Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How to allow only X.509 related cert validation traffic from trust to Untrust

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to allow only X.509 related cert validation traffic from trust to Untrust

L1 Bithead
 
5 REPLIES 5

Cyber Elite
Cyber Elite

Please provide additional detail/context.  Thank you.

Help the community: Like helpful comments and mark solutions

Hi Steve, 

We like to block as much as outbound traffic. we noted that most of windows servers are reaching to Internet to validate the certificate and digital signature.  my question is that At PAN level, is there any way to identify such traffic and block or allow it. 

It you are able to take a wireshark trace and capture the data that is transmitted by the servers, it is possible for customers to create a custom application that will parse your traffic and if you deny the traffic, then yes, it can be done... It is all up to you, as the end customer, to put the work into determining what that traffic signature would look like. 
Share with us what you find out, as you are probably not the only one who would want to do this.


BTW, does the traffic show up in the Traffic Logs as ssl on port 443, or some other way to identify it.  You seemed to know exactly what you are looking for, so I am curious did you do previous packet captures in the past.  I have not seen anyone get to this level of granularity, as cert validation is very important, as someone could attempt to spoof a trusted root CA. 

 

Have you attempted to contact  MS to see if they have any mechanism in place to reduce the amount of "check-in" traffic that their OS is configured to use? May be another way to do it.

Help the community: Like helpful comments and mark solutions

Cyber Elite
Cyber Elite

@Ismail2017,

Maybe I'm missing something, but all of this should just be straightforward OCSP traffic that happens over tcp/80. The firewall should be identifying all of that traffic properly, so you should be able to just allow OCSP traffic under application-default and that would allow for revocation checks to complete without issue. 

Hi SteveCantwell and Bpry, 

I  performed the below test but no conclusion yet.  At server , I initiated traffic using IE ( proxy disabled status)  to https://www.verizon.com ( example) , I checked the Firewall log i do not see any traffic related to OCSP.  In fact i saw the below info the Verizon cert, But I do not see any traffic to *.digicert.com @ PAN.    

 

My goal is to only allow X.509 related traffic from trust to Untrust, the problem is unable to identify these traffic in PAN. can you share your suggestion

 

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl3.digicert.com/sha2-ev-server-g3.crl
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl4.digicert.com/sha2-ev-server-g3.crl

 

 

  • 2358 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!