Safely Inspecting SSL Transactions Using SSL Decryption
CERT/CC recently published a paper, "The Security Impact of HTTPS Interception", that discusses the risks and tradeoffs of SSL/TLS interception. US-CERT has issued alerts highlighting the CERT/CC paper, which customers may have received.
The US-CERT alert and the CERT/CC paper describe intermediaries that intercept SSL/TLS sessions and negotiate weaker parameters (older protocol versions, weaker cipher suites, or no forward secrecy) than the client and server would have negotiated directly, turning an otherwise secure connection into an insecure one. This issue does not apply to the mechanism PAN-OS uses to decrypt SSL/TLS sessions, because PAN-OS does not alter the cryptographic parameters negotiated by the client and the server. Note that an SSL Forward Proxy deployment involves two TLS sessions, client-to-firewall and firewall-to-server, so the practical check is that the protocol version and cipher suite on the client-facing session are not weaker than those negotiated with the server.
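The downgrade concern above can be verified rather than taken on trust. The following is an added example, not code from Palo Alto Networks or from the CERT/CC paper: it parses the ServerHello from each leg of an intercepted session (client-to-firewall and firewall-to-server, as captured from a packet trace) and flags a version downgrade, loss of forward secrecy, or a pre-TLS 1.2 client-facing session. The ServerHello records below are constructed test fixtures built by `build_server_hello`, which is a helper for this example, not real handshake output; the cipher-suite table covers only a handful of suites by IANA code point.

```python
import struct
from dataclasses import dataclass

# Minimal cipher-suite table (IANA code points): name and whether the suite
# provides forward secrecy. Unknown suites are reported by number and treated as non-PFS.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", True),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", True),
    0x1301: ("TLS_AES_128_GCM_SHA256", True),
    0x1302: ("TLS_AES_256_GCM_SHA384", True),
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


@dataclass
class ServerHello:
    version: int
    cipher_suite: int


def parse_server_hello(record: bytes) -> ServerHello:
    """Parse one TLS record (content type 0x16) carrying a ServerHello message."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip server random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite, compression method
    # TLS 1.3 keeps legacy_version = 0x0303 and carries the real version
    # in the supported_versions extension, so walk the extensions if present.
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    return ServerHello(version, cipher)


def build_server_hello(version: int, cipher_suite: int, tls13: bool = False) -> bytes:
    """Build a minimal ServerHello record as a constructed fixture (not real handshake output)."""
    legacy = 0x0303 if tls13 else version
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00"      # version, random, empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"            # cipher suite, null compression
    if tls13:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, version)
        hello += struct.pack("!H", len(ext)) + ext
    else:
        hello += struct.pack("!H", 0)                             # no extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", legacy) + struct.pack("!H", len(handshake)) + handshake


def compare_legs(client_leg: bytes, server_leg: bytes) -> list:
    """Compare the client-facing ServerHello with the upstream one and list weakening findings."""
    c, s = parse_server_hello(client_leg), parse_server_hello(server_leg)
    vname = lambda v: VERSION_NAMES.get(v, hex(v))
    c_name, c_pfs = CIPHER_SUITES.get(c.cipher_suite, (hex(c.cipher_suite), False))
    s_name, s_pfs = CIPHER_SUITES.get(s.cipher_suite, (hex(s.cipher_suite), False))
    findings = []
    if c.version < s.version:
        findings.append(f"version downgrade: client side {vname(c.version)} vs server side {vname(s.version)}")
    if s_pfs and not c_pfs:
        findings.append(f"forward secrecy lost: client side {c_name} vs server side {s_name}")
    if c.version < 0x0303:
        findings.append(f"client side negotiated {vname(c.version)}, below TLS 1.2")
    return findings


# Constructed sample: a proxy that mirrors the upstream parameters, and one that weakens them.
GOOD = compare_legs(build_server_hello(0x0303, 0xC02F), build_server_hello(0x0303, 0xC02F))
BAD = compare_legs(build_server_hello(0x0301, 0x002F), build_server_hello(0x0304, 0x1301, tls13=True))

if __name__ == "__main__":
    print("mirrored parameters:", GOOD or "no findings")
    print("weakened client leg:", BAD)
```

A lower version on the client-facing leg is not always the firewall's doing (the client may simply not offer TLS 1.3), so treat the version finding as a prompt to inspect the ClientHello from the same capture; the forward-secrecy and pre-TLS 1.2 findings are the ones that indicate the interception itself is weakening the session.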
- Internet Gateway Best Practice Security Policy, Decrypt Traffic for Full Visibility and Threat Inspection
- How to Configure an OCSP Responder
- PAN-OS® Administrator’s Guide, Configure SSL Forward Proxy
- PAN-OS® New Features Guide, Perfect Forward Secrecy (PFS) Support
- PAN-OS Web Interface Reference, Device > Certificate Management > Certificates
- How to Implement and Test SSL Decryption
- How to Enable CRL and OCSP from the WebGUI and CLI