Safely Inspecting SSL Transactions Using SSL Decryption

Created On 09/26/18 13:39 PM - Last Modified 07/30/20 18:08 PM


Symptom


The research paper "The Security Impact of HTTPS Interception" and the CERT/CC post "The Risks of SSL Inspection" [1] discuss the risks and trade-offs of SSL/TLS interception. US-CERT has published alerts [2][3] highlighting these publications, which customers may have received.

The US-CERT alerts and the CERT/CC post describe intermediaries that intercept a connection and then negotiate weaker SSL/TLS parameters than the client and server would have negotiated on their own, turning an otherwise secure connection into an insecure one. This issue does not apply to the mechanism PAN-OS uses to decrypt SSL/TLS sessions, because PAN-OS does not alter the cryptographic parameters negotiated by the client and the server.



Environment


  • PAN-OS


Resolution


The information below is for customers who may be concerned about the issues raised in the paper.

PAN-OS addresses the concerns described in the CERT/CC publication; we recommend that customers review this document and the additional articles listed in the Resources section.

PAN-OS preserves the integrity of the SSL/TLS session by honoring the cryptographic settings negotiated by the client and the server in the original SSL/TLS handshake. It does not change those parameters once the session has been negotiated. If the negotiated parameters do not meet the requirements the administrator has defined in the decryption policy and profile, PAN-OS either blocks the session or passes it through without decrypting it, as the policy specifies. Administrators can also restrict the SSL/TLS protocol versions and cipher suites the firewall accepts, which removes the weak-cryptography exposure described in the paper.

As a suggested best practice, see Decrypt Traffic for Full Visibility and Threat Inspection for guidance on preventing clients and servers in the network from using weak cryptography.
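The property claimed above (the client-facing leg is no weaker than the server-facing leg, and sessions that violate the administrator's version and cipher policy are blocked or left undecrypted) can be checked from the two ServerHello messages an inspected session produces. The script below is an added example, not PAN-OS code or Palo Alto Networks documentation: it parses a ServerHello record, evaluates it against an assumed policy with the same knobs the article describes (minimum protocol version, forbidden algorithms, block or no-decrypt on violation), and compares the two legs. The policy values, marker list, builder and sample records are constructed for illustration; the cipher-suite codes are real IANA assignments. It also handles the TLS 1.3 case, where the real version is carried in the supported_versions extension rather than the legacy version field.

```python
"""Check what an inspecting device negotiated on each leg of a TLS session.

Added example: all sample records are built by build_server_hello(), not
captured traffic. POLICY is a hypothetical administrator policy.
"""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}

# IANA cipher-suite codes used by the constructed samples (real assignments).
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("3DES", "RC4", "MD5", "NULL", "EXPORT", "_DES_")

# Assumed administrator policy (hypothetical; mirrors the knobs the article describes).
POLICY = {"min_version": 0x0303, "forbidden": WEAK_MARKERS,
          "require_pfs": True, "on_violation": "block"}


def build_server_hello(version, cipher, tls13=False):
    """Build a minimal ServerHello record (constructed sample for testing).

    TLS 1.3 keeps 0x0303 in the legacy version fields and signals 1.3 through
    the supported_versions extension (type 0x002B), which is emulated here.
    """
    wire_version = 0x0303 if tls13 else version
    body = (struct.pack("!H", wire_version) + b"\x00" * 32   # version, random
            + b"\x00"                                         # empty session id
            + struct.pack("!H", cipher) + b"\x00")            # cipher, null compression
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)          # supported_versions
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", wire_version, len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip server random
    pos += 1 + body[pos]                           # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression method
    if pos + 2 <= len(body):                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:      # supported_versions overrides legacy field
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return {"version": version,
            "version_name": TLS_VERSIONS.get(version, hex(version)),
            "cipher": cipher,
            "cipher_name": CIPHER_SUITES.get(cipher, hex(cipher))}


def has_pfs(params):
    """Forward secrecy: every TLS 1.3 suite, or an (EC)DHE key exchange below 1.3."""
    return params["version"] >= 0x0304 or "DHE" in params["cipher_name"]


def evaluate(params, policy=POLICY):
    """Return (verdict, reasons): 'allow', or the policy's on_violation action."""
    reasons = []
    if params["version"] < policy["min_version"]:
        reasons.append("protocol %s below minimum %s" % (
            params["version_name"], TLS_VERSIONS[policy["min_version"]]))
    if any(m in params["cipher_name"] for m in policy["forbidden"]):
        reasons.append("forbidden cipher suite %s" % params["cipher_name"])
    if policy["require_pfs"] and not has_pfs(params):
        reasons.append("no forward secrecy")
    return ("allow" if not reasons else policy["on_violation"], reasons)


def strength(params):
    """Coarse ordering: protocol version first, then cipher class (weak < no PFS < PFS)."""
    weak = any(m in params["cipher_name"] for m in WEAK_MARKERS)
    return (params["version"], 0 if weak else (2 if has_pfs(params) else 1))


def client_leg_not_weaker(client_leg, server_leg):
    """The property the article claims: what the client is offered must not be
    weaker than what was negotiated with the origin server."""
    return strength(client_leg) >= strength(server_leg)


if __name__ == "__main__":
    server_leg = parse_server_hello(build_server_hello(0x0303, 0xC030))
    client_leg = parse_server_hello(build_server_hello(0x0301, 0x000A))
    for name, leg in (("server leg", server_leg), ("client leg", client_leg)):
        print(name, leg["version_name"], leg["cipher_name"], evaluate(leg))
    print("client leg not weaker:", client_leg_not_weaker(client_leg, server_leg))
```

To use this against a live deployment, capture the ServerHello on each side of the firewall and pass the raw record bytes to parse_server_hello; the comparison fails in exactly the case the paper describes, a TLS 1.2 AEAD session with the origin server that is re-offered to the client as TLS 1.0 with 3DES. The no-decrypt outcome is modelled by setting on_violation in the policy to "no-decrypt".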

Should you have any questions or need help configuring our products, please don’t hesitate to reach out to your support provider or Palo Alto Networks Support Team at https://support.paloaltonetworks.com.



Additional Information


Reference

  1. https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
  2. https://www.us-cert.gov/ncas/alerts/TA17-075A
  3. https://www.us-cert.gov/ncas/alerts/TA15-120A


Resources

  1. Internet Gateway Best Practice Security Policy, Decrypt Traffic for Full Visibility and Threat Inspection
  2. How to Configure an OCSP Responder
  3. PAN-OS® Administrator’s Guide, Configure SSL Forward Proxy
  4. PAN-OS® New Features Guide, Perfect Forward Secrecy (PFS) Support
  5. PAN-OS Web Interface Reference, Device > Certificate Management > Certificates
  6. How to Implement and Test SSL Decryption
  7. How to Enable CRL and OCSP from the WebGUI and CLI


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllKCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail