topic Re: HTTPS apps identified without decryption in General Topics

HTTPS apps identified without decryption

migration — Tue, 16 Aug 2011 13:59:33 GMT

Hi all,

in my configuration I have neither SSL Decryption implemented nor URL Filtering. I only have 1 policy: "trust to untrst accept all" in Vwire. PANOS 4.0.2

If, from my PC behind PAN device, I try to go to: _https://www.facebook.com_

PAN device shows me the app facebook-base in the Traffic Logs.

If I put a block policy for all facebook traffic and try to go to _https://www.facebook.com_

PAN device blocks my connection and I see the facebook-base app blocked in my Traffic Logs.

I analyzed my traffic with Wireshark and the only things I see are:

- DNS Request for facebook.com

- TLSv1 Negotation phase

- Change Chiper Spec exchange

- Application phase (where the application layer takes place) with the Application Data Protocol (HTTP) encrypted.

Eveything is encrypted, there is no HTTP GET in clear, no URL visible (obviously the URLs are encrypted)...

So, the question is: how is it possible that PAN device sees Facebook traffic in a HTTPS (TLSv1) connection?

Then, when I need to implement SSL Decryption? Only if I want "safe enablement"?

The same behavior with _https://secure.logmein.com_

Thanks...maybe I have been missing something...

Re: HTTPS apps identified without decryption

friento — Tue, 16 Aug 2011 17:08:14 GMT

Interesting. I just watch this video of Nur's interview and he briefly mentioned something about this..

http://www.youtube.com/watch?v=kklH3QONErk&feature=player_embedded he mentioned about heuristic approach.. at around 9:15 time.

Re: HTTPS apps identified without decryption

migration — Tue, 16 Aug 2011 18:57:50 GMT

Yes, Friento

I know about Heuristic engine but this should be apply to custom encrypted application, such as Tor, Bittorrent, etc. not to HTTPS traffic...

Re: HTTPS apps identified without decryption

ucteam — Wed, 17 Aug 2011 00:05:18 GMT

My guess would be that its possibly looking at the "common name" of the SSL certificate which should be viewable during the initial SSL negotiation.

Regarding using SSL decryption...

My previous experience had been that without SSL decrpytion the PA will block specified HTTPS sites but is unable to inject its custom "repsonse page" notifying the user that the URL has been blocked.. so it just looks like a page timeout.. which is not ideal as will likely generate support calls.

Re: HTTPS apps identified without decryption

skrall — Wed, 17 Aug 2011 05:08:58 GMT

Are you sure you are being blocked because of application and not by URL filtering? The initial certificate exchange is in the clear and the Paloalto can read the destination URL in the cert and still to a URL filtering evaluation.

SKrall

Re: HTTPS apps identified without decryption

migration — Wed, 17 Aug 2011 10:56:56 GMT

Hi Skrall,

I'm totally sure. I don't have URL Filtering ebabled, my Security Policy is just like I said (ANY ANY ALLOW)

No SSL Decryption.

So, you are saying that PAN read the certificate sent by server to the client, which will be used to generate session keys and to encrypt following sessions? For this activity PAN need URL Filtering enabled? In my case there is no URL Filtering and it just block every https connection I decide to block (facebook, gmail, logmein, etc)!

If so, do you think this should be documented, don't you?

I appreciate any further information.

Thanks

Re: HTTPS apps identified without decryption

Bart_Jocque — Wed, 17 Aug 2011 11:07:45 GMT

I guess that in this case the application is simply recognised by the URL (or corresponding IP's)

Re: HTTPS apps identified without decryption

migration — Wed, 17 Aug 2011 11:17:04 GMT

URL should not be visible as TLS RFC says as well as my Wireshark.

The only possible way I think is a Reverse Lookup on the IP address (to identify the hostname) made by PAN device prior to apply the action.

Any "certified" answer by PAN support will be appreciated.

Thanks

Re: HTTPS apps identified without decryption

skrall — Wed, 17 Aug 2011 18:58:15 GMT

In your sniffer trace, look for a packet with a summary description of "Server Hello, Certificate". It is usually the second TLS packet sent from the web site to the client. In the payload you can see the certificate details. One of those details is the fqdn for the webserver "www.facebook.com". If you are blocking the Facebook Base application then this cert is all we need to classify the traffic as Facebook and drop it even though it is considered SSL. Not all of the applications work this way but Facebook only has one product so they are easy to identify.

Steve Krall

Re: HTTPS apps identified without decryption

migration — Thu, 18 Aug 2011 16:55:50 GMT

Hi Steve.

This sounds good! 🙂

Unfortunatelly, this beaviour is not documented in any pdf/manuals/student guide I've ever read.

Are there other "obscure" mechanism that PAN uses to identify an App? As far as I know: protocol decoder, app signature, protocol decryption, heuristic

I ask you this because is important to know if I have to activate SSL Decryption (with heavy impacts in the organization, privacy, etc) to intercept apps inside TLS or not. I know that this is applied only to base apps (not sub-function)...

Thanks so much!