Welcome to our presentation on capturing TCP/IP Payload for Prisma Defender, to validate that it uses TLS encryption and a stable WebSocket Connection. We'll explore the fundamentals of TCP/IP Stack, TCP/TLS Handshake and Wireshark, their importance in maintaining security for the Data is in motion.
Ubuntu Linux Host, with sniffing utility tcpdump
Prisma Defender Version 33
Prisma Self Hosted Compute Version 33.
Wireshark
Figure01: TCP_IP_Stack_Layers_
The TCP/IP Protocol Stack is a set of communication protocols used to interconnect network devices on the internet. It operates as a simplified model for network communication, based on the OSI Model. It is composed of four layers, each corresponding to specific functionalities in the data communication process. Here’s an overview:
Function: Provides high-level communication services and interfaces for user applications to interact with the network.
Key Responsibilities:
Enabling network access for software applications.
Providing services such as file transfer, email, and web browsing.
Protocols:
HTTP/HTTPS: For web browsing.
FTP/SFTP: For file transfers.
SMTP, IMAP, POP3: For email.
DNS: For domain name resolution.
Telnet/SSH: For remote terminal access.
Comparison to OSI Model: Combines the Application, Presentation, and Session layers.
Function: Ensures reliable and efficient data transfer between devices.
Key Responsibilities:
Segmenting and reassembling data.
Flow control and error handling.
Managing end-to-end communication.
Protocols:
TCP (Transmission Control Protocol): Reliable, connection-oriented communication (e.g., for emails, web browsing).
UDP (User Datagram Protocol): Fast, connectionless communication (e.g., for streaming, gaming).
Comparison to OSI Model: Equivalent to the Transport layer.
Function: Handles the logical addressing and routing of data packets across networks.
Key Responsibilities:
Assigning logical addresses (IP addresses).
Determining the best path for data transmission.
Fragmenting and reassembling packets.
Protocols:
IP (Internet Protocol): For addressing and routing.
IPv4: 32-bit addressing.
IPv6: 128-bit addressing (expanded address space).
ICMP (Internet Control Message Protocol): For error reporting and diagnostics.
ARP (Address Resolution Protocol): Maps IP addresses to MAC addresses.
NAT (Network Address Translation): Translates private addresses to public ones.
Comparison to OSI Model: Similar to the Network layer.
Function: Handles the physical transmission of data across a network.
Key Responsibilities:
Managing hardware addressing (e.g., MAC addresses).
Defining how data is transmitted over various physical media (e.g., Ethernet, Wi-Fi).
Protocols and Standards:
Ethernet, Wi-Fi (IEEE 802.11).
PPP (Point-to-Point Protocol).
Frame Relay, ATM (Asynchronous Transfer Mode).
Comparison to OSI Model: Combines the Data Link and Physical layers.
Prisma Cloud Defender is a component of Prisma Cloud, a comprehensive cloud-native security platform by. Defender is deployed within a customer’s environment to provide runtime protection and security monitoring for cloud workloads, containers, hosts, and serverless functions.
Install Defender:
Installed directly on hosts or as a container within orchestrated environments (e.g., Kubernetes, Docker).
Uses a lightweight footprint to minimize performance impact.
Protect Workloads:
Monitors file systems, processes, network activity, and system configurations.
Implements policies defined in the Prisma Cloud Console for runtime protection and compliance.
Send Insights to Console:
Defender continuously sends security data to the Prisma Cloud Console.
Provides detailed insights into runtime behavior, vulnerabilities, and policy violations.
Respond to Threats:
Alerts are generated for anomalous activities.
Based on predefined policies, Defender can take proactive measures to mitigate threats.
The Prisma Cloud Defender TCP handshake process involves establishing a secure and reliable connection between the Prisma Cloud Defender and the Prisma Cloud Console. It follows the standard TCP three-way handshake process, ensuring a robust communication channel. Here’s how it works:
SYN (Synchronize):
Prisma Cloud Defender sends a SYN packet to the Prisma Cloud Console to initiate a connection.
