HTTPS apps identified without decryption

L0 Member

Hi all,

in my configuration I have neither SSL Decryption implemented nor URL Filtering. I only have 1 policy: "trust to untrst accept all" in Vwire. PANOS 4.0.2

If, from my PC behind PAN device, I try to go to: https://www.facebook.com

PAN device shows me the app facebook-base in the Traffic Logs.

If I put a block policy for all facebook traffic and try to go to https://www.facebook.com

PAN device blocks my connection and I see the facebook-base app blocked in my Traffic Logs.

I analyzed my traffic with Wireshark and the only things I see are:

- DNS Request for facebook.com
- TLSv1 Negotiation phase
- Change Cipher Spec exchange
- Application phase (where the application layer takes place) with the Application Data Protocol (HTTP) encrypted.

Everything is encrypted, there is no HTTP GET in clear, no URL visible (obviously the URLs are encrypted)...

So, the question is: how is it possible that PAN device sees Facebook traffic in an HTTPS (TLSv1) connection?

Then, when do I need to implement SSL Decryption? Only if I want "safe enablement"?

The same behavior with https://secure.logmein.com

Thanks...maybe I have been missing something...


L3 Networker

Interesting. I just watched this video of Nur's interview and he briefly mentioned something about this..

http://www.youtube.com/watch?v=kklH3QONErk&feature=player_embedded  he mentioned a heuristic approach at around 9:15.

Yes, Friento

I know about the Heuristic engine but this should be applied to custom encrypted applications, such as Tor, Bittorrent, etc. not to HTTPS traffic...

My guess would be that it's possibly looking at the "common name" of the SSL certificate which should be viewable during the initial SSL negotiation.

Regarding using SSL decryption...

My previous experience had been that without SSL decryption the PA will block specified HTTPS sites but is unable to inject its custom "response page" notifying the user that the URL has been blocked.. so it just looks like a page timeout.. which is not ideal as it will likely generate support calls.

Are you sure you are being blocked because of application and not by URL filtering?  The initial certificate exchange is in the clear and the Paloalto can read the destination URL in the cert and still do a URL filtering evaluation.

SKrall

Hi Skrall,

I'm totally sure. I don't have URL Filtering enabled, my Security Policy is just like I said (ANY ANY ALLOW)

No SSL Decryption.

So, you are saying that PAN reads the certificate sent by the server to the client, which will be used to generate session keys and to encrypt the following sessions? For this activity does PAN need URL Filtering enabled?  In my case there is no URL Filtering and it just blocks every https connection I decide to block (facebook, gmail, logmein, etc)!

If so, don't you think this should be documented?

I appreciate any further information.

Thanks

I guess that in this case the application is simply recognised by the URL (or corresponding IPs)

The URL should not be visible, as the TLS RFC says and as my Wireshark shows.

The only possible way I think is a Reverse Lookup on the IP address (to identify the hostname) made by PAN device prior to applying the action.

Any "certified" answer by PAN support will be appreciated.

Thanks

In your sniffer trace, look for a packet with a summary description of  "Server Hello, Certificate".  It is usually the second TLS packet sent from the web site to the client. In the payload you can see the certificate details. One of those details is the FQDN for the webserver "www.facebook.com". If you are blocking the Facebook Base application then this cert is all we need to classify the traffic as Facebook and drop it even though it is considered SSL. Not all of the applications work this way but Facebook only has one product so they are easy to identify.

Steve Krall
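To see concretely what is readable without decryption, here is an added Python example (not Palo Alto's code and not from this thread) that walks a TLS record stream, finds the Certificate handshake message and pulls the subject CN out of the DER bytes; the sample record is constructed in the block with a stand-in DER body that carries only the CN RDN, not a real certificate.

```python
import struct
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)

def tls_records(data):
    """Split a raw TLS byte stream into (content_type, payload) records."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def handshake_messages(payload):
    """Split a handshake record (content type 22) into (msg_type, body) messages."""
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def certificate_names(body):
    """Subject CN of each certificate in a Certificate (type 11) message body."""
    names, off = [], 3  # skip the 3-byte certificate_list length
    while off + 3 <= len(body):
        clen = int.from_bytes(body[off:off + 3], "big")
        der = body[off + 3:off + 3 + clen]
        # Issuer precedes subject in a TBSCertificate, so the last CN is the subject's.
        idx = der.rfind(CN_OID)
        if idx != -1:  # OID, then string tag, short-form length (< 128), value
            vlen = der[idx + 6]
            names.append(der[idx + 7:idx + 7 + vlen].decode("ascii", "replace"))
        off += 3 + clen
    return names

def server_name_from_stream(data):
    for ctype, payload in tls_records(data):
        if ctype == 22:
            for mtype, body in handshake_messages(payload):
                names = certificate_names(body) if mtype == 11 else []
                if names:
                    return names[0]
    return None

def build_certificate_record(cn):
    rdn = CN_OID + b"\x0c" + bytes([len(cn)]) + cn  # constructed: CN RDN only, not a real cert
    der = b"\x30" + bytes([len(rdn)]) + rdn
    cert_list = len(der).to_bytes(3, "big") + der
    hs_body = len(cert_list).to_bytes(3, "big") + cert_list
    hs = b"\x0b" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE = build_certificate_record(b"www.facebook.com")
```

On a real capture the same walk over the server-to-client bytes yields the CN that the device can match before any application data flows; a TLS 1.3 server would encrypt the Certificate message, so only the client's SNI would remain in the clear there.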

Hi Steve.

This sounds good! 🙂

Unfortunately, this behaviour is not documented in any pdf/manuals/student guide I've ever read.

Are there other "obscure" mechanisms that PAN uses to identify an App? As far as I know: protocol decoder, app signature, protocol decryption, heuristic

I ask you this because it is important to know if I have to activate SSL Decryption (with heavy impacts in the organization, privacy, etc) to intercept apps inside TLS or not. I know that this is applied only to base apps (not sub-function)...

Thanks so much!
