topic Re: Inbound SSL decryption in vWire and Tap mode in General Topics

Inbound SSL decryption in vWire and Tap mode

AndreasB — Sat, 18 Feb 2012 00:28:51 GMT

Short question:

Is inbound SSL decryption possible in vWire and/or Tap mode?

Regards,

Andreas

Re: Inbound SSL decryption in vWire and Tap mode

James — Sat, 18 Feb 2012 00:32:08 GMT

Hi Andreas,

SSL Decryption is indeed possible in VWire, in both directions.

SSL Decryption is possible in TAP - but only for inbound, where you have the server certs.

Thanks

James

Re: Inbound SSL decryption in vWire and Tap mode

AndreasB — Sat, 18 Feb 2012 00:39:36 GMT

Hi James,

thanks for the quick reply.

I have outbound decryption working fine in vWire.

I didn't expect to get outbound decryption working in tap mode but I was hoping that it should work for inbound.

Need to debug then a bit more to get it working.

Regards,

Andreas

Re: Inbound SSL decryption in vWire and Tap mode

James — Sat, 18 Feb 2012 23:20:50 GMT

Good Luck!

Let us know if you need any further help

Best Regards

James

Re: Inbound SSL decryption in vWire and Tap mode

AndreasB — Mon, 20 Feb 2012 02:19:29 GMT

Looks like I need some additional help:

Let me first briefly describe my setup:

Internet - PAN vWire - SSG5 - SA2000

There is an incoming NAT rule forwarding traffic to port 443 directed to the SSG5 to the SA2000

I'd like to control the incoming traffic to the SA2000.

The SA 2000 is used for SSL VPN (Network Connect) and Activesync from mobile devices.

I loaded the certificate of the SA2000 to the PAN and started to decrypt inbound SSL traffic.

Originally I allowed only ssl and activesync to the SSG5. This didn't work.

When I checked the logs I saw that there was incoming web-browsing blocked to port 443

Looks like PAN first detects incoming SSL, next it sees the traffic as web-browsing and next as activesync.

My policy on the PAN has application default for the incoming services.

web-browsing on port 443 is blocked in this case.

I ended up adding an additional rule allowing web-browsing to port 443

After that activesync and network connect worked

But this is not what I want.

I'd like to allow only activesync and network connect (looks like there is no appID for Juniper Network Connect BTW)

Allowing web-browsing to port 443 leaves the door wide open for any sort of attacks.

Second question concerning outbound SSL decryption:

When I commit my config I get a warning that there is no untrust cert configured and therefore the trust cert will be used.

Any hint how to generate and load an untrusted cert to be used for outbound SSL decryption?

Regards,

Andreas

PS: I know that I probably could replace the SSG5 and SA2000 with the PAN but curently I'm missing the support for dynamic DNS.

Re: Inbound SSL decryption in vWire and Tap mode

gafrol — Mon, 20 Feb 2012 07:54:34 GMT

Hello Andreas,

regarding the outbound SSL decr. cert. Optionally you can generate an untrust-cert like below

For the inbound SSL part I always recommend not to use APP-ID exclusively. From a security perspective this can be a bit problematic, because PA needs to pass a certain amount of traffic before it can decide on an APP-ID. This leaves a kind of an exposure.Therefore it is adviseable to use at least a service port together with an APP-ID for inbound traffic.

But this is not what I want.

I'd like to allow only activesync and network connect (looks like there is no appID for Juniper Network Connect BTW)

Allowing web-browsing to port 443 leaves the door wide open for any sort of attacks.

Since you terminate SSL on the PA Firewall you can use Threat Prevention to further protect your environment for inbound traffic.

rgds Roland