Safely inspecting SSL transactions

by kshorrock on 03-20-2017 03:04 PM

Summary

CERT/CC has recently published a paper, "The Security Impact of HTTPS Interception"[1], discussing the risks of SSL inspection. The publication discusses the tradeoffs of using SSL interception. US-CERT has issued Alerts[2][3] highlighting the CERT/CC paper, which customers may have received.

The US-CERT Alerts and the CERT/CC paper describe intermediaries that intercept SSL/TLS and negotiate insecure SSL/TLS parameters on what would otherwise be a secure connection between the client and the server. This issue does not apply to the mechanisms PAN-OS uses to decrypt SSL/TLS sessions, because PAN-OS does not alter the cryptographic parameters negotiated by the client and the server.

Details

The information below provides details for customers who may be concerned about the issues mentioned in the paper.

PAN-OS helps customers eliminate the concerns mentioned in the CERT/CC paper. We recommend that customers review this document and the additional articles listed in the Resources section.

PAN-OS preserves the integrity of the SSL/TLS session by using the cryptographic settings of the original SSL/TLS negotiation as mandated by the client and the server. It does not change the cryptographic parameters once the session has been negotiated, and if the negotiated parameters do not meet the policy requirements defined by an administrator, PAN-OS can either block the session or leave it undecrypted, depending on the policy. Further, PAN-OS allows administrators to specify the supported SSL/TLS protocol versions and cipher suites, which reduces risk and eliminates the vulnerabilities mentioned in the paper.
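The two properties described above, a policy check on the negotiated protocol version and cipher suite, and a confirmation that the parameters seen by the client match those agreed with the server, can be expressed as a small, self-contained check. The following is an added illustration written for this article; it is not PAN-OS code and does not reflect how the firewall is implemented. It parses a TLS ServerHello record, evaluates it against a hypothetical administrator policy (minimum version, allowed cipher suites, and a violation action of "block" or "no-decrypt"), and compares the client-facing and server-facing legs of an inspected session. The ServerHello bytes, the policy values, and the names `DecryptionPolicy`, `evaluate` and `parameters_preserved` are constructed for the example; the version and cipher suite code points are the standard IANA assignments.

```python
"""Added example: policy evaluation of negotiated TLS parameters and a
client-leg vs. server-leg consistency check. Not PAN-OS code; all inputs
below are constructed for illustration."""
import struct
from dataclasses import dataclass

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

# Small subset of the IANA cipher suite registry (code points are the real assignments).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


@dataclass
class HelloParams:
    """Parameters fixed by a ServerHello: protocol version and cipher suite."""
    version: int
    cipher_suite: int


@dataclass
class DecryptionPolicy:
    """Hypothetical administrator policy (constructed for this example)."""
    min_version: int = 0x0303                       # TLS 1.2
    allowed_suites: frozenset = frozenset({0xC02F, 0xC030})
    on_violation: str = "block"                     # or "no-decrypt"


def parse_server_hello(record: bytes) -> HelloParams:
    """Extract version and cipher suite from a single TLS handshake record
    carrying a ServerHello (RFC 5246 framing)."""
    # Record header: content type (1) + record version (2) + length (2)
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: msg_type (1) + length (3); ServerHello is type 2
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                      # skip server_version and 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                # skip session_id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    return HelloParams(version, cipher)


def evaluate(params: HelloParams, policy: DecryptionPolicy) -> str:
    """Return 'decrypt' when the negotiated parameters satisfy the policy,
    otherwise the policy's configured violation action."""
    if params.version < policy.min_version or params.cipher_suite not in policy.allowed_suites:
        return policy.on_violation
    return "decrypt"


def parameters_preserved(client_leg: HelloParams, server_leg: HelloParams) -> bool:
    """True when the inspecting device negotiated the same version and cipher
    suite towards the client as it did towards the server (no downgrade)."""
    return client_leg == server_leg


def build_server_hello(version: int, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (constructed data)."""
    hs_body = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
               + session_id + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    policy = DecryptionPolicy()
    for ver, suite in [(0x0303, 0xC02F), (0x0303, 0x002F), (0x0301, 0xC02F)]:
        p = parse_server_hello(build_server_hello(ver, suite))
        print(TLS_VERSIONS[p.version], CIPHER_SUITES[p.cipher_suite], "->", evaluate(p, policy))
    strong = HelloParams(0x0303, 0xC02F)
    print("legs consistent:", parameters_preserved(strong, HelloParams(0x0303, 0x002F)))
```

The policy object models the two knobs the text describes: a floor on the protocol version and an allow-list of cipher suites, with the violation action selectable between blocking and passing the session through undecrypted. The `parameters_preserved` check is the property the CERT/CC paper is concerned with; an inspecting device that negotiates a weaker suite or version on one leg than the other would fail it.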

In addition, as a suggested best-practice, see https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visi... for information on preventing the use of weak cryptography by clients and servers in the network.

Should you have any questions or need help configuring our products, please don’t hesitate to reach out to your support provider or Palo Alto Networks Support Team at https://support.paloaltonetworks.com.

Reference

[1] - https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

[2] - https://www.us-cert.gov/ncas/alerts/TA17-075A

[3] - https://www.us-cert.gov/ncas/alerts/TA15-120A

Resources

[4] - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/decrypt-traffic-for-full-visi...

[5] - https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/622...

[6] - https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-pro...

[7] - https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/decryption-features/perfec...

[8] - https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificat...

[9] - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption...

[10] - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Enable-CRL-and-OCSP-from-the-WebG...
