09-18-2015 01:17 AM
Hi,
I´m trying out decrypting traffic to and from our Exchange server. When decrypting incomming traffic the application change from SSL to what ever is in there. ie ms-exchange, outlook-web, rpc-over-http etc. Now for clients to be able to connect I need to allow all theese applications instead of only SSL. Would this potentially present more of a risk than to not decrypt the traffic at all?
Please share youre thoughts on this.
//Mikael
09-18-2015 07:20 AM
Hi Mikael
yes, if you first restrict the service ports to a custom set of allowed ports (443 etc), this will restrict what kind of connections can be received.
The server should be configured to reject non-encrypted connections on these ports.
Decrypting the flow and allowing the applications will enable you to control application behavior through AppID (abnormal/unexpected behavior should cause the session to be dropped), it will also enable Threat Protection for this inbound flow, making sure no malicious code or files are being transmitted at your server, you can even apply URL filtering or DLP profiles.
If the flow is left encrypted the firewall cannot inspect for threats inside of the ssl tunnel and your server could be attacked.
regards
Tom
09-18-2015 02:50 AM - edited 09-18-2015 02:52 AM
Hi Mikael
Ideally you would create a security policy that not only allows the applications but also restricts the "tuples" eg. source and destination zones, ip's and ports
you could select to set a service to restrict all traffic to only the ssl ports used by your exchange (usually 443 and possibly 993 for imap ssl) which will limit the "cleartext" applications to connect to their ssl ports only. performing ssl decryption will allow you to detect attacks and infected traffic which will help protect your exchange far better than only allowing pure ssl
you'll want to manually create service objects instead of using "application default", as that would allow traffic on the default ports which you don't need in this scenario:
regards
Tom
09-18-2015 03:25 AM
Hi,
Yes, I did set the zones and public IP of Exchange server. I did notice that using application default in our environment didn´t work since web-browing is only allowed on port 80 by default and we do a redirect to HTTPS. So for the test I used 'any' for service which I would restrict if I decide on implementing this. But you would say that decrypting this traffic and allowing those applications is better(=safer) than just letting it pass through as SSL?
Thank you for you input on this.
//Mikael
09-18-2015 07:20 AM
Hi Mikael
yes, if you first restrict the service ports to a custom set of allowed ports (443 etc), this will restrict what kind of connections can be received.
The server should be configured to reject non-encrypted connections on these ports.
Decrypting the flow and allowing the applications will enable you to control application behavior through AppID (abnormal/unexpected behavior should cause the session to be dropped), it will also enable Threat Protection for this inbound flow, making sure no malicious code or files are being transmitted at your server, you can even apply URL filtering or DLP profiles.
If the flow is left encrypted the firewall cannot inspect for threats inside of the ssl tunnel and your server could be attacked.
regards
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
