SRX – NGFW SSL Proxy (apps.cce.csus.edu/sites/cyberseced/18/speakers/uploads/1d..., printed 10/4/2018)
TRANSCRIPT
SRX – NGFW SSL Proxy
Jeff Bird, Senior Security Specialist
Aug 2018
Today’s discussion
• Market Trends – Business Need…
• TLS Proxy on NGFW
• TLS Proxy Deployment Modes
• Best Practices
• Summary
Market Trend – Business Need…
Gartner predicts more than 50% of network attacks, both inbound and outbound, will use encrypted TLS flows
Google to label websites that are not TLS encrypted as unsafe from July 2018
PCI Compliance mandates use of TLS 1.1 or higher with preference for TLS 1.2. June 2018 will sunset all pre‐TLS 1.2 specs
Takeaway: Within the next 2‐3 years almost all traffic will be encrypted. However, this includes the hackers’ traffic as well!
ENCRYPTED ATTACKS ASCEND TO RECORD HIGHS
Without the ability to inspect encrypted traffic during 2017, the average organization would have missed more than 900 file-based attacks hidden by TLS/SSL encryption. (2018 SONICWALL CYBER THREAT REPORT)
Logically, the use of encrypted cyberattacks also is increasing dramatically. There were 1.4 million encrypted attacks globally in 2018, a 275% year-to-date increase over 2017. (2018 SONICWALL CYBER THREAT REPORT)
HTTPS is everywhere… Source: https://letsencrypt.org/stats/
HTTPS is everywhere… Source: https://transparencyreport.google.com/https/overview
SSL/TLS Goals: Securing Internet Communication
• Confidentiality: Encryption of data
• Authentication: Validate that you are talking to the right service
• Integrity: Data has not been altered (Secure PII)
All this goodness now widely used on Internet!
HTTP is Dead… 1991 - 2018
What uses SSL-TLS? EVERYTHING!
• HTTPS – Hypertext Transfer Protocol Secure (port 443)
• FTPS – File Transfer Protocol Secure (port 21, 990, 989)
• LDAPS – Lightweight Directory Access Protocol Secure (port 636)
• SMTPS - Simple Mail Transfer Protocol Secure (port 465)
• POPS – Post Office Protocol Secure (port 995)
• IMAPS - Internet Message Access Protocol Secure (port 993)
• NNTPS – Network News Transfer Protocol Secure (port 563)
• TelnetS – Telnet Secure (port 992)
• IRCS – Internet Relay Chat Secure (port 6697)
SSL works at the application layer
• Analyze Layer 7 payload – no matter what ports are used
• Detect protocols – HTTP, SSL, FTP, SMTP…
• Detect extended applications – YouTube, LinkedIn, Facebook chat…
• Detect evasive applications – Skype, BitTorrent…
[Diagram: Layers 1 to 7]
NGFW & HTTPS Traffic – Just a TLS session…
[Diagram: TRUST ↔ NGFW services (Stateful Firewall, Application Visibility and Control, IPS, URL Filtering, Anti‐Malware, ATP Sandbox) ↔ UNTRUST; traffic labelled Clear inside the NGFW and Encrypt on the wire]
Don’t make your endpoint protection = The Alamo
• ~200 Texan militia defenders
• ~2000 Mexican Army invaders
• 13 day siege
• Did not end well for defenders…
• What other state was a country?
Decrypt & Inspect Encrypted Traffic
1. Client initiates SSL/TLS handshake with server
2. NGFW intercepts request and establishes session using its own certificate in place of server
3. NGFW initiates SSL/TLS handshake with server on behalf of client using admin defined SSL/TLS certificate
4. Server completes handshake and builds a secure tunnel between itself and NGFW
5. NGFW decrypts and inspects all traffic coming from or going to client for encrypted threats
6. NGFW re‐encrypts safe traffic and sends along to client and blocks encrypted threats
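The certificate substitution in step 2 is the heart of the design, so here it is played through in Go as an added example (not code from the presentation, nor Juniper's implementation). A constructed "public" root signs the real server certificate; a constructed proxy CA then re-issues a certificate carrying the same subject, SANs and validity but bound to a key the proxy holds; finally the client's verdict is checked against both trust stores. The CA names and `www.example.com` are placeholders, and the serial counter is a demo shortcut.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certPair bundles a parsed certificate with the private key that matches it.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 // demo-only serial counter; a real CA must never reuse serials

// sign generates a fresh key and signs tmpl with parent; nil parent = self-signed.
func sign(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// newCA builds a self-signed CA. Both roots are constructed for this example;
// in production the proxy CA is the one loaded on the firewall and pushed to endpoints.
func newCA(name string) (*certPair, error) {
	now := time.Now()
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueLeaf signs a server-auth certificate under ca carrying the identity
// fields (subject, SANs, validity) of id. The public CA does this for the real
// server; the proxy (step 2) does it from the server certificate it validated
// in steps 3-4, with a key the proxy holds so that it can decrypt.
func issueLeaf(ca *certPair, id *x509.Certificate) (*certPair, error) {
	return sign(&x509.Certificate{
		Subject: id.Subject, DNSNames: id.DNSNames, NotBefore: id.NotBefore, NotAfter: id.NotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// trustedBy reports whether leaf validates for host against a single root,
// i.e. what a client TLS stack that trusts only that root would decide.
func trustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// must keeps the demo flow readable; creation only fails on a broken RNG or template.
func must(p *certPair, err error) *certPair {
	if err != nil {
		panic(err)
	}
	return p
}

// runDemo returns whether the real server cert passes with the public root, and
// whether the proxy-issued cert passes with the public root and with the proxy CA.
func runDemo(host string) (originOK, proxyOKPublicRoot, proxyOKProxyCA bool) {
	publicRoot := must(newCA("Example Public Root CA"))
	proxyCA := must(newCA("Corp NGFW SSL Proxy CA"))
	now := time.Now()
	origin := must(issueLeaf(publicRoot, &x509.Certificate{ // the real server's certificate
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour)}))
	reissued := must(issueLeaf(proxyCA, origin.cert)) // step 2: same identity, proxy's key
	return trustedBy(origin.cert, publicRoot.cert, host),
		trustedBy(reissued.cert, publicRoot.cert, host),
		trustedBy(reissued.cert, proxyCA.cert, host)
}
```

The middle result is the operational point of the later "It's your job" slide: the re-issued certificate fails validation on any endpoint that has not received the proxy CA, which is exactly the certificate warning users report when a CA rollout is incomplete.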
Digital Certificate
• Common fields:
  • Subject (Common Name…)
  • User Identifier
  • Public key
  • Expiry Date
  • Issuer: CA identifier
  • Digital signature
  • Key Usage
  • Extension(s)
• Digital certificate = certificate signed by the Certificate Authority
• ITU X.509 Standard
The Art & Science of CA – It’s Your Job…
• Deploy free Certs from firewall
• Deploy via AD
• Landing Page – BYOD
• Buy Certs
• MDM for mobile devices
• Use MDM Certs
[Landing page graphic: BYOD CLICK HERE]
Topology Overview - Man in the Middle (MitM) $$
• An HTTPS (TLS/SSL) session through a NGFW with decryption enabled
• Data in the clear can have NGFW services applied
NGFW SRX Security Features – http/https – See All Traffic!
[Diagram: Internal Threats ↔ SRX ↔ External Threats / INTERNET]
• AppSecure – Application level visibility and classification; application security policies tied to user roles
• IPS – IDP detects/stops worms, Trojans, exploits, shellcode, scans
• SSL Proxy – Inspect encrypted traffic
• Anti-Malware – Stops known and unknown viruses, file-based Trojans or the spread of spyware, adware, keyloggers
• Enhanced Web Filtering – Block access to unapproved sites; real-time threat score for each URL
• User Role FW – UserID tied to FW policies; allows UserID to apply to all L7 security
Selective SSL Proxy Based on URL Category
Use case: for legal compliance or to achieve optimal corporate policy.
Configure a whitelist to bypass certain domain names, IP addresses, or SSL URL categories.
For example: banks, medical, legal, gov’t…
(Junos 15.1X49-D80)
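A policy-decision function for the three whitelist types just described, as an added example in Go (not the SRX's implementation or configuration syntax). The domains, prefixes and categories are constructed. It goes one step beyond the slide: because the SNI is supplied by the client, a domain match is only honoured once the validated server certificate carries a name under that domain, so a client cannot dodge inspection simply by sending a bypassed SNI.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// bypassList holds the three kinds of whitelist entry named on the slide:
// domain names (matched on the SNI and its subdomains), IP addresses or
// prefixes (matched on the destination) and URL categories (matched on the
// category the web-filtering service assigned to the SNI).
type bypassList struct {
	domains    []string
	prefixes   []*net.IPNet
	categories map[string]bool
}

// newBypassList parses the configuration; bare IPs are taken as /32 or /128.
func newBypassList(domains, cidrs, categories []string) (*bypassList, error) {
	b := &bypassList{categories: map[string]bool{}}
	for _, d := range domains {
		b.domains = append(b.domains, strings.ToLower(strings.TrimSuffix(d, ".")))
	}
	for _, c := range cidrs {
		if !strings.Contains(c, "/") {
			if strings.Contains(c, ":") {
				c += "/128"
			} else {
				c += "/32"
			}
		}
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bypass entry %q: %w", c, err)
		}
		b.prefixes = append(b.prefixes, n)
	}
	for _, cat := range categories {
		b.categories[strings.ToLower(cat)] = true
	}
	return b, nil
}

// flow is what the proxy knows at decision time: the client's SNI, the
// destination address, the category lookup for the SNI and, once the server
// certificate has been validated, the names that certificate carries.
type flow struct {
	SNI         string
	DstIP       net.IP
	Category    string
	ServerNames []string
}

// nameMatches reports whether host equals d or sits under it (wildcard SANs
// such as "*.bank.example" match the same way).
func nameMatches(host, d string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == d || strings.HasSuffix(host, "."+d)
}

// decide returns "bypass" with the rule that fired, or "decrypt" with the reason.
// A domain match is only honoured when the validated server certificate also
// carries a name under that domain; an empty ServerNames means no certificate
// has been seen yet and the policy decides on the SNI alone.
func (b *bypassList) decide(f flow) (action, reason string) {
	for _, d := range b.domains {
		if !nameMatches(f.SNI, d) {
			continue
		}
		confirmed := len(f.ServerNames) == 0
		for _, n := range f.ServerNames {
			confirmed = confirmed || nameMatches(n, d)
		}
		if confirmed {
			return "bypass", "domain " + d
		}
		return "decrypt", "SNI " + f.SNI + " not confirmed by server certificate"
	}
	for _, p := range b.prefixes {
		if p.Contains(f.DstIP) {
			return "bypass", "prefix " + p.String()
		}
	}
	if b.categories[strings.ToLower(f.Category)] {
		return "bypass", "category " + f.Category
	}
	return "decrypt", "no whitelist match"
}
```

Logging the reason string alongside the action gives the audit trail the compliance slide that follows asks for: every bypassed session can be tied back to the whitelist rule that exempted it.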
Think before doing – With great power…
• Banking and Financial
  • PCI and other federal financial compliance regimes will apply to the firewall in ways that most are not used to: SOX, GLBA & now GDPR as of 6/1/18 for the European Union
• HealthCare
  • HIPAA, HITECH, Meaningful Use. These are all regulations that will be a requirement of that firewall if you are decrypting ALL data
• The Big Question:
  • If you are inspecting it… Are you ready to be questioned in a legal forum about what you are scanning and why?
Compliance – the fun never ends… GLBA, HIPAA, SOX, GDPR, industry specific…
In 2018 all of them are asking for YOUR plan for inspecting SSL traffic!
BTW, HTTPS renders ATP less useful too…
• Files & web links coming in via HTTPS connections are NOT inspected by sandbox solutions either – Advanced Threat Protection?
• 70% of all Internet traffic is HTTPS today (2018)
• According to NIST, 99%+ of all Internet traffic will be HTTPS by 2024
Offload TLS Proxy to another device (Out of Band)
[Diagram: TRUST ↔ NGFW ↔ UNTRUST; traffic redirected based on policy to a separate TLS Proxy]
For heavy TLS traffic, consider a design where the TLS Proxy is offloaded to another device acting exclusively as TLS Proxy.
Scrubbing Encrypted Traffic via ICAP service
[Diagram: TRUST ↔ TLS Proxy / Threat Prevent ↔ UNTRUST; ICAP Request and ICAP Response exchanged with an ICAP Server hosting a DLP Service and a DRM Service]
ICAP (Internet Content Adaptation Protocol) servers: with proper design, your NGFW can also act as TLS Proxy to interwork with other security appliances, eliminating the need for a dedicated TLS Proxy.
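The ICAP Request / ICAP Response pair in the diagram, written out in Go as an added example (not the SRX's ICAP client or any vendor's service). The proxy frames the decrypted HTTP request as an RFC 3507 REQMOD message and parses the service's answer, where 204 means "clean, forward the original" and 200 means "forward this modified request instead". The sample messages are constructed, the DLP service at `icap.example` is a placeholder, and only the header-only (null-body) encapsulation is handled.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// buildReqmod frames the decrypted HTTP request for an ICAP REQMOD service
// (RFC 3507): ICAP headers, blank line, then the encapsulated HTTP headers.
// Encapsulated gives the byte offset of each part; null-body says no body follows.
func buildReqmod(icapURI, icapHost, httpHeaders string) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "REQMOD %s ICAP/1.0\r\n", icapURI)
	fmt.Fprintf(&sb, "Host: %s\r\n", icapHost)
	fmt.Fprintf(&sb, "Encapsulated: req-hdr=0, null-body=%d\r\n\r\n", len(httpHeaders))
	sb.WriteString(httpHeaders)
	return sb.String()
}

// icapResponse holds what the proxy needs from the service's answer.
type icapResponse struct {
	Status  int
	Headers map[string]string // keys lower-cased
	Body    string            // encapsulated HTTP headers on a 200; empty on 204
}

// parseICAPResponse reads the status line and headers, then uses Encapsulated
// to pull out the HTTP headers the service returned. Chunked bodies are
// rejected as out of scope for this example.
func parseICAPResponse(raw string) (*icapResponse, error) {
	r := bufio.NewReader(strings.NewReader(raw))
	line, err := r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	parts := strings.SplitN(strings.TrimRight(line, "\r\n"), " ", 3)
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "ICAP/") {
		return nil, fmt.Errorf("not an ICAP status line: %q", line)
	}
	status, err := strconv.Atoi(parts[1])
	if err != nil {
		return nil, err
	}
	resp := &icapResponse{Status: status, Headers: map[string]string{}}
	for {
		if line, err = r.ReadString('\n'); err != nil {
			return nil, err
		}
		if line = strings.TrimRight(line, "\r\n"); line == "" {
			break
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("bad ICAP header: %q", line)
		}
		resp.Headers[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	for _, ent := range strings.Split(resp.Headers["encapsulated"], ",") {
		name, off, _ := strings.Cut(strings.TrimSpace(ent), "=")
		switch {
		case name == "null-body":
			n, err := strconv.Atoi(off) // null-body=N: the headers occupy bytes [0,N)
			if err != nil {
				return nil, err
			}
			buf := make([]byte, n)
			if _, err := io.ReadFull(r, buf); err != nil {
				return nil, err
			}
			resp.Body = string(buf)
		case strings.HasSuffix(name, "-body"):
			return nil, fmt.Errorf("%s: chunked bodies not handled in this example", name)
		}
	}
	return resp, nil
}

// forwardHeaders applies the verdict: 204 keeps the original request, 200
// replaces it with what the service returned; anything else is a service failure.
func forwardHeaders(resp *icapResponse, original string) (string, error) {
	switch resp.Status {
	case 204:
		return original, nil
	case 200:
		return resp.Body, nil
	}
	return "", fmt.Errorf("ICAP status %d", resp.Status)
}

// Constructed sample exchange (not captured from a real service): the DLP
// policy strips an internal header before the request leaves the network.
const sampleHTTP = "GET /upload HTTP/1.1\r\nHost: www.example.com\r\nX-Internal-Id: 12345\r\n\r\n"
const modifiedHTTP = "GET /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
const sampleClean = "ICAP/1.0 204 No Content\r\nISTag: \"dlp-1\"\r\nEncapsulated: null-body=0\r\n\r\n"

var sampleModified = "ICAP/1.0 200 OK\r\nISTag: \"dlp-1\"\r\nEncapsulated: req-hdr=0, null-body=" +
	strconv.Itoa(len(modifiedHTTP)) + "\r\n\r\n" + modifiedHTTP
```

The failure branch in forwardHeaders is the design decision to make explicitly: whether an unreachable or erroring ICAP service fails open (forward the original) or fails closed (drop the flow) determines whether the DLP control can be bypassed by overloading the service.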
Comparison of TLS Proxy Deployment Modes
• NGFW Proxy – no extra hardware required; no extra management required (KISS)
• ICAP Server – ICAP servers can allow multiple services to be run on the flow
• Out of Band Proxy – visibility of the flow without disrupting the flow itself
Stop Tor – what bad guys use
• Tor is an encrypted browser for anonymous communication
• Tor is the gateway to the Dark Web
• Bounces Internet traffic all over the world through more than 7000 relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.
• Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.
• Used to drop CA for ransomware…
[Diagram: flow management – load balancers, perimeter firewalls, aggregation firewall, SSL, PAC file, client-side SSL tunnel, SSL / Sandbox / Web Filter, log files, email inspection, DLP]
Size matters
How to size a NGFW for SSL FP?
• Number of users? What kind of users – power users or office workers?
• How many SSL sessions can different SRX’s process per second? Lightbeam…
• WAN bandwidth? Today and tomorrow?
• WAN interfaces, firewall interfaces, HA & growth? 1G/10G/40G/100G ports
• What other NGFW features are turned on? Application Aware, IDS/IPS, URL/Web Filtering, AV Gateway
• VPNs – SSL & IPsec?
• Routing features running? NAT, BGP, OSPF… Using the firewall as a router…
• Err on the side of a larger NGFW model – an uptick or two in the firewall line…
Always Be Prepared…
• Ensure you size the appliance for doing decryption of SSL-TLS traffic! Right tool for the job… Look up a few models… F-150, F-250, F-350
• SSL-TLS Certificates – it’s your job… Pushing certificates to endpoints (don’t be afraid of third-party). BYOD devices? Do not use a built-in certificate unless it is a last resort.
• Certificate Pinning is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis‐issued or otherwise fraudulent certificates. Certificate pinning allows the client to decide whether or not to send traffic based on whether it trusts the server certificate. Apps such as: Dropbox
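The pin check a pinning app performs, as an added example in Go (not Dropbox's or Juniper's code), showing why such apps break behind a forward proxy. The pin is the SHA-256 of the server's DER SubjectPublicKeyInfo, base64 encoded; the service key, a backup key and the proxy's substituted key are all constructed here. Because the proxy re-issues the certificate with its own key, the pin check fails no matter which CA signed it, which is why the only workable treatment for pinned apps is a bypass rule.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
)

// spkiPin returns the pin an app ships for a server:
// base64(SHA-256(DER SubjectPublicKeyInfo)). It covers the public key, not the
// whole certificate, so a routine renewal with the same key keeps the pin valid.
func spkiPin(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinMatches is the client-side check: the presented key must match one of the
// pins baked into the app (a primary plus at least one backup is the usual set).
func pinMatches(presented crypto.PublicKey, pins []string) (bool, error) {
	got, err := spkiPin(presented)
	if err != nil {
		return false, err
	}
	for _, p := range pins {
		if p == got {
			return true, nil
		}
	}
	return false, nil
}

// runDemo builds the service key, a backup key and the proxy's substituted key
// (all constructed) and reports whether each passes the app's pin check.
func runDemo() (originOK, backupOK, proxyOK bool, err error) {
	gen := func() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
	origin, err := gen() // key behind the real server certificate
	if err != nil {
		return
	}
	backup, err := gen() // spare key whose pin ships alongside, for key rotation
	if err != nil {
		return
	}
	proxy, err := gen() // key the NGFW binds to its re-issued certificate
	if err != nil {
		return
	}
	p1, err := spkiPin(&origin.PublicKey)
	if err != nil {
		return
	}
	p2, err := spkiPin(&backup.PublicKey)
	if err != nil {
		return
	}
	pins := []string{p1, p2}
	if originOK, err = pinMatches(&origin.PublicKey, pins); err != nil {
		return
	}
	if backupOK, err = pinMatches(&backup.PublicKey, pins); err != nil {
		return
	}
	proxyOK, err = pinMatches(&proxy.PublicKey, pins)
	return
}
```

From the detection side, a pinned app behind a proxy shows up as a TLS session that completes the handshake and is then immediately closed by the client; those client-side aborts are the signal to look for when deciding which apps need a bypass entry.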
SSL Proxy Implementation – Final Thoughts
• SSL Proxy is “Deep Packet Inspection”, where the payload in packets is scanned against signatures which are referenced by security services such as IPS/IDS, AV-Gateway, URL/Web Filtering, Anti-Spyware, Application Awareness, Bot prevention, ATP…
• In order for the SSL inspection appliance to decrypt and re-encrypt the content before it’s sent back to the end users, it must be able to issue SSL certificates on the fly.
• SSL Forward Proxy is an administratively-sanctioned MitM (Man in the Middle) attack, which allows the firewall to inspect the traffic payload, regardless of the SSL/TLS characteristics of the traffic in question.
• SSL Proxy is not protocol-specific. It can be used to allow Junos security services to inspect several encrypted protocols such as SMTPS, LDAPS, HTTPS, FTPS, etc. SSL FP works independently of the port numbers used. Everything uses SSL…
Thank you
SRX5000 w/SPC3: campus & secure router use cases
SRX5000 w/SPC3 easily meets the needs of diverse deployments
[Diagram: HQ or Campus – Campus Edge Firewall (NGFW/ATP), Multi Services Gateway, Secure Router / SD-WAN, VPN Hub – Internet – Branch Offices with Branch Firewall, Branch Office Devices, Wireless APs, L2 Switch]
• 1G/10G/40G/100G interfaces
• Upgradeable performance
Multi-services Gateway:*
• Integrated security
• IPsec = 80-800Gbps
• Tunnels = 15K-70K
Feature rich services*
• SDSN – Intent based policy, Sky ATP & E2E Policy
• SSL Proxy = 18-180Gbps
* high number: SRX5800 with 10 SPC3 cards; low number: SRX5000 w/1 SPC3 card
SRX5K-SPC3 performance projections (1/2)
Performance metric            Per card           Per SRX5800 chassis (10 SPC3 + 2 IOC4)*   Improvement over SPC2
IMIX Firewall                 160Gbps            1.4Tbps (9 SPC3 + 3 IOC4)                11X
IMIX CGNAT                    160Gbps            1.4Tbps (9 SPC3 + 3 IOC4)                11X
IMIX IPsec                    80Gbps             800Gbps                                  16X
Max IPsec tunnel size         6.8Gbps / tunnel                                            1X
Session count                 50M                500M                                     2X
FW CPS                        1M                 10M                                      5X
IPsec tunnels                 15K                70K                                      3x / card; 25% / system
IPsec TPS (mutual 2K certs)   40                 150                                      4X
IPS HTTP / enterprise mix     80/60Gbps          800/600Gbps                              6X
L4‐L7 app FW                  80Gbps             800Gbps                                  3X
* Unless otherwise noted