Advanced Deployment of WSA in IPv4 & IPv6 Networks
Tobias Mayer, Consulting Systems Engineer
BRKSEC-3771
Agenda
• WSA in Dual Stack with IPv6 & IPv4
• Kerberos Authentication Deep Dive
• xBQcQ8HVFbUb8vjqQmx7fw== (all about decryption of TLS)
• Conclusion
For Your Reference
• There are (many...) slides in your print-outs that will not be presented.
• They are there “For your Reference”
Angel “Aloisius”
• Some slides have this friendly guy in the right corner
• Those slides are meant to be non-standard advice or tips & tricks
WSA in Dual Stack
• IPv4 and IPv6 are two distinct protocols
• It is not possible to directly route between an IPv4 and an IPv6 host – it's simply a different language
• We need someone to “translate” between the two parties so they understand each other
IPv4 and IPv6
Explicit Proxy
[Diagram labels: Web Security Appliance, ASA 5500 Firewall, Internet, Internet Web server]
• Client requests a website
• Browser connects first to WSA
• WSA connects to website
• Firewall usually only allows web traffic for the proxy
• DNS Resolution is done by WSA
Explicit Proxy with IPv4 & IPv6
[Diagram labels: Web Security Appliance, ASA 5500 Firewall, Internet, Internet Web server, IPv4, IPv6]
• Client requests a website
• Browser connects first to WSA using IPv4 or IPv6
• WSA does DNS lookup
- A record returned and/or AAAA record returned
• Depending on the WSA setting, WSA builds the outgoing connection on either IPv4 or IPv6
• Setting IPv6 Addresses on the Interfaces
Explicit Mode with IPv4 & IPv6
• Setting IPv6 Routes
Explicit Mode with IPv4 & IPv6
• Setting DNS Servers
Explicit Mode with IPv4 & IPv6
Which Protocol should be preferred in case of A and AAAA record returned?
Packet Capture with IPv6
• Filter can be applied to IPv6 addresses
• Display of packets done via standard Wireshark
CLI
• Neighbor Cache in IPv6 is equivalent to the arp cache in IPv4
Display the arp-cache
Display the neighbor table
Transparent Proxy via WCCP
[Diagram labels: Web Security Appliance, ASA 5500 Firewall, Internet, Internet Web server, IPv4, IPv6]
• Client requests a website
• Browser tries to connect to Website
• Network Device redirects traffic to WSA using WCCP
• WSA proxies the request
• DNS Resolution is done by the Client
WCCP IPv6
[Diagram labels: VLAN10, VLAN40, Internet]
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
ip address 172.16.10.10 255.255.255.0
ipv6 address 2001:DB8:1:10::66/64
ipv6 nd ra suppress
ipv6 wccp 91 redirect in
ipv6 access-list wsav6
permit tcp 2001:DB8:1:10::/64 any eq www
permit tcp 2001:DB8:1:10::/64 any eq 443
WCCP IPv6 & IPv4
[Diagram labels: VLAN10, VLAN40, Internet]
ip wccp 90 redirect-list wsav4
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
ip address 172.16.10.10 255.255.255.0
ipv6 address 2001:DB8:1:10::66/64
ipv6 nd ra suppress
ip wccp 90 redirect in
ipv6 wccp 91 redirect in
ipv6 access-list wsav6
permit tcp 2001:DB8:1:10::/64 any eq www
permit tcp 2001:DB8:1:10::/64 any eq 443
!
ip access-list extended wsav4
permit tcp any any eq 80
permit tcp any any eq 443
Different service groups for IPv4 & IPv6
WCCP IPv6 & IPv4 – WSA Side of things….
In Dual-Stack Environments, two WCCP Service Groups are required.
WCCP IPv6 & IPv4 – WSA Side of things….
IPv6 Address of the Switch / Router
WCCP with L3 Switch – IPv6 Redirect - Verification
munlab-c6504#sh ipv6 wccp 90 det
WCCP Client information:
WCCP Client ID: 2001:420:44E6:2013::45
Protocol Version: 2.01
State: Usable
Redirection: L2
Packet Return: L2
Assignment: MASK
Connect Time: 00:13:25
Redirected Packets:
Process: 0
CEF: 0
GRE Bypassed Packets:
Process: 0
CEF: 0
Mask Allotment: 4 of 4 (100.00%)
Assigned masks/values: 1/4
Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: :: 300:: 0x0000 0x0000
[Callouts on the output: Version & State, Redirect Method, Assignment Method, Mask Value]
WCCP Dual-Stack with Router – ISRG2
Lab Setup with ISR G2
ip wccp source-interface GigabitEthernet0
ip wccp 91 redirect-list IPv4-WCCP
ipv6 unicast-routing
ipv6 cef
ipv6 wccp source-interface GigabitEthernet0
ipv6 wccp 90 redirect-list IPv6-WCCP
!
interface GigabitEthernet0
description WCCP-REDIR
ip address 172.16.201.1 255.255.255.0
duplex auto
speed auto
ipv6 address FD00:ABCD:1:2::1/64
ipv6 nd ra suppress all
!
[Diagram labels: Internet, P1, P2, Fa0, Gi0]
WCCP Dual-Stack with Router – ISRG2 (2)
Lab Setup with ISR G2
interface Vlan200
description WCCP Inside
ip address 172.16.200.1 255.255.255.0
ip wccp 91 redirect in
ipv6 address FE80::1 link-local
ipv6 address FD00:ABCD:1:1::1/64
ipv6 nd prefix FD00:ABCD:1:1::/64 no-advertise
ipv6 wccp 90 redirect in
!
interface FastEthernet0
switchport mode trunk
no ip address
[Diagram labels: Internet, P1, P2, Fa0, Gi0]
WCCP and IPv6 - PMTUD
• In IPv6, Fragmentation of Packets is only done by the END-Host.
• Network Devices on the Path are NOT allowed to do any Fragmentation
• Path MTU Discovery is used to determine the MTU on the Path from the Host to the Destination
• Explicit Mode:
• Works in a straightforward way, as the Client (End-Host) talks to the Proxy (End-Host)
• Proxy establishes a new Connection to the Destination Server (Separate Session)
WCCP and IPv6 - PMTUD
[Diagram labels: VLAN10, VLAN40 (WCCP), Internet, R1, R2]
• Client sends HTTP GET to Destination IP
• Request is intercepted by Switch and redirected to the WSA
• WSA forwards the request to the Destination Server on the Internet. Source IP is now either WSA or Client (with IP Spoofing)
• Traffic sent back to WSA from Server
• WSA forwards traffic to the client, spoofing the source of the Destination Server
WCCP and IPv6 – PMTUD (2)
[Diagram labels: VLAN10, VLAN40 (WCCP), Internet, R1, R2]
• If a device on the path from WSA to the Client (R1) has a lower MTU, it will send an ICMP Type 3 Code 1 (Packet-too-Big).
• Because the SOURCE IP of the Packet is the DESTINATION Server (WSA is spoofing it…) the ICMP packet too big will not reach the WSA.
• Solution: Take care of the MTU Size in your internal network
Redundancy using CARP
Common Address Redundancy Protocol
Internet
L2 Network
Virtual IP
• CARP provides virtual IP
• Works with IPv4 and IPv6
• Requires L2 connectivity
• Communication done via multicast
• One master, multiple slaves
Redundancy using CARP (2)
Redundancy Group for IPv4 & IPv6
Redundancy using CARP (3)
Higher Value = Master
Redundancy using CARP (4)
Testing via CLI – “TESTFAILOVERCONFIG”
Redundancy using CARP (5)
Testing via CLI – “TESTFAILOVERCONFIG”
CARP using mcast for keepalive
IPv6 Links to try
• http://www.ripe.net
• Displays your incoming IPv6 Address
• http://test-ipv6.com/
• Check if your Computer is IPv6 capable
• http://sixy.ch
• Search Engine for IPv6 Enabled Websites
• http://loopsofzen.co.uk/
• Game only reachable over IPv6
• http://6only.6now.net/
• Print a T-Shirt with the IPv6 Address you used to reach the Website
• http://6lab.cisco.com
• Check IPv6 Adoption
• http://www.kame.net/
• The dancing turtle…
CARP on Virtual Appliances
• vSwitch will by default drop all requests to any MAC address that is not bound to a physical interface
• Requires setting the Security on ESX to “Promiscuous Mode = Accept”
CARP – Log Files
Logging to be found in the “system_logs”
SPLUNK for WSA with v6
Leveraging field extractions from the Advanced Reporting App for WSA
Customizing the Access Log
Extremely useful in Dual-Stack Environments to find out whether WSA makes the outgoing connection on IPv4 or IPv6!
Source IP from Client = IPv6
Destination IP = v4
SPLUNK for WSA with v6
• Extract the Destination IP (previously added to the access_logs)
• Calculate a new field to determine if the address is v4 or v6
SPLUNK for WSA with v6
• Define your searches using the previously defined fields:
Destination IP Version Source IP Version
SPLUNK for WSA with v6
• Display the V6 to V6 Connections from the last 24 hours
Example Report #1
SPLUNK for WSA with v6 (2)
• Display the top Domains that are IPv6 enabled together with the Web Category
Example Report #2
SPLUNK for WSA with v6
Take source-ip and resolve DNS Name
DNS Resolution is very helpful with IPv6
Example Report #3
Summary of IPv6 Deployment
• WSA can use IPv4 and IPv6 concurrently
• Setup is done with just a few steps
• If only outgoing is IPv6 enabled, IPv4 clients require zero change
• Easy to make your first step towards IPv6 with the use of WSA!
• Authentication and Decryption work the same with IPv6 as with IPv4
• Transparent redirection via IPv6 requires support of WCCP v2.01
• Take care of MTU size in your network
• Modification of the access log with additional parameters enables good visibility into IPv6 network traffic using tools like SPLUNK
Identity with WSA
• WSA can use CDA for usernames and IP Mapping
• But:
• Using clients with dual-stack you may have a lot of IP addresses
• Clients use one IP address to log on to the AD -> this IP gets mapped in CDA.
• If the client traverses the proxy using another IP address, the firewall has no info about this IP and cannot map the user
• Conclusion: Identity based on IP <-> User mapping does not work well with dual-stack clients
• Need alternative solutions: active authentication like Kerberos
Kerberos Authentication
Kerberos – A Quick Refresher
[Diagram. Components: Key Distribution Center (Authentication Service, Ticket Granting Service) and a KRB Enabled Web Service]
1. Auth & Request TGT
2. Get TGT
3. Request Service Ticket
4. Get Service Ticket
5. Send Service Ticket to Service
6. Use Service
[Message labels in the diagram: AS_REQ, AS_REP, TGS_REQ, TGS_REP, AS_REQ, AS_REP]
Kerberos and Kerberos Constrained Delegation
• Kerberos Constrained Delegation
• Kerberos usually requires the client and the KDC to be in the same network
• In case this is not possible (think of ASA with a clientless SSL Portal), the ASA can request a TGT and Service Ticket on behalf of the client
• ASA would act as an Authentication Proxy to a “kerberized” application Server in the Backend
• WSA currently supports Kerberos Authentication of clients but not Kerberos Constrained Delegation
Kerberos vs. NTLM
A simplified view…
Kerberos
• Standard Protocol
• Available on many platforms (MAC, Linux, Windows, iOS, etc.)
• Preferred Protocol by Microsoft
• Less Resource intense
• Authentication in one turn
• Packet is bigger (6-16k)
• Provides SSO for “kerberized” applications
• Client needs to talk to the AD Controller and the Auth Server
NTLM
• Microsoft proprietary
• Legacy protocol
• Mostly on Windows Systems
• More Resource intense
• Each Server has to authenticate separately with the AD
• Multiple small packets are exchanged
• Only the Authenticating Server needs to talk to the AD Controller
• Can traverse proxies
Configuration on WSA
• If you upgraded from 7.x to 8.x, re-join the domain
• After re-join, the Kerberos Scheme is available
Configuration on WSA (2)
• Edit your Identities to use Kerberos as an authentication Scheme
• WSA can only use one NTLM Realm within one Authentication Sequence
• WSA can use multiple Kerberos Realms in one Authentication Sequence
1. Create each Realm on the WSA
2. Create a sequence on all the Realms
3. Create Identity
Multiple Realms within one identity
[Diagram labels: WSA; W2003, W2008, W2008R2, W2012; Client-1, Client-2, Client-3, Client-4]
Configuration on WSA (3)
• Strongly recommended to add %m to the accesslog (=Authentication Method)
• BASIC. The user name was authenticated using the Basic authentication scheme.
• NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.
• NEGOTIATE. The user name was authenticated using the KERBEROS authentication scheme.
• SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.
• SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility.
• SSO_ISE. The user was transparently authenticated by ISE
• FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing an application.
• GUEST. The user failed authentication and instead was granted guest access.
Client Tickets on a Windows7 Machine
Command: “klist tickets”
Ticket-Granting Ticket
Ticket for WSA
Client Tickets with AES Encryption
CSCuo74136 – fixed in 8.0.7 / 8.5.0
• Computer Object generated when joining domain has:
- msDS-SupportedEncryptionTypes
- operatingSystemVersion
set to <null>
• Result: Clients requesting Ticket for the WSA Service will get Default Tickets with DES / RC4
• Object msDS-SupportedEncryptionTypes must be set to ‘0x1C’
• OS Version must be ‘6’ or higher
Quick Test from a MAC
Request a Ticket from the Kerberos Domain “MUNSEC.COM”
TGT is displayed
Quick Test from a MAC (2)
• After requesting access from the WSA we got a Service Ticket for the WSA
Service Ticket for access to the WSA
Quick Test from a MAC (3)
• /System/Library/CoreServices/Ticket Viewer
Request a Ticket from the Kerberos Domain MUNSEC.COM
TGT is displayed
Example #1 : Join the AD domain with your MAC
• Joining the MAC to the AD Domain will create a computer account on the AD Server
• After successful join, log out and log in again with your AD Account
• When opening Safari, you will get authenticated to the WSA without prompt
• http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf
Join the AD Domain
Kerberos Authentication with WCCP
• When using transparent redirection and Kerberos, non-windows Clients like MAC OS X sometimes have problems with the redirection
• Make sure the WSA Hostname is the same as the redirection name
• WSA only accepts FQDN as Hostname -> Redirection Name as FQDN might cause trouble with Windows Clients
• Windows Clients require the redirection hostname added to the “Intranet Zone”
IE config for Kerberos
• Add the WSA to the local Intranet Zone and enable automatic logon
Firefox config for Kerberos
• Add the WSA as a trusted URL for Kerberos when prompted:
Example #2: SSO on Ubuntu Linux with Kerberos
Install Kerberos User Client
Demo: Kerberos on Linux
SSO on Ubuntu Linux with Kerberos
TIME! TIME ! TIME!
Initialize the User
Show our Tickets
WSA Logs
AD-User Kerberos
Debugging on the AD Server
• Turn on debugging on the AD Server for Kerberos
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
• Set “LogLevel” to “1” / Set “LogLevel” to “0” de-activates Kerberos debugging
• Windows Events
• 4768 : A TGT Ticket was Requested
• 4769: A Kerberos Service Ticket was Requested
• Both Events log success and failures. Result Codes: https://www.ietf.org/rfc/rfc4120.txt
• Check on AD-Server if SPN from WSA have been registered:
Windows Machine Authentication Issue
• Turn off NLA-Service Active Probing
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
– Set “EnableActiveProbing” to 0
• Advancedproxyconfig > authentication…Set to 1 sec for machine authentication
Dual Stack with Kerberos
• Windows AD by default does not include the Client IP in the Client Ticket
http://support.microsoft.com/kb/837361
• Ticket can be used for IPv4 & IPv6 Connections
1417685846.682 43 2001:420:44e6:2013:811e:aaa2:287e:f45c TCP_MISS/304
210 GET http://www.ripe.net/favicon.ico "MUNSEC\evyncke@MUNSEC"
DIRECT/www.ripe.net - DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-
NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-
,IW_comp,-,"-","-","Unknown","Unknown","-","-",39.07,0,-,"Unknown","-",-,"-",-,-,"-","-
"> - NEGOTIATE DestIP: 2001:67c:2e8:22::c100:68b AUTH: 0 DNS: 0 REP: 1
SFBR: 20 CFBWR: 0 AMP: - - - - - -
SPLUNK for Authentication Reports
• Extract the authentication type (add to the access_logs with the %m Parameter)
• Define a simple search
SPLUNK for Authentication Reports
• Display the different Authentication Methods used
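The Splunk reports described in the slides (IP version of client and outgoing connection, and the authentication method from %m) can also be produced directly from raw access_logs. The Python below is an added example, not part of the original deck or of any Cisco or Splunk tooling; it assumes the custom fields appear as in the slides' sample lines (the %m value followed by "DestIP:"), and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Field order follows the access_log lines in the slides, which were customized
# with "%m" (auth method) and a "DestIP:" field. The verdict block in <...> is
# skipped, not interpreted. Assumption: other custom formats need another regex.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"\s+\S+\s+\S+\s+'
    r'(?P<acl>\S+)\s+<.*>.*?\s(?P<auth>[A-Z_]+)\s+DestIP:\s+(?P<dest>\S+)'
)


def ip_family(value):
    """Return 'v4' or 'v6'; 'none' for '-' or anything that is not an IP."""
    try:
        return f"v{ipaddress.ip_address(value).version}"
    except ValueError:
        return "none"


def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_family"] = ip_family(rec["client"])
    rec["dst_family"] = ip_family(rec["dest"])
    return rec


def summarize(lines):
    """Count (client family, outgoing family, auth method) and unparsed lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            counts[(rec["src_family"], rec["dst_family"], rec["auth"])] += 1
    return counts, skipped


def bridged(lines):
    """Requests where the WSA's outgoing protocol differs from the client's."""
    recs = (parse_line(line) for line in lines)
    return [(r["client"], r["dest"]) for r in recs
            if r and "none" not in (r["src_family"], r["dst_family"])
            and r["src_family"] != r["dst_family"]]


SAMPLES = [
    # Lines 1-3: taken from the slides, verdict block shortened to a few fields.
    r'1417685846.682 43 2001:420:44e6:2013:811e:aaa2:287e:f45c TCP_MISS/304 210 GET '
    r'http://www.ripe.net/favicon.ico "MUNSEC\evyncke@MUNSEC" DIRECT/www.ripe.net - '
    r'DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-"> '
    r'- NEGOTIATE DestIP: 2001:67c:2e8:22::c100:68b AUTH: 0 DNS: 0',
    r'1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT '
    r'tunnel://www.google.de:443/ "hsimpson@MUNSEC" DIRECT/www.google.de - '
    r'DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_srch,5.9,1,"-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19',
    r'1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443 '
    r'"MUNSEC\administrator@munsec" DIRECT/www.startpage.com - '
    r'DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_srch,4.9,1,"-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0',
    # Line 4: constructed (IPv6 client, IPv4 destination, NTLM fallback).
    r'1417171300.000 30 fd00:abcd:1:1::30 TCP_MISS/200 512 GET http://www.example.com/ '
    r'"MUNSEC\jdoe@MUNSEC" DIRECT/www.example.com text/html '
    r'DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_comp,4.9,0,"-"> - NTLMSSP DestIP: 192.0.2.10 AUTH: 0 DNS: 0',
    # Line 5: constructed, truncated line without the custom fields.
    r'1417171301.000 12 172.16.10.30 TCP_MISS/200',
]

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLES)
    for key, n in sorted(counts.items()):
        print(*key, n)
    print("unparsed:", skipped)
    print("bridged:", bridged(SAMPLES))
```

Lines that lack the custom fields are counted as unparsed rather than dropped silently, which makes it visible when a log subscription is still on the default format.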
Kerberos - Summary
• WSA can authenticate users using Kerberos
• Need to re-join the Domain if the “Kerberos” scheme is not displayed
• Windows Clients will automatically try Kerberos first then fall back to NTLM
• Modify your accesslog with the “%m” Parameter to check the authentication method
• Enables Users to authenticate with non-windows clients like MAC, LINUX
• Works on IPv4 and IPv6
• Authenticate once and use ticket for multiple sites
• Useful when using several WSA such as with a load balancer * or WCCP
• CARP does not work with Kerberos currently.
* Has to support KDC
xBQcQ8HVFbUb8vjqQmx7fw==
Flow for Decryption
[Flowchart. Stages: Identity, Authentication, HTTP Proxy / HTTPS Proxy, Access Policy, Decryption Policy. Access Policy actions: Block, Monitor, Warn. Outcomes shown: block page displayed, warn page displayed, continue evaluation of Access Policies, page allowed, page blocked. Decryption Policy actions: Pass, Decrypt, Drop, Monitor. Outcomes shown: encrypted page displayed, go to Access Policy, block page displayed if “Decrypt for EUN” is selected (in 7.7+), continue evaluation of Decryption Policies.]
Flow for Decryption (2)
[Flowchart. Labels: Access Policy: Monitor; Applications; Granular Control (if available); Block; Monitor; block page displayed; continue evaluation of Access Policies. Decryption Policy: Monitor; WBRS Check: has score; Passthrough; Decrypt; Block; WBRS Check: has no score; Default Action.]
Certificate installation and usage - recap
• The WSA needs a CA Certificate to be installed
• Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this!
• After receiving the HTTPS Request, the WSA will grab the Server Certificate from the Destination
• It will create a new Certificate with (nearly) all the fields and sign this with its own Certificate
• CRL is not replicated because it would not match the “new” Certificate
• Client needs to trust the Certificate from the WSA
• Use a trusted subordinate CA Certificate or roll out your self-signed Cert to the Clients via GPO
Decryption Policy
• Policy can be based on
• Identification Profile (Identity)
• URL Category
• Web Reputation
• Additional Options
Certificate Error Handling
• Default Values provide a good balance between Security and User Experience
• End-User Notification in case of a “DROP” requires “DECRYPTION”
Settings on the WSA
Decrypting Web Category “Search Engines”
Explicit mode
1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT
tunnel://www.google.de:443/ "hsimpson@MUNSEC" DIRECT/www.google.de -
DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
<IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search
Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP:
2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -
1414066212.218 204 10.61.70.30 TCP_MISS_SSL/200 29694 GET
https://www.google.de:443/?gws_rd=ssl "hsimpson@MUNSEC" DIRECT/www.google.de
text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-
DefaultGroup <IW_srch,5.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-
","Google","Search Engine","-","-",1164.47,0,-,"Unknown","-",1,"-",-,-,"-","-"> - BASIC DestIP:
2a00:1450:4013:c00::5e AUTH: 0 DNS: 0 REP: 0 SFBR: 143 CFBWR: 51 AMP: 1 - - - - -
Decrypting Web Category “Search Engines”
Transparent mode
1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443
"MUNSEC\administrator@munsec" DIRECT/www.startpage.com - DECRYPT_WEBCAT_7-
DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-
,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-">
- NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - -
- -
1417171197.338 23 172.16.10.30 TCP_MISS_SSL/200 518 GET
https://www.startpage.com:443/js/abp.js?adType=1&advertiser=1&advertising=1
"MUNSEC\administrator@munsec" DIRECT/www.startpage.com application/javascript
DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
<IW_srch,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Generic Search
Engine Traffic","Search Engine","-","-",180.17,0,Local,"Unknown","-",1,"-",-,-,"-","-"> -
NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 20 CFBWR: 1 AMP: 1 - -
- - -
ACL Tag Decoded
DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
• ACL Decision Tag: DECRYPT_WEBCAT_7
• Access or Decryption Policy: DefaultGroup
• Identity: ID.MUNSEC
• Outbound Malware Scanning Policy: NONE
• Data Security Policy: NONE
• External DLP Policy: NONE
• Routing Policy: DefaultGroup
WSA, Authentication and SSL
• In Explicit mode, a „CONNECT“ request is made, giving the full URL to the WSA together with the „CONNECT“ request
• WSA replies with „407 Proxy auth required“
• At this time, WSA has the following information:
- destination host
- user agent
- user credentials verified
• WSA can decide whether to decrypt based on:
- Destination Host
- User Agent
- Proxy Port
- Subnets & Time Range
WSA, Authentication and SSL (2)
• In Transparent mode, there is no “CONNECT” but a “TCP_CONNECT”
• Since Client is not aware of WSA it will start a TCP connection to remote server
• Connection is redirected to WSA, client starts an HTTPS/SSL connection directly
• At this point WSA only knows destination IP and port
• WSA sends HTTPS “probe” (its own Client Hello) to get “Server Hello” and server certificate
WSA, Authentication and SSL (3)
• With the server certificate, WSA has knowledge of:
- Client IP
- Destination IP
- Server Certificate
- Common Name (CN) from server certificate is used as a request URL, thus used for URL category matching
• Based on this information WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
• All information normally sent in the HTTP Header (Cookies, User Agent, Mime-Type etc) is encrypted in the tunnel and thus not available to the WSA at this point.
WSA, Authentication and SSL (4)
• Should we decrypt? Very often based on URL Category... (think of finance websites...)
WSA, Authentication and SSL (5)
• Finding out the correct URL Category....
• Solution: Usage of SNI (Server Name Indication) is required from Proxy side (supported in v7.7+)
• Most browsers have supported it for many years
• CLIENT HELLO during TLS sends the Host URL:
Server Name Indication - Test
TMAYER-M-T2AF:iitp tmayer$ openssl s_client -connect
midmarketcioforum.pathable.com:443
CONNECTED(00000003)
62663:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:/SourceCache/OpenSSL098/OpenSSL098-
52.1/src/ssl/s23_clnt.c:585:
Connection without SNI…
…but required by the server
TMAYER-M-T2AF:iitp tmayer$ openssl s_client -servername midmarketciofourm.pathable.com
-connect midmarketcioforum.pathable.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=YVv3G4-n4KOXYXCLfIddFS92BN4-LPum/OU=GT66017752/OU=See
www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated -
RapidSSL(R)/CN=*.pathable.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Server Name Indication – Test (2)
Connection with SNI
HTTPS Logs on WSA – Level “Trace”
Trying TLS 1.0, Server refuses
Trying SSLv3, Server refuses
Testing the Server for a specific Protocol
Check if the Server Supports TLS 1.2
Openssl can test TLS Connection simulating the client side
Testing the Server for a specific Protocol (2)
Yes, it Does!
Testing the Server for a specific Protocol (3)
This is what it looks like when the protocol is not supported…
No, it does not!
Easier to check a Website
• Check a Website for all things around TLS
• Ciphers
• Certificates
• Handshake Simulations
• …
• Powered by Qualys
https://www.ssllabs.com/ssltest/
Common SSL Troubleshooting Steps
• Check your Access Logs
• Look at ACL Decision tags
• Check the destination url on https://www.ssllabs.com/
• Alternative: SSLYZE from https://github.com/nabla-c0d3/sslyze/releases
• Try to access the page directly without the WSA in the Path
• Using curl or openssl
• Try to access the page with the WSA in the Path
• Check the https_logs -> put at least into “debug” mode
• Check the PCAPS
Thoughts around HTTP and TLS
HTTP
• HTTP 1.0
• One Request -> One Response
• “Head of Line” Blocking Problem (like a Supermarket with only one register)
• HTTP 1.1 “Pipelining”
• Multiple Requests sent at once
• Opening more Registers in the Supermarket…
• Still, Responses have to arrive in the order the Requests were sent… Does not solve the “Head of Line” Blocking Problem
• Most Browsers might limit the amount of connections you can send at once.
“Pipelining”
HTTP
Page comes up pretty fast but takes long time to complete:
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
GET picture?user=tmayer <--- takes a long time because of the database lookup
Page does not display anything in the beginning but then displays all in the end:
GET picture?user=tmayer <--- takes a long time because database lookup
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
“Pipelining”
SPDY (“Speedy”)
• Three main enhancements over HTTP 1.1
• Header Compression
• True Connection Multiplexing (on the server),
Request as many connections as you want and receive responses in any order by using only one SPDY Connection
Prioritization of the responses is left to the client
• PUSH Content to the client
Using an existing SPDY connection without the client needing to send a request first. A lighter Version would just send a “Hint”
SPDY & HTTP2
• SPDY Protocol might be a problem for intermediate Gateways, proxies, … as they might not be able to understand it.
• To overcome this problem:
• SPDY is using TLS for tunneling its data between client and server
• Limitations of SPDY
• SPDY uses TLS, no visibility of Gateway, Malware scanners, etc!!
• Multiplexing will only occur on a per host basis
A website that has content from 16 other servers will require the client to open 16 connections
• HTTP/2 Specification is strongly based on input from SPDY & TLS
http://daniel.haxx.se/http2/http2-v1.8.pdf
https://www.ietf.org/blog/2015/02/http2-approved/
HTTP, HTTPS, and HTTP2 Layering
[Diagram labels: http://, https://, https://; 6-8 TCP connections per site; fewer TCP connections]
HSTS
• Protect secure HTTPS Websites against downgrade attacks
• Web Server can signal to the client that only HTTPS is allowed to interact
• This signal is transported using an HTTPS Response Header
• The client behaves as follows
• Automatically turn any http:// links into https:// links
• If the secure connection cannot be assured (ex: Self Signed Certificate is used), do not allow the user to override
• If you want to decrypt using a proxy, a valid CA Certificate is required.
“HTTP Strict Transport Security” - http://tools.ietf.org/html/rfc6797
Certificate Pinning – RFC 7469
• Method to actually compare the Certificate presented from the Server to a “stored” CA Certificate on the Client. Requires a method to ensure the Client is running the latest Version of your Software
• Applies to centrally updated Applications that connect to predictable Servers
• Two ways to do it:
• Incorporate a static list in the application, which of the CA Certificates is expected to be used for signing the server certificate
• Send a new “Header”(HPKP) to signal within the TLS Handshake that the client should PIN a certain public key for a certain amount of time
• Chrome connecting to gmail.com, twitter, FF connecting to mozilla.org
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Example: Firefox
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
0: Pinning disabled
1: Allow User MiTM (with a trusted CA)
2: Strict. Always enforced
3: Enforce Test Mode
Example: Firefox
Strict Pinning
Links for further information
• Internet Draft for specifying a Public Key Pinning in HTTP: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
• OWASP Explanation of Certificate Pinning: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• HSTS “HTTP Strict Transport Security”: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• Public Key Pinning Extension for HTTP: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
• Certificate Pinning RFC 7469: http://tools.ietf.org/html/rfc7469
• Internet Advisory Board – Statement on Confidentiality: https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality
For reading in those nights where you cannot sleep…
Summary
• WSA is working very well with IPv4 and IPv6
• Good way to start getting experience with IPv6
• Enables IPv4 clients to reach IPv6 Destinations
• Collect statistics about IPv6 usage
• WSA supports Kerberos Authentication
• Useful for transparent authentication of non-windows Systems
• Works fine with IPv4 and IPv6
• WSA has detailed decryption capabilities
• Granular policies when to decrypt can be made
• However: Big trend towards many more encrypted connections on the Internet, and everyone who wants to decrypt connections needs to adapt.
Thank you (Vergelts God)