Leave the other options in default > click OK.


Configure Decryption Policy Rule #3 to decrypt SSH traffic between the inside client (192.168.1.20) and DMZ server (192.168.50.10).


Under General tab > type a Name (DECRYPT-SSH-DMZ).


Under Source tab > Source Zone > Add > inside.


Under Destination tab > Destination Zone > Add > dmz.


Under Options tab > select Action: Decrypt > select Type: SSH Proxy > click OK.



Click Commit. An error will show the Commit Result: Failed. This is because a forward decrypt trust cert isn't configured yet.


To configure and generate an SSL Decryption (Outbound) certificate on a PAN Firewall, go to Device > Certificate Management > Certificates > Generate.


Select Certificate Type: Local (default) > type the Certificate Name (PAN-CERT-DECRYPT) > type the Common Name (192.168.1.1) > tick Certificate Authority.

You can further add Certificate Attributes on the CA Certificate.


I added Country: SG (Singapore) for the Certificate Attribute.


Click Generate.



Click on the CA Certificate (PAN-CERT-DECRYPT) > tick both the Forward Trust Certificate and Forward Untrust Certificate > click OK.

This will enable the PAN Firewall to act as a man-in-the-middle (MITM) or a proxy server between a client in the inside Zone and a host on the outside Zone.
 

You'll need to export the PAN Firewall CA Certificate to a client machine under Device > Certificate Management > Certificates > tick the PAN-CERT-DECRYPT > Export.


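Select File Format: Encrypted Private Key and Certificate (PKCS12). This format bundles the CA's private key with the certificate, which is why the export asks for a passphrase.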


Type a passphrase (minimum length is 6 characters).


Re-type passphrase in Confirm Passphrase > click OK.


Notice the web browser downloaded the PKCS Certificate (at the bottom).


To install the CA cert, click on the Windows icon (bottom left) > type/search for Certificate Manager > click certmgr.msc.


Right-click on Trusted Root Certification Authorities (folder on the right) > All Tasks > Import.


A Welcome message for the Certificate Import Wizard will open > click Next.


Click Browse.


Go to Downloads folder > select File Type: Personal Information Exchange (*.pfx; *.p12) > select the cert_PAN-CERT-DECRYPT.p12 created earlier > click Open.


Click Next.


Type the password (same password for creating the CA Certificate) > click Next.


Leave the default Certificate store: Trusted Root Certification Authorities > click Next.


Click Finish.


Click OK.


Notice a new CA cert is added (192.168.1.1).


To view the installed CA cert in Internet Explorer web browser, go to Settings (gear icon) > Internet Options.


Go to Content tab > click Certificates.


Click View.



Notice the PAN Firewall CA cert attributes which are the inside IP address of 192.168.1.1 and Country: SG.


I visited a popular US banking website via HTTPS.


You can add a new column by doing a right-click (on any column) > tick Decrypted.


Notice the traffic from the inside Source 192.168.1.20 to the Destination banking website 171.161.203.100.

The columns show Decrypted: no, To Port: 443 and Application: SSL, which means SSL Decryption is not applied to this traffic (bypassed by Rule #1).


Click the magnifying glass icon to get a Detailed Log View.


I again visited some popular Social Networking sites such as Facebook and Instagram, this time using HTTPS. I got a Web Page Blocked error.



I also got the same error when I visited a popular Streaming Media website such as YouTube.


Notice the columns show Decrypted: yes, To Port: 443 and Application: SSL, which means SSL Decryption (Rule #2) is applied to this traffic.

The PAN Firewall performed a deep packet inspection and enforced the URL Filtering policy.


Click the magnifying glass icon to get a Detailed Log View. Notice under Flags: Decrypted.





I tried to download the eicar files again over HTTPS. This time the connection was blocked or reset by the PAN Firewall.



The PAN Firewall Antivirus policy kicked in.



To monitor Threat logs, go to Monitor > Logs > Threat. Notice the Action: reset-both.


Click the magnifying glass icon to get a Detailed Log View. Notice under Flags: Decrypted and the File Name was identified.

You can also view the packet capture (PCAP) file by clicking on the download icon (green arrow pointing downward).





I tried to SSH and open a web (HTTP) session from the inside client 192.168.1.20 to the DMZ server 192.168.50.10.



Notice Port 80 web-browsing traffic is NOT decrypted (Decrypted: no) while SSH Port 22 is decrypted (Decrypted: yes).


Click the magnifying glass icon to get a Detailed Log View. Notice the web-browsing Application Port 80 has no Flags ticked. This is because Decryption Policy Rule #3 is only applicable to SSH traffic (TCP port 22).



Notice the SSH Application Port 22 has the Flags: Decrypted.
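
The Decrypted values in the logs above follow from the firewall evaluating Decryption rules top-down and stopping at the first match. The sketch below is an added example, not from the original post and not PAN-OS code: a simplified model of the three lab rules run against constructed sessions, where the rule name DECRYPT-ANY, the n/a category and the matching logic are assumptions.

```python
from dataclasses import dataclass

ANY = "any"
# Protocol each decryption type can act on (simplified model, an assumption).
HANDLES = {"ssl-forward-proxy": "ssl", "ssh-proxy": "ssh"}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    categories: tuple            # URL categories, or (ANY,)
    action: str                  # "decrypt" or "no-decrypt"
    dtype: str = "ssl-forward-proxy"

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    category: str
    app: str                     # "ssl", "ssh" or "web-browsing"

def evaluate(rules, s):
    """Top-down, first match wins. Returns (rule name or None, decrypted?)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (s.src_zone, s.dst_zone):
            continue
        if ANY not in r.categories and s.category not in r.categories:
            continue
        if r.action == "no-decrypt":
            return r.name, False
        if HANDLES[r.dtype] == s.app:
            return r.name, True
    return None, False           # no rule applied: traffic is left as-is

# The three lab rules. "DECRYPT-ANY" is a placeholder: the post does not name Rule #2.
NO_DECRYPT = Rule("NO-SSL-DECRYPT", "inside", "outside",
                  ("financial-services", "health-and-medicine"), "no-decrypt")
DECRYPT_ANY = Rule("DECRYPT-ANY", "inside", "outside", (ANY,), "decrypt")
DECRYPT_SSH = Rule("DECRYPT-SSH-DMZ", "inside", "dmz", (ANY,), "decrypt", "ssh-proxy")
LAB_RULES = [NO_DECRYPT, DECRYPT_ANY, DECRYPT_SSH]

# Constructed sample sessions mirroring the tests in the post.
BANK = Session("inside", "outside", "financial-services", "ssl")
SOCIAL = Session("inside", "outside", "social-networking", "ssl")
DMZ_SSH = Session("inside", "dmz", "n/a", "ssh")
DMZ_HTTP = Session("inside", "dmz", "n/a", "web-browsing")

if __name__ == "__main__":
    for s in (BANK, SOCIAL, DMZ_SSH, DMZ_HTTP):
        print(s, "->", evaluate(LAB_RULES, s))
    # Rule #2 placed above Rule #1 shadows the exclusion: banking gets decrypted.
    print(evaluate([DECRYPT_ANY, NO_DECRYPT, DECRYPT_SSH], BANK))
```

With Rule #2 moved above Rule #1 the banking session matches the decrypt rule first, so the No Decrypt exclusions have to stay at the top of the rulebase.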

