Our custom-app has impacted all SSL traffic

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
bambox
L1 Bithead

Our custom-app has impacted all SSL traffic

Hi Team,

 

We have a client who do not have SSL decryption and has many third-party applications working over SSL on different ports other than 443. 

 

The client has a security requirement that all applications need to be categorized by Palo alto firewall, so they do not wish to use any service ports in the Service column field. Also, they do not wish to use the Parent App field where a security rule must exist to allow the Parent App for the custom app to be working. So, we have decided to go through that route and create a custom application for their app working over SSL port 8443. And added this signature 

http/1.1 in hex \x 68 74 74 70 2f 31 2e 31 \x. And this is where everything went downside, all SSL traffic stopped working and all traffic started being recognized as the custom app. Since the amount of information SSL hello is limited, we couldn't find any additional information to add to the custom app. What do you guys suggest to use for custom apps running SSL traffic when you do not have decryption. 

 


Accepted Solutions
BPry
Cyber Elite

@bambox,

Ya, as you saw you definitely don't want to make such a simple signature in a custom app-id without additional conditional statements. When you're looking at the traffic what actually stays the same? While it's true that you're going to be limited if they aren't decrypting traffic, you still have a good amount of data to work with. When possible I try to get ssl-req-client-hello and match the server name. Keep in mind that the more data you can identify to create additional criteria with the better, it's only going to make your app-id more reliable if you do things correctly. 

View solution in original post


All Replies
BPry
Cyber Elite

@bambox,

Ya, as you saw you definitely don't want to make such a simple signature in a custom app-id without additional conditional statements. When you're looking at the traffic what actually stays the same? While it's true that you're going to be limited if they aren't decrypting traffic, you still have a good amount of data to work with. When possible I try to get ssl-req-client-hello and match the server name. Keep in mind that the more data you can identify to create additional criteria with the better, it's only going to make your app-id more reliable if you do things correctly. 

View solution in original post

bambox
L1 Bithead

Thank you so much. I had asked the client to telnet to a hostname instead of an IP for us to create the signature based on the SNI field and it worked! 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!