The Scenario
Network security systems, including firewalls, can be configured to control (permit or deny) encrypted traffic, but cannot decipher the contents of the encrypted communication. The Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, have become extremely popular choices for encrypting network communication, especially Internet web server traffic. The Palo Alto firewall features options to decrypt SSL/TLS traffic, providing increased visibility and threat protection. With the Palo Alto Networks Operating System (PAN-OS), firewalls can:
- Decrypt Internet-bound web sessions – Palo Alto Networks firewalls use the “man-in-the-middle” technique to perform Internet-bound decryption, also known as “Forward Proxy Decryption.”
- Apply Application and Content Inspection – After traffic is decrypted, Palo Alto Networks firewalls can apply App-ID and Content Inspection features to the decrypted or “Plaintext” traffic in real time.
- Perform Decryption Mirroring – Decrypted traffic can be forwarded to out-of-band security devices for further inspection and storage using port mirroring.
The Objective
In this lab, we will learn how to implement SSL/TLS Forward Proxy Decryption using Palo Alto Networks Next-Generation Firewalls in a Layer 3 deployment mode. We will also take advantage of the Decryption Port Mirror feature to allow for further analysis of decrypted data.
The Tools
Accomplishing your objective will require the configuration of several objects and elements:
- SSL/TLS Forward Proxy Certificates
- Client Certificate Store(s)
- Decryption Profile
- Decryption Policy Rules
- Decryption Port Mirror License (free)
- Decryption Port Mirror Interface
The Setup
Our lab setup consists of a Palo Alto firewall running PAN-OS 8.0 and configured in Layer 3 mode with two network interfaces attached to separate security zones (Trust and Untrust), and one interface dedicated to decryption port mirroring. Internet-bound web traffic sourced by clients behind the Trust zone is decrypted, inspected, re-encrypted and forwarded to the ultimate destination web servers. Decrypted traffic is copied and forwarded to out-of-band security systems using the Decryption Mirror interface.
The Lab Configuration Steps
Certificate Management
To perform SSL/TLS decryption, the firewall must issue certificates on the fly to clients on behalf of the web servers they are connecting to. These newly minted certificates must be signed by a Public Key Infrastructure (PKI) Certificate Authority (CA) certificate whose public and private key pair the firewall controls. These “signing” certificates can be self-signed or Intermediate CA certificates signed by an Enterprise Root CA.
Make Clients Trust the Certificate
After generating a Forward Trust certificate and private key to be used in signing trusted SSL/TLS connection certificates, you must ensure that the clients subject to decryption have the Forward Trust certificate installed and trusted by the OS, browser, and/or application certificate store.
Create a Decryption Profile
A Decryption Profile allows you to perform checks and verification on sessions, certificates, and protocol versions, giving you granular access to control many scenarios the firewall could encounter when processing SSL/TLS traffic.
Create Decryption Policy Rules
Decryption Policy Rules allow the firewall to granularly match specific network traffic and apply SSL/TLS decryption. In addition, exclusion or override rules can be configured to exempt certain traffic from decryption. Decryption rules operate in a similar fashion to Security and NAT rules where the policy is evaluated from the top down and the action associated with the first rule matched is taken.
Test Decryption from the Client
The initial configuration is done and the firewall is now configured to decrypt SSL/TLS traffic. The next step is to test whether things are working as expected.
Verify Traffic Logs on the Firewall
Once the client browser appears to be receiving the correct certificates from the firewall, verify that the firewall is decrypting the traffic. Once sessions are decrypted, the firewall will have visibility into each session and will be able to apply App-ID and Threat Protection.
Configuring Decryption Exemptions
When implementing SSL/TLS Decryption in any network, there are always cases in which certain traffic needs to be exempt from decryption. Some examples include:
- Organization policy or privacy rules (e.g. Exempt Medical and Financial sites)
- Applications with their own certificate stores that cannot be modified
- Client certificate “mutual” authentication in which a client certificate is required by the server (e.g. SmartCard or CAC)
- Certificate Pinning in which the application expects a specific set of certificates from certain web servers
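The top-down, first-match evaluation of Decryption Policy Rules and its effect on exemption rules can be modelled in a few lines. This is an added example, not PAN-OS code or configuration from the lab: the rule names and URL category names are constructed, the zone names follow the lab setup, and the model assumes that traffic matching no rule is left encrypted.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    url_categories: frozenset  # {"any"} matches every category
    action: str                # "decrypt" or "no-decrypt"

def _covers(rule_set, values):
    """True if rule_set matches every value in values."""
    return "any" in rule_set or ("any" not in values and values <= rule_set)

def _fields(rule):
    return (rule.src_zones, rule.dst_zones, rule.url_categories)

def evaluate(rules, src, dst, category):
    """Top-down evaluation; the first matching rule decides the action."""
    session = (frozenset({src}), frozenset({dst}), frozenset({category}))
    for rule in rules:
        if all(_covers(r, s) for r, s in zip(_fields(rule), session)):
            return rule.name, rule.action
    return None, "no-decrypt"  # model assumption: no match, no decryption

def shadowed(rules):
    """(later, earlier) pairs where an earlier rule matches everything the
    later rule could match, so the later rule never takes effect."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(e, l) for e, l in zip(_fields(earlier), _fields(later))):
                hits.append((later.name, earlier.name))
                break
    return hits

# Constructed rulebase: names and categories are illustrative only.
TRUST, UNTRUST = frozenset({"Trust"}), frozenset({"Untrust"})
DECRYPT_ALL = Rule("decrypt-outbound", TRUST, UNTRUST, ANY, "decrypt")
EXEMPT = Rule("exempt-financial-medical", TRUST, UNTRUST,
              frozenset({"financial-services", "health-and-medicine"}), "no-decrypt")
WRONG_ORDER = [DECRYPT_ALL, EXEMPT]   # exemption sits below the catch-all
RIGHT_ORDER = [EXEMPT, DECRYPT_ALL]   # exemption is evaluated first
```

With the exemption below the catch-all rule, financial traffic is still decrypted and `shadowed()` reports the exemption as unreachable; moving it to the top restores the intended behaviour.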
Test the Exemption from the Client
Once a decryption exemption rule is in place, test to make sure Financial sites are exempt from SSL/TLS decryption.
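Both client-side tests (decryption working, exemption working) come down to checking who issued the certificate the client receives: the Forward Trust CA on decrypted sessions, the site's own CA on exempt ones. The following is an added example, not part of the original lab; the CA name, host names and certificate dictionaries are constructed, and the dictionaries follow the format Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl

def fetch_cert(host, port=443, cafile=None):
    """Live check: return the verified server certificate for host.
    Raises ssl.SSLCertVerificationError if the client does not trust the
    issuer, e.g. the Forward Trust CA is missing from the client store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_cn(cert):
    """Pull commonName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(cert, forward_trust_cn):
    """'decrypted' if the firewall's signing CA issued the certificate."""
    return "decrypted" if issuer_cn(cert) == forward_trust_cn else "not-decrypted"

def audit(expected, certs, forward_trust_cn):
    """expected maps host -> 'decrypted' | 'not-decrypted'. Returns the hosts
    whose observed state differs, as (expected, observed, issuer CN)."""
    problems = {}
    for host, want in expected.items():
        got = classify(certs[host], forward_trust_cn)
        if got != want:
            problems[host] = (want, got, issuer_cn(certs[host]))
    return problems

# Constructed sample data (hypothetical CA name and hosts), usable offline.
FORWARD_TRUST_CN = "Lab Forward Trust CA"

def _cert(subject, issuer):
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("organizationName", "constructed"),),
                       (("commonName", issuer),))}

SAMPLE = {
    "news.example": _cert("news.example", FORWARD_TRUST_CN),
    "bank.example": _cert("bank.example", FORWARD_TRUST_CN),  # exemption not applied
    "clinic.example": _cert("clinic.example", "Public CA (constructed)"),
}
EXPECTED = {"news.example": "decrypted", "bank.example": "not-decrypted",
            "clinic.example": "not-decrypted"}
```

On a real client, replace the `SAMPLE` entries with `fetch_cert(host)` results; matching on the issuer common name is a quick check, and comparing the issuing CA's fingerprint is stricter.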
Set up Decryption Port Mirroring
Decryption Port Mirroring allows the firewall to make a copy of the Plaintext traffic and forward it to external security and logging systems. You need to activate a free license from the Palo Alto Networks Support Portal to enable this feature.
Configure the Decryption Mirror Interface
Decryption Port Mirroring requires a dedicated interface on the firewall. Once the Decryption Port Mirroring license is installed on the firewall, you will have the option to configure interfaces with type Decrypt Mirror.
Verify Forwarding of Decrypted Traffic
Once you have Decryption Port Mirroring configured and enabled on the firewall, you can verify that the external systems are receiving the out-of-band, Plaintext network traffic.
Next Steps
To read the full 18-page lab, use this link.
If you want to test this on your own and do not have access to a lab environment to do so, contact your Sun Management Account Rep to get pricing on a lab bundle. The newly released PA-220 and VM-50 appliances are excellent platforms for testing things such as this and there are specific part numbers for lab equipment that are more heavily discounted than the same appliance for use in production.
Sun Management
Sun Management is a Value Added Reseller (VAR) that focuses on Network and Internetwork Security Requirements. We focus on the Mid-Atlantic area: Maryland (MD), Virginia (VA), District of Columbia (DC), West Virginia (WV), Delaware (DE) and Pennsylvania (PA). Our credentials include Palo Alto Networks Services Provider, Palo Alto Networks Certified Training Partner, and Palo Alto Networks Certified Managed Security Service Provider (MSSP) using CORTEX XSOAR in a multi-tenant environment.
We address requirements concerning Network Detection and Response (NDR); internal and external TLS and SSL requirements for complete data visibility; Endpoint Detection and Response (EDR); the Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley and PCI DSS; penetration testing and firewall optimization; and Data Protection by tracking all Data Flows within the network, across applications, between users/servers and in the cloud. Contact us at (888) 773-9422 to set up a POC or if you just want more information.