<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic When doing inbound SSL decrypt via a Palo Alto firewall, how are the private keys that you load into the FW protected? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22822#M16675</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I had this question come up from a security minded colleague at work, and it was a good question that I didn't know the answer to.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In order to do SSL decryption for inbound SSL connections to servers that sit "behind" the Palo Alto, the procedure involves loading the SSL private keys onto the PA. Under "normal common sense security best practices," this is inherently a security risk, because the SSL private key of web servers should be protected as much as possible and definitely shouldn't be loaded onto a device that is inherently put on the edge of trusted networks (and usually is on the outer edge of a DMZ even in fact!).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So this begs the question: How are the private keys on a PA protected from tampering or from being stolen? If I steal a passive Palo Alto, can I break into it or remove the hard drives and pull the private keys off? What's to stop me from doing that?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 31 May 2013 19:20:44 GMT</pubDate>
    <dc:creator>ericgearhart</dc:creator>
    <dc:date>2013-05-31T19:20:44Z</dc:date>
    <item>
      <title>When doing inbound SSL decrypt via a Palo Alto firewall, how are the private keys that you load into the FW protected?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22822#M16675</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I had this question come up from a security minded colleague at work, and it was a good question that I didn't know the answer to.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In order to do SSL decryption for inbound SSL connections to servers that sit "behind" the Palo Alto, the procedure involves loading the SSL private keys onto the PA. Under "normal common sense security best practices," this is inherently a security risk, because the SSL private key of web servers should be protected as much as possible and definitely shouldn't be loaded onto a device that is inherently put on the edge of trusted networks (and usually is on the outer edge of a DMZ even in fact!).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So this begs the question: How are the private keys on a PA protected from tampering or from being stolen? If I steal a passive Palo Alto, can I break into it or remove the hard drives and pull the private keys off? What's to stop me from doing that?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 31 May 2013 19:20:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22822#M16675</guid>
      <dc:creator>ericgearhart</dc:creator>
      <dc:date>2013-05-31T19:20:44Z</dc:date>
    </item>
    <item>
      <title>Re: When doing inbound SSL decrypt via a Palo Alto firewall, how are the private keys that you load into the FW protected?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22823#M16676</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can specify a master key (Device &amp;gt; Master Key and Diagnostics) to encrypt private keys on the firewall.&lt;/P&gt;&lt;P&gt;Private keys are stored in encrypted form by default, even if a new master key is not specified.&lt;/P&gt;&lt;P&gt;The keys can be transported and they can be imported on a different box if the master key matches.&lt;/P&gt;&lt;P&gt;Without a master key match, the import will fail.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;AMeya&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 31 May 2013 22:28:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22823#M16676</guid>
      <dc:creator>UhMayYeah</dc:creator>
      <dc:date>2013-05-31T22:28:12Z</dc:date>
    </item>
    <item>
      <title>Re: When doing inbound SSL decrypt via a Palo Alto firewall, how are the private keys that you load into the FW protected?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22824#M16677</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Is there a doc describing this, including which algos/methods are being used etc.?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But as a side note to egearhert: If somebody breaks in and steals your PA gear, you should replace the private keys on your servers because they will most likely be affected anyway (somebody untrusted has been inside your datacenter).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, if I'm not mistaken, the private key thingy doesn't work if the servers are using DH (Diffie-Hellman) for key exchange.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another setup might be to use SSL offloading. For example, a setup such as Internet &amp;lt;-&amp;gt; F5 &amp;lt;-&amp;gt; PA &amp;lt;-&amp;gt; server(s) (I exclude routers/switches in this example).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This way the F5 can terminate the SSL session and forward the traffic in cleartext towards your servers through the PA. Of course the problem of "what if somebody steals the gear" is moved from the PA to the F5 (or similar device), but still.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 02 Jun 2013 17:52:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/when-doing-inbound-ssl-decrypt-via-a-palo-alto-firewall-how-are/m-p/22824#M16677</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2013-06-02T17:52:38Z</dc:date>
    </item>
  </channel>
</rss>