The SYN packet contains the Defender’s Initial Sequence Number (ISN) and indicates the intent to establish communication.
SYN-ACK (Synchronize-Acknowledge):
Prisma Cloud Console responds with a SYN-ACK packet to acknowledge the SYN request from the Defender.
The SYN-ACK packet includes the Console's ISN and acknowledges the Defender’s ISN.
ACK (Acknowledge):
Prisma Cloud Defender sends an ACK packet to confirm the SYN-ACK from the Console.
This finalizes the handshake, and the connection is established.
Post-Handshake:
After the handshake, the communication transitions to a secure TLS (HTTPS) connection.
Prisma Cloud Defender begins sending telemetry data and logs, while receiving policies and configurations from the Console.
Prisma Cloud Defender typically uses port 8084 for communication with the Prisma Cloud Console. This port is used for secure communication between Defender and the Console to send telemetry data, alerts, and receive configuration updates.
Key Points to Note:
Default Port:
Defender communicates with the Prisma Cloud Console over port 8084 by default.
Ensure that this port is open between the Defender and the Console in your network.
Custom Configuration:
The port can be customized during deployment or configuration based on your network policies.
Check the deployment script or configuration settings for specific port usage.
Communication Protocol:
Defender uses HTTPS (secure) to communicate with the Console, ensuring encrypted data transmission.
Firewall Rules:
Update firewall rules to allow traffic over the configured port between Defenders and the Prisma Cloud Console.
TCP Handshake:
The client initiates the connection with a SYN.
The server responds with SYN-ACK.
The client acknowledges with ACK, establishing the connection.
TLS Handshake:
The client sends a ClientHello to begin the secure handshake.
The server responds with a ServerHello.
The server sends its Certificate for authentication.
Both parties exchange a Finished message to confirm secure communication.
Steps:
Installed Host Defender on an Ubuntu Host.
Figure02: Ubuntu_Host_Running Defender_PaloAltoNetworks
Execute the tcpdump utility to capture the Defender Traffic, preferably in verbose mode (-vv option).
The tcpdump command is a powerful network packet analyzer used to capture and inspect network traffic in real-time.
It operates at the command-line level, displaying packets transmitted over a network.
Users can filter packets by criteria such as IP addresses, protocols, ports, and more, making it ideal for troubleshooting, security analysis, and network monitoring.
For example, tcpdump -i eth0 port 80 captures HTTP traffic on the eth0 interface. Captured data can also be saved to files for later analysis. Since it requires root privileges, it's typically run with administrative access, ensuring efficient access to network interfaces.
Figure03: Packet_Capture_TCP_Dump_
You can Analyze the Capture packets via tcpdump as well, however importing it in Wireshark would make the Analysis easier.
Wireshark is a popular graphical network protocol analyzer that captures and displays network traffic in detail for real-time or offline analysis. It supports a wide range of protocols, making it invaluable for troubleshooting, security investigations, and learning about network communications.
Users can apply filters to focus on specific traffic types, such as HTTP or DNS. Its user-friendly interface provides in-depth insights into packet data, including headers and payloads.
Wireshark also allows exporting captures for further analysis. It's widely used by network administrators, developers, and security professionals, offering robust features.
You can see the TCP Handshake Process followed by TLS 1.3 Negotiation and Handshake.
Figure04: Packet_Capture_TCP_Dump_
You can also set preferences in Wireshark to show you the Packets at different TCP/IP Layers.
Figure05: IP_Header_Defender_Console_
Figure06: Transport_Header_Defender_
You can further refer to the ACK, SEQ, FIN, RST Flags to understand the communication flow in more detail.
Secure Communication: Users can validate that Prisma Defender and Compute communicate via secure communication channel.
Troubleshooting: Users can use these steps to investigate or troubleshoot any underlying communication issue.
