Advanced Deployment of WSA in IPv4 & IPv6 Networks (download.safeplus.pl, Live San Diego 2015)

Date post: 15-Mar-2018
Page 1: Advanced Deployment of Networks - download.safeplus.pl Live San Diego 2015... · standard Wireshark. CLI • Neighbor Cache in IPv6 is equivalent to the arp cache in IPv4 Display
Page 2:

Advanced Deployment of WSA in IPv4 & IPv6 Networks

Tobias Mayer, Consulting Systems Engineer

BRKSEC-3771

Page 3:

Agenda

• WSA in Dual Stack with IPv6 & IPv4

• Kerberos Authentication Deep Dive

• xBQcQ8HVFbUb8vjqQmx7fw== (all about decryption of TLS)

• Conclusion

Page 4:

For Your Reference

• There are (many...) slides in your print-outs that will not be presented.

• They are there “For your Reference”

Page 5:

Angel “Aloisius”

• Some slides have this friendly guy in the right corner

• Those slides are meant to be non-standard advice or tips & tricks

Page 6:

WSA in Dual Stack

Page 7:

IPv4 and IPv6

• IPv4 and IPv6 are two distinct protocols

• It is not possible to directly route between an IPv4 and an IPv6 host – it's simply a different language

• We need someone to “translate” between the two parties so they understand each other

Page 8:

Explicit Proxy

[Diagram: Client – Web Security Appliance – ASA 5500 Firewall – Internet – Internet Web server]

• Client requests a website

• Browser connects first to WSA

• WSA connects to website

• Firewall usually only allows web traffic from the proxy

• DNS Resolution is done by WSA

Page 9:

Explicit Proxy with IPv4 & IPv6

[Diagram: Client – Web Security Appliance – ASA 5500 Firewall – Internet – Internet Web server; the client side and the server side can each be IPv4 or IPv6]

• Client requests a website

• Browser connects first to WSA using IPv4 or IPv6

• WSA does DNS lookup

- A record returned and/or AAAA record returned

• Depending on WSA setting, WSA builds the outgoing connection either on IPv4 or IPv6

Page 10:

Explicit Mode with IPv4 & IPv6

• Setting IPv6 Addresses on the Interfaces

Page 11:

Explicit Mode with IPv4 & IPv6

• Setting IPv6 Routes

Page 12:

Explicit Mode with IPv4 & IPv6

• Setting DNS Servers

Which protocol should be preferred in case an A and an AAAA record are returned?

Page 13:

Packet Capture with IPv6

• Filter can be applied to IPv6 addresses

• Display of packets done via standard Wireshark

Page 14:

CLI

• Neighbor Cache in IPv6 is equivalent to the ARP cache in IPv4

[Callouts on the screenshots: Display the arp-cache; Display the neighbor table]

Page 15:

Transparent Proxy via WCCP

[Diagram: Client – network device with WCCP redirect – Web Security Appliance – ASA 5500 Firewall – Internet – Internet Web server; IPv4 and IPv6]

• Client requests a website

• Browser tries to connect to Website

• Network Device redirects traffic to WSA using WCCP

• WSA proxies the request

• DNS Resolution is done by the Client

Page 16:

WCCP IPv6

[Diagram: VLAN10 – switch – VLAN40 – Internet]

ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:DB8:1:10::66/64
 ipv6 nd ra suppress
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443

Page 17:

WCCP IPv6 & IPv4

[Diagram: VLAN10 – switch – VLAN40 – Internet]

ip wccp 90 redirect-list wsav4
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:DB8:1:10::66/64
 ipv6 nd ra suppress
 ip wccp 90 redirect in
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
!
ip access-list extended wsav4
 permit tcp any any eq 80
 permit tcp any any eq 443

Different service groups for IPv4 & IPv6

Page 18:

WCCP IPv6 & IPv4 – WSA Side of things….

In Dual-Stack Environments, two WCCP Service Groups are required.

Page 19:

WCCP IPv6 & IPv4 – WSA Side of things….

IPv6 Address of the Switch / Router

Page 20:

WCCP with L3 Switch – IPv6 Redirect – Verification

munlab-c6504#sh ipv6 wccp 90 det
WCCP Client information:
        WCCP Client ID:          2001:420:44E6:2013::45
        Protocol Version:        2.01
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Assignment:              MASK
        Connect Time:            00:13:25
        Redirected Packets:
          Process:               0
          CEF:                   0
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Mask Allotment:          4 of 4 (100.00%)
        Assigned masks/values:   1/4

        Mask   SrcAddr  DstAddr  SrcPort  DstPort
        ----   -------  -------  -------  -------
        0000:  ::       300::    0x0000   0x0000

[Callouts on the slide: Version & State; Redirect Method; Assignment Method; Mask Value]

Page 21:

WCCP Dual-Stack with Router – ISR G2

Lab Setup with ISR G2

[Diagram: Internet – router (Gi0) – Fa0 – P1, P2]

ip wccp source-interface GigabitEthernet0
ip wccp 91 redirect-list IPv4-WCCP
ipv6 unicast-routing
ipv6 cef
ipv6 wccp source-interface GigabitEthernet0
ipv6 wccp 90 redirect-list IPv6-WCCP
!
interface GigabitEthernet0
 description WCCP-REDIR
 ip address 172.16.201.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FD00:ABCD:1:2::1/64
 ipv6 nd ra suppress all
!

Page 22:

WCCP Dual-Stack with Router – ISR G2 (2)

Lab Setup with ISR G2

[Diagram: Internet – router (Gi0) – Fa0 – P1, P2]

interface Vlan200
 description WCCP Inside
 ip address 172.16.200.1 255.255.255.0
 ip wccp 91 redirect in
 ipv6 address FE80::1 link-local
 ipv6 address FD00:ABCD:1:1::1/64
 ipv6 nd prefix D00:ABCD:1:1::/64 no-advertise
 ipv6 wccp 90 redirect in
!
interface FastEthernet0
 switchport mode trunk
 no ip address

Page 23:

WCCP and IPv6 - PMTUD

• In IPv6, Fragmentation of Packets is only done by the END-Host.

• Network Devices on the Path are NOT allowed to do any Fragmentation

• Path MTU Discovery is used to determine the MTU on the Path from the Host to the Destination

• Explicit Mode:

• Works straightforward, as the Client (End-Host) talks to the Proxy (End-Host)

• Proxy establishes a new Connection to the Destination Server (Separate Session)

Page 24:

WCCP and IPv6 - PMTUD

[Diagram: Client (VLAN10) – R1 – WCCP switch with WSA (VLAN40) – R2 – Internet]

• Client sends HTTP GET to Destination IP

• Request is intercepted by Switch and redirected to the WSA

• WSA forwards the request to the Destination Server on the Internet. Source IP is now either WSA or Client (with IP Spoofing)

• Traffic sent back to WSA from Server

• WSA forwards traffic to the client, spoofing the source of the Destination Server

Page 25:

WCCP and IPv6 – PMTUD (2)

[Diagram: Client (VLAN10) – R1 – WCCP switch with WSA (VLAN40) – R2 – Internet]

• If a device on the path from WSA to the Client (R1) has a lower MTU, it will send an ICMP Type 3 Code 1 (Packet-too-Big).

• Because the SOURCE IP of the Packet is the DESTINATION Server (WSA is spoofing it…) the ICMP packet too big will not reach the WSA.

• Solution: take care of the MTU size in your internal network

Page 26:

Redundancy using CARP – Common Address Redundancy Protocol

[Diagram: Internet – L2 Network – Virtual IP shared by the WSAs]

• CARP provides virtual IP

• Works with IPv4 and IPv6

• Requires L2 connectivity

• Communication done via multicast

• One master, multiple slaves

Page 27:

Redundancy using CARP (2)

Redundancy Group for IPv4 & IPv6

Page 28:

Redundancy using CARP (3)

Higher Value = Master

Page 29:

Redundancy using CARP (4) – Testing via CLI – “TESTFAILOVERCONFIG”

Page 30:

Redundancy using CARP (5) – Testing via CLI – “TESTFAILOVERCONFIG”

CARP using mcast for keepalive

Page 31:

IPv6 Links to try

• http://www.ripe.net

• Displays your incoming IPv6 Address

• http://test-ipv6.com/

• Check if your Computer is IPv6 capable

• http://sixy.ch

• Search Engine for IPv6 Enabled Websites

• http://loopsofzen.co.uk/

• Game only reachable over IPv6

• http://6only.6now.net/

• Print a T-Shirt with the IPv6 Address you used to reach the Website

• http://6lab.cisco.com

• Check IPv6 Adoption

• http://www.kame.net/

• The dancing turtle…

Page 32:

CARP on Virtual Appliances

• vSwitch will by default drop all requests to any MAC address that is not bound to a physical interface

• Requires to set the Security on ESX to “Promiscuous Mode = Accept”

Page 33:

CARP – Log Files

Logging to be found in the “system_logs”

Page 34:

SPLUNK for WSA with v6 – Leveraging field extractions from the Advanced Reporting App for WSA

Page 35:

Customizing the Access Log

Extremely useful in Dual-Stack Environments to find out whether WSA makes the outgoing connection on IPv4 or IPv6!

[Callouts on the screenshot: Source IP from Client = IPv6; Destination IP = v4]

Page 36:

SPLUNK for WSA with v6

• Extract the Destination IP (previously added to the access_logs)

• Calculate a new field to determine if the address is v4 or v6

Page 37:

SPLUNK for WSA with v6

• Define your searches using the previously defined fields:

[Callouts on the screenshot: Destination IP Version; Source IP Version]

Page 38:

SPLUNK for WSA with v6

• Display the V6 to V6 Connections from the last 24 hours

Example Report #1

Page 39:

SPLUNK for WSA with v6 (2)

• Display the top Domains that are IPv6 enabled together with the Web Category

Example Report #2


Page 41:

SPLUNK for WSA with v6

Take source-ip and resolve DNS Name

DNS Resolution is very helpful with IPv6

Example Report #3

Page 42:

Summary of IPv6 Deployment

• WSA can use IPv4 and IPv6 concurrently

• Setup is done with just a few steps

• If only outgoing is IPv6 enabled, IPv4 clients require zero change

• Easy to make your first step towards IPv6 with the use of WSA!

• Authentication and Decryption work the same with IPv6 as with IPv4

• Transparent redirection via IPv6 requires support of WCCP v2.01

• Take care of MTU size in your network

• Modification of the access log with additional parameters enables good visibility into IPv6 network traffic using tools like SPLUNK

Page 43:

Identity with WSA

• WSA can use CDA for usernames and IP Mapping

• But:

• Using clients with dual-stack you may have many IP addresses

• Clients use one IP address to log on to the AD -> this IP gets mapped in CDA.

• If the client traverses the proxy using another IP address, the firewall has no info about this IP and cannot map the user

• Conclusion: Identity based on IP <-> User mapping does not work well with dual-stack clients

• Need alternative solutions: active authentication like Kerberos

Page 44:

Kerberos Authentication

Page 45:

Kerberos – A Quick Refresher

[Diagram: Client; Key Distribution Center with Authentication Service and Ticket Granting Service; KRB Enabled Web Service]

1. Auth & Request TGT (AS_REQ)

2. Get TGT (AS_REP)

3. Request Service Ticket (TGS_REQ)

4. Get Service Ticket (TGS_REP)

5. Send Service Ticket to Service

6. Use Service

Page 46:

Kerberos and Kerberos Constrained Delegation

• Kerberos Constrained Delegation

• Kerberos usually requires the client and the KDC to be in the same network

• In case this is not possible (think of ASA with a clientless SSL Portal), the ASA can request a TGT and Service Ticket on behalf of the client

• ASA would act as an Authentication Proxy to a “kerberized” application Server in the Backend

• WSA currently supports Kerberos Authentication of clients but not Kerberos Constrained Delegation

Page 47:

Kerberos vs. NTLM

A simplified view…

Kerberos:

• Standard Protocol

• Available on many platforms (MAC, Linux, Windows, iOS, etc.)

• Preferred Protocol by Microsoft

• Less resource intensive

• Authentication in one turn

• Packet is bigger (6-16k)

• Provides SSO for “kerberized” applications

• Client needs to talk to the AD Controller and the Auth Server

NTLM:

• Microsoft proprietary

• Legacy protocol

• Mostly on Windows Systems

• More resource intensive

• Each Server has to authenticate separately with the AD

• Multiple small packets are exchanged

• Only the Authenticating Server needs to talk to the AD Controller

• Can traverse proxies

Page 48:

Configuration on WSA

• If you upgraded from 7.x to 8.x, re-join the domain

• After re-join, the Kerberos Scheme is available

Page 49:

Configuration on WSA (2)

• Edit your Identities to use Kerberos as an authentication Scheme

Page 50:

Multiple Realms within one identity

• WSA can only use one NTLM Realm within one Authentication Sequence

• WSA can use multiple Kerberos Realms in one Authentication Sequence

1. Create each Realm on the WSA

2. Create a sequence on all the Realms

3. Create Identity

[Diagram: WSA with realms W2003, W2008, W2008R2 and W2012, and Client-1 to Client-4]

Page 51:

Configuration on WSA (3)

• Strongly recommended to add %m to the access log (= Authentication Method)

• BASIC. The user name was authenticated using the Basic authentication scheme.

• NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.

• NEGOTIATE. The user name was authenticated using the KERBEROS authentication scheme.

• SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.

• SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility.

• SSO_ISE. The user was transparently authenticated by ISE

• FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing an application.

• GUEST. The user failed authentication and instead was granted guest access.

Page 52:

Client Tickets on a Windows 7 Machine – Command: “klist tickets”

[Callouts on the screenshot: Ticket-Granting Ticket; Ticket for WSA]

Page 53:

Client Tickets with AES Encryption – CSCuo74136, fixed in 8.0.7 / 8.5.0

• Computer Object generated when joining domain has:

- msDS-SupportedEncryptionTypes

- operatingSystemVersion

set to <null>

• Result: Clients requesting Ticket for the WSA Service will get Default Tickets with DES / RC4

• Object msDS-SupportedEncryptionTypes must be set to ‘0x1C’

• OS Version must be ‘6’ or higher

Page 54:

Quick Test from a MAC

[Callouts on the screenshot: Request a Ticket from the Kerberos Domain “MUNSEC.COM”; TGT is displayed]

Page 55:

Quick Test from a MAC (2)

• After requesting access from the WSA we got a Service Ticket for the WSA

[Callout on the screenshot: Service Ticket for access to the WSA]

Page 56:

Quick Test from a MAC (3)

• /System/Library/CoreServices/Ticket Viewer

[Callouts on the screenshot: Request a Ticket from the Kerberos Domain MUNSEC.COM; TGT is displayed]

Page 57:

Example #1 : Join the AD domain with your MAC

• Joining the MAC to the AD Domain will create a computer account on the AD Server

• After successful join, log out and log in again with your AD Account

• When opening Safari, you will get authenticated to the WSA without prompt

• http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf

[Callout on the screenshot: Join the AD Domain]

Page 58:

Kerberos Authentication with WCCP

• When using transparent redirection and Kerberos, non-Windows Clients like MAC OS X sometimes have problems with the redirection

• Make sure the WSA Hostname is the same as the redirection name

• WSA only accepts FQDN as Hostname -> Redirection Name as FQDN might cause trouble with Windows Clients

• Windows Clients require the redirection hostname added to the “Intranet Zone”

Page 59:

IE config for Kerberos

• Add the WSA to the local Intranet Zone and enable automatic logon

Page 60:

Firefox config for Kerberos

• Add the WSA as a trusted URL for Kerberos when prompted:

Page 61:

Example #2: SSO on Ubuntu Linux with Kerberos

[Callout on the screenshot: Install Kerberos User Client]

Page 62:

Demo: Kerberos on Linux

Page 63:

SSO on Ubuntu Linux with Kerberos

TIME! TIME! TIME!

[Callouts on the screenshot: Initialize the User; Show our Tickets]

Page 64:

WSA Logs

[Callout on the screenshot: AD-User Kerberos]

Page 65:

Debugging on the AD Server

• Turn on debugging on the AD Server for Kerberos

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

• Set “LogLevel” to “1” / Set “LogLevel” to “0” de-activates Kerberos debugging

• Windows Events

• 4768: A TGT (Ticket Granting Ticket) was requested

• 4769: A Kerberos Service Ticket was requested

• Both Events log success and failures. Result Codes: https://www.ietf.org/rfc/rfc4120.txt

• Check on the AD Server if the SPNs from the WSA have been registered:
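Page 53 (AES tickets and msDS-SupportedEncryptionTypes = 0x1C), Page 63 (TIME!) and the 4768/4769 events above all come down to reading the result code and the ticket encryption type out of the KDC's events. The Python below is an added example, not from the deck or from Microsoft, that decodes RFC 4120 result codes and encryption types from constructed, simplified event records and flags the two failure modes the deck describes; the record layout, the SPN HTTP/wsa.munsec.com and the account names are assumptions.

```python
import re

# Result codes from RFC 4120 section 7.5.9 (Windows logs them as hex in 4768/4769).
KRB_ERRORS = {
    0x00: "KDC_ERR_NONE (success)",
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found: SPN not registered)",
    0x0E: "KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
    0x12: "KDC_ERR_CLIENT_REVOKED (client credentials revoked: disabled or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication failed: wrong password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED (additional pre-authentication required)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Ticket encryption types as they appear in the 4769 "Ticket Encryption Type" field.
ETYPE_NAMES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS",
               0x12: "AES256-CTS", 0x17: "RC4-HMAC"}
WEAK_ETYPES = {0x01, 0x03, 0x17}

# Bits of msDS-SupportedEncryptionTypes; the deck requires 0x1C on the WSA computer object.
SUPPORTED_ETYPE_BITS = [(0x01, "DES-CBC-CRC"), (0x02, "DES-CBC-MD5"), (0x04, "RC4-HMAC"),
                        (0x08, "AES128-CTS"), (0x10, "AES256-CTS")]

# Constructed, simplified event records (one per line) standing in for the
# Security-log fields of 4768 (TGT request) and 4769 (service ticket request).
EVENTS = """\
EventID=4768 Account=evyncke Service=krbtgt EncType=0x12 Result=0x0 Client=::ffff:10.61.70.30
EventID=4769 Account=evyncke@MUNSEC.COM Service=HTTP/wsa.munsec.com EncType=0x17 Result=0x0 Client=2001:db8:1:10::45
EventID=4769 Account=bart@MUNSEC.COM Service=HTTP/wsa.munsec.com EncType=0x12 Result=0x0 Client=::ffff:10.61.70.31
EventID=4768 Account=lisa Service=krbtgt EncType=0x12 Result=0x18 Client=::ffff:10.61.70.32
EventID=4769 Account=lisa@MUNSEC.COM Service=HTTP/wsa.munsec.com EncType=0x12 Result=0x25 Client=::ffff:10.61.70.32
EventID=4769 Account=homer@MUNSEC.COM Service=HTTP/proxy.munsec.com EncType=0x12 Result=0x7 Client=::ffff:10.61.70.33
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def decode_supported_etypes(value):
    """Expand an msDS-SupportedEncryptionTypes bitmask into cipher names."""
    return [name for bit, name in SUPPORTED_ETYPE_BITS if value & bit]


def supports_aes(value):
    """True when both AES bits are set, as they are in the 0x1C the deck prescribes."""
    return bool(value & 0x08) and bool(value & 0x10)


def describe_result(code):
    return KRB_ERRORS.get(code, "unknown result code 0x%x" % code)


def parse_events(text):
    """Turn the key=value records into dicts with integer EventID/EncType/Result."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["EventID"] = int(rec["EventID"])
        rec["EncType"] = int(rec["EncType"], 16)
        rec["Result"] = int(rec["Result"], 16)
        events.append(rec)
    return events


def triage(events, wsa_spn):
    """List failed requests, and weak (DES/RC4) service tickets issued for the WSA's SPN."""
    findings = []
    for ev in events:
        if ev["Result"] != 0:
            findings.append("%d %s from %s: %s" % (ev["EventID"], ev["Account"],
                                                   ev["Client"], describe_result(ev["Result"])))
        if ev["EventID"] == 4769 and ev["Service"] == wsa_spn and ev["EncType"] in WEAK_ETYPES:
            findings.append("4769 %s got a %s ticket for %s: check msDS-SupportedEncryptionTypes "
                            "on the WSA computer object" % (ev["Account"], ETYPE_NAMES[ev["EncType"]], wsa_spn))
    return findings


if __name__ == "__main__":
    print("0x1C =", decode_supported_etypes(0x1C))
    for finding in triage(parse_events(EVENTS), "HTTP/wsa.munsec.com"):
        print(finding)
```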

Page 66:

Windows Machine Authentication Issue

• Turn off NLA-Service Active Probing

– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

– Set “EnableActiveProbing” to 0

• advancedproxyconfig > authentication… set to 1 sec for machine authentication

Page 67:

Dual Stack with Kerberos

• Windows AD by default does not include the Client IP in the Client Ticket: http://support.microsoft.com/kb/837361

• Ticket can be used for IPv4 & IPv6 Connections

1417685846.682 43 2001:420:44e6:2013:811e:aaa2:287e:f45c TCP_MISS/304 210 GET http://www.ripe.net/favicon.ico "MUNSEC\evyncke@MUNSEC" DIRECT/www.ripe.net - DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",39.07,0,-,"Unknown","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 2001:67c:2e8:22::c100:68b AUTH: 0 DNS: 0 REP: 1 SFBR: 20 CFBWR: 0 AMP: - - - - - -

Page 68:

SPLUNK for Authentication Reports

• Extract the authentication type (add to the access_logs with the %m Parameter)

• Define a simple search

Page 69:

SPLUNK for Authentication Reports

• Display the different Authentication Methods used
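The Splunk reports on Pages 35 to 41 and Pages 68 to 69 all hinge on pulling the client IP, the custom DestIP field and the %m authentication method out of the access log and classifying each address as v4 or v6. The Python below is an added example (not from the deck or from Cisco) that does that offline over constructed sample lines laid out like the slide samples; the regex, the function names and the sample addresses, users and hosts are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real traffic) in the customised WSA access-log
# layout from the deck: standard fields, the "<...>" verdict block, "-", then
# %m (authentication method) and the custom "DestIP:" field added to the log.
SAMPLE_LOG = r"""
1417685846.682 43 2001:db8:1:10:811e:aaa2:287e:f45c TCP_MISS/304 210 GET http://www.example.net/favicon.ico "MUNSEC\evyncke@MUNSEC" DIRECT/www.example.net - DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",39.07,0,-,"Unknown","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 2001:db8:2e8:22::c100:68b AUTH: 0 DNS: 0 REP: 1 SFBR: 20 CFBWR: 0 AMP: - - - - - -
1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT tunnel://www.example.de:443/ "hsimpson@MUNSEC" DIRECT/www.example.de - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","-","Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP: 2001:db8:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -
1414066300.100 80 10.61.70.31 TCP_MISS/200 5120 GET http://legacy.example.org/ "MUNSEC\bart@MUNSEC" DIRECT/legacy.example.org text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",10.0,0,-,"Unknown","-",-,"-",-,-,"-","-"> - NTLMSSP DestIP: 198.51.100.7 AUTH: 0 DNS: 0 REP: 1 SFBR: 20 CFBWR: 0 AMP: - - - - - -
1414066301.100 12 10.61.70.32 TCP_DENIED/407 0 GET http://intranet.example.org/ "-" NONE/- - DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","-","-","-","-",0.0,0,-,"-","-",-,"-",-,-,"-","-"> - GUEST DestIP: - AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - - - -
"""

# Field layout assumed from the slide samples; the "<...>" verdict block is skipped as a unit.
LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"\s+'
    r'(?P<hier>\S+)\s+(?P<ctype>\S+)\s+(?P<decision>\S+)\s+<[^>]*>\s+\S+\s+'
    r'(?P<auth>\S+)\s+DestIP:\s+(?P<destip>\S+)'
)


def ip_version(addr):
    """Classify an address as 'v4', 'v6' or 'none' (the deck's calculated Splunk field)."""
    try:
        return "v%d" % ipaddress.ip_address(addr).version
    except ValueError:          # "-": the request was denied before any upstream connection
        return "none"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_version"] = ip_version(rec["client"])
    rec["dst_version"] = ip_version(rec["destip"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def version_matrix(records):
    """Count flows per (client IP version, destination IP version): the v6-to-v6 report."""
    return Counter((r["src_version"], r["dst_version"]) for r in records)


def auth_methods(records):
    """Count %m values (NEGOTIATE, NTLMSSP, BASIC, GUEST, ...): the authentication report."""
    return Counter(r["auth"] for r in records)


def v6_enabled_domains(records):
    """Destination hosts the WSA actually reached over IPv6: the IPv6-enabled-domains report."""
    hosts = Counter()
    for r in records:
        if r["dst_version"] == "v6":
            hosts[r["hier"].split("/", 1)[-1]] += 1
    return hosts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), n in sorted(version_matrix(recs).items()):
        print("client %s -> destination %s: %d" % (src, dst, n))
    print("auth methods:", dict(auth_methods(recs)))
    print("IPv6-enabled domains:", dict(v6_enabled_domains(recs)))
```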

Page 70:

Kerberos - Summary

• WSA can authenticate users using Kerberos

• Need to re-join the Domain if the “Kerberos” scheme is not displayed

• Windows Clients will automatically try Kerberos first then fall back to NTLM

• Modify your access log with the “%m” Parameter to check the authentication method

• Enables Users to authenticate with non-Windows clients like MAC, LINUX

• Works on IPv4 and IPv6

• Authenticate once and use ticket for multiple sites

• Useful when using several WSA such as with a load balancer* or WCCP

• CARP does not work with Kerberos currently.

* Has to support KDC

Page 71:

xBQcQ8HVFbUb8vjqQmx7fw==

Page 72:

Flow for Decryption

[Flow diagram, reconstructed from the slide labels:]

Identity -> Authentication -> HTTP Proxy -> HTTPS Proxy -> Decryption Policy

Decryption Policy actions:

• Pass: Encrypted Page displayed

• Decrypt: Goto Access Policy; continued evaluation of Access Policies

• Drop: Page blocked; if “Decrypt for EUN” is selected (in 7.7+), Block Page displayed

• Monitor: continued evaluation of Decryption Policies

Access Policy actions (after Decrypt):

• Block: Block Page displayed

• Monitor: Page allowed

• Warn: Warn Page displayed

Page 73:

Flow for Decryption (2)

[Flow diagram, reconstructed from the slide labels:]

Decryption Policy: Monitor -> WBRS Check

• WBRS Check: has Score -> Applications Granular Control (if available) -> Block or Monitor

- Block: Block page displayed

- Monitor: continue evaluation of Access Policies

• WBRS Check: has No Score -> Default Action: Passthrough, Decrypt or Block

Access Policy: Monitor

Page 74:

Certificate installation and usage - recap

• The WSA needs a CA Certificate to be installed (basicConstraints CA:TRUE, key usage keyCertSign)
• Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this!
• After receiving the HTTPS Request, the WSA fetches the Server Certificate from the Destination
• It creates a new Certificate with (nearly) all the fields of the original and signs it with its own CA Certificate
• The CRL distribution point is not copied, because the original CRL would not match the “new” Certificate (serial number and issuer are now the WSA’s, not the origin CA’s)
• The Client needs to trust the Certificate from the WSA
• Use a trusted subordinate CA Certificate (issued by your internal PKI) or roll out your self-signed CA Certificate to the Clients via GPO
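Added example (not from the slides and not the WSA’s own implementation): the re-signing step above in Go, using only the standard library. It builds a constructed origin CA and leaf for www.example.com, mimics the leaf under a constructed “WSA Decryption CA”, and checks the three points of the recap: the mimic validates only for a client that trusts the proxy CA, subject and SANs are carried over, and the origin’s CRL distribution point is not. All names, the CRL URL and the keys are generated on the fly and are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts this demo on the first error; production code would return it.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a P-256 key pair.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// mint signs template with parent and the signer's key (self-signed when parent is nil).
func mint(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewCA builds what the WSA needs uploaded: CA:TRUE plus keyCertSign. A web
// server certificate carries neither, so it cannot sign the mimic certificates.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &key.PublicKey, key), key
}

// MimicCert is the proxy's step after fetching the origin's leaf: copy the identity
// fields (subject, SANs, validity), drop the CRL distribution points (they belong to
// the origin CA and say nothing about this new serial number), use the proxy's own
// key pair for the client-facing leaf and sign it with the proxy CA.
func MimicCert(origin, proxyCA *x509.Certificate, proxyKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	must(err)
	return mint(&x509.Certificate{
		SerialNumber: serial, Subject: origin.Subject, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// CRLDistributionPoints and OCSPServer are deliberately not copied.
	}, proxyCA, &newKey().PublicKey, proxyKey)
}

// chainsTo reports whether leaf validates for host with ca as the only trust anchor.
func chainsTo(leaf, ca *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo builds a constructed origin CA and leaf for www.example.com, mimics the leaf
// under a constructed proxy CA and reports what clients on either side would observe.
func Demo() map[string]bool {
	originCA, originKey := NewCA("Origin CA (constructed)")
	origin := mint(&x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com", "example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.com/origin.crl"}, // constructed URL
	}, originCA, &newKey().PublicKey, originKey)
	proxyCA, proxyKey := NewCA("WSA Decryption CA (constructed)")
	mimic := MimicCert(origin, proxyCA, proxyKey)
	return map[string]bool{
		"mimicChainsToProxyCA":  chainsTo(mimic, proxyCA, "www.example.com"),  // client trusts the proxy CA
		"mimicChainsToOriginCA": chainsTo(mimic, originCA, "www.example.com"), // client trusts only the real CA
		"originHasCRL":          len(origin.CRLDistributionPoints) > 0,
		"mimicHasCRL":           len(mimic.CRLDistributionPoints) > 0,
		"namesCarriedOver":      mimic.Subject.CommonName == "www.example.com" && len(mimic.DNSNames) == 2,
	}
}

func main() {
	for k, v := range Demo() {
		println(k, v)
	}
}
```

The second result is the whole point of the “client needs to trust the WSA certificate” bullet: a client whose trust store only contains the public roots sees the mimic as issued by an unknown authority and fails, exactly the error TAC gets asked about when a server certificate was uploaded instead of a CA certificate.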

Page 75:

Decryption Policy

• Policy can be based on

• Identification Profile (Identity)

• URL Category

• Web Reputation

• Additional Options

Page 76:

Certificate Error Handling

• Default Values provide a good balance between Security and User Experience
• An End-User Notification in case of a “DROP” requires “DECRYPTION”: the block page can only be delivered inside a decrypted session, otherwise the browser just sees a dropped connection

Settings on the WSA

Page 77:

Decrypting Web Category “Search Engines” - Explicit mode

Two access-log entries for one decrypted request (re-joined onto single lines). The first is the CONNECT the browser sends to the proxy, matched by the Decryption Policy (DECRYPT_WEBCAT: decrypted because of the URL category IW_srch, “Search Engines”); the second is the GET inside the now decrypted tunnel, matched by the Access Policy (DEFAULT_CASE). Note the IPv4 client (10.61.70.30) reaching an IPv6 destination (DestIP 2a00:…) through the WSA:

1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT tunnel://www.google.de:443/ "hsimpson@MUNSEC" DIRECT/www.google.de - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -

1414066212.218 204 10.61.70.30 TCP_MISS_SSL/200 29694 GET https://www.google.de:443/?gws_rd=ssl "hsimpson@MUNSEC" DIRECT/www.google.de text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",1164.47,0,-,"Unknown","-",1,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 0 REP: 0 SFBR: 143 CFBWR: 51 AMP: 1 - - - - -

Page 78:

Decrypting Web Category “Search Engines” - Transparent mode

Same flow with transparently redirected traffic (re-joined onto single lines): there is no CONNECT from the browser, so the first entry is the WSA-internal TCP_CONNECT to the destination IP and port, and authentication is NEGOTIATE (Kerberos/NTLM) instead of BASIC:

1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443 "MUNSEC\administrator@munsec" DIRECT/www.startpage.com - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - - - -

1417171197.338 23 172.16.10.30 TCP_MISS_SSL/200 518 GET https://www.startpage.com:443/js/abp.js?adType=1&advertiser=1&advertising=1 "MUNSEC\administrator@munsec" DIRECT/www.startpage.com application/javascript DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Generic Search Engine Traffic","Search Engine","-","-",180.17,0,Local,"Unknown","-",1,"-",-,-,"-","-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 20 CFBWR: 1 AMP: 1 - - - - -

Page 79:

ACL Tag Decoded

DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup

The seven “-”-separated fields of the tag, left to right:

• DECRYPT_WEBCAT_7 - ACL Decision Tag
• DefaultGroup - Access or Decryption Policy
• ID.MUNSEC - Identity
• NONE - Outbound Malware Scanning Policy
• NONE - Data Security Policy
• NONE - External DLP Policy
• DefaultGroup - Routing Policy
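Added example (not part of the slides and not WSA code): a small Go parser for the decision tag and the surrounding access-log fields, run over the three log entries from the previous slides re-joined onto single lines. The split on “-”, the seven-field layout and the verdict prefixes are assumptions about the log format made for this example; policy names containing a hyphen would need a smarter split.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ACLTag is the decoded WSA access-log decision tag, for example
// DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup.
// Assumption: seven "-"-separated fields and policy names without "-".
type ACLTag struct {
	Decision        string // ACL decision tag, e.g. DECRYPT_WEBCAT_7 or DEFAULT_CASE_12
	Policy          string // Access or Decryption Policy group
	Identity        string // Identification Profile
	OutboundMalware string // Outbound Malware Scanning Policy
	DataSecurity    string // Data Security Policy
	ExternalDLP     string // External DLP Policy
	Routing         string // Routing Policy
}

// verdicts maps the decision-tag prefix to what the proxy did with the request.
var verdicts = map[string]string{
	"DECRYPT_": "decrypt", "PASSTHRU_": "pass through", "DROP_": "drop", "BLOCK_": "block",
	"MONITOR_": "monitor", "WARN_": "warn", "REDIRECT_": "redirect", "ALLOW_": "allow",
	"DEFAULT_CASE": "allow (default)",
}

// Verdict returns the action encoded in the decision tag, or "unknown".
func (t ACLTag) Verdict() string {
	for prefix, v := range verdicts {
		if strings.HasPrefix(t.Decision, prefix) {
			return v
		}
	}
	return "unknown"
}

// ParseACLTag splits the tag into its seven policy fields.
func ParseACLTag(tag string) (ACLTag, error) {
	p := strings.Split(tag, "-")
	if len(p) != 7 {
		return ACLTag{}, fmt.Errorf("expected 7 '-'-separated fields, got %d in %q", len(p), tag)
	}
	return ACLTag{Decision: p[0], Policy: p[1], Identity: p[2], OutboundMalware: p[3],
		DataSecurity: p[4], ExternalDLP: p[5], Routing: p[6]}, nil
}

// Entry holds the fields of one access-log line that matter when troubleshooting decryption.
type Entry struct {
	Timestamp, ClientIP, Result, Method, URL, User, AuthScheme, DestIP string
	Tag                                                              ACLTag
}

// Squid-style prefix: time elapsed client result bytes method url user hierarchy mime tag <verdicts> - authscheme DestIP: ip ...
var lineRE = regexp.MustCompile(`^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+("[^"]*"|\S+)\s+\S+\s+\S+\s+(\S+)\s+<.*>\s+\S+\s+(\S+)\s+DestIP:\s*(\S+)`)

// ParseAccessLogLine extracts the troubleshooting fields from one access-log line.
func ParseAccessLogLine(line string) (Entry, error) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, fmt.Errorf("unrecognised access-log line: %.60q", line)
	}
	tag, err := ParseACLTag(m[7])
	if err != nil {
		return Entry{}, err
	}
	return Entry{Timestamp: m[1], ClientIP: m[2], Result: m[3], Method: m[4], URL: m[5],
		User: strings.Trim(m[6], `"`), Tag: tag, AuthScheme: m[8], DestIP: m[9]}, nil
}

// The three entries below are the ones shown on the previous slides, re-joined onto
// single lines (the PDF extraction had wrapped them).
var (
	SampleExplicitConnect    = `1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT tunnel://www.google.de:443/ "hsimpson@MUNSEC" DIRECT/www.google.de - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -`
	SampleTransparentConnect = `1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443 "MUNSEC\administrator@munsec" DIRECT/www.startpage.com - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - - - -`
	SampleExplicitGet        = `1414066212.218 204 10.61.70.30 TCP_MISS_SSL/200 29694 GET https://www.google.de:443/?gws_rd=ssl "hsimpson@MUNSEC" DIRECT/www.google.de text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",1164.47,0,-,"Unknown","-",1,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 0 REP: 0 SFBR: 143 CFBWR: 51 AMP: 1 - - - - -`
)

func main() {
	for _, l := range []string{SampleExplicitConnect, SampleTransparentConnect, SampleExplicitGet} {
		e, err := ParseAccessLogLine(l)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-11s %-40s auth=%-9s verdict=%-15s policy=%-12s identity=%s dest=%s\n",
			e.Method, e.URL, e.AuthScheme, e.Tag.Verdict(), e.Tag.Policy, e.Tag.Identity, e.DestIP)
	}
}
```

Running it over a real accesslog (one line per call) answers the usual first question in an SSL ticket, which policy actually fired, without reading the tag by eye: the CONNECT/TCP_CONNECT line carries the Decryption Policy decision, the GET inside the tunnel the Access Policy decision.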

Page 80:

WSA, Authentication and SSL

• In Explicit mode, the browser sends a „CONNECT host:port“ request to the WSA, so the WSA learns the destination host name and port before a single TLS byte is exchanged
• WSA replies with „407 Proxy Authentication Required“ and the client repeats the CONNECT with credentials
• At this time, WSA has the following information:
  - destination host
  - user agent
  - user credentials verified
• WSA can decide whether to decrypt based on:
  - Destination Host
  - User Agent
  - Proxy Port
  - Subnets & Time Range

Page 81:

WSA, Authentication and SSL (2)

• In Transparent mode, there is no “CONNECT” but a “TCP_CONNECT”
• Since the Client is not aware of the WSA, it starts a TCP connection to the remote server
• The connection is redirected to the WSA and the client starts its HTTPS/SSL handshake directly, as if talking to the server
• At this point the WSA only knows the destination IP and port
• The WSA sends an HTTPS “probe” (its own Client Hello) to the destination to get the “Server Hello” and the server certificate

Page 82:

WSA, Authentication and SSL (3)

• With the server certificate, the WSA has knowledge of:
  - Client IP
  - Destination IP
  - Server Certificate
  - The Common Name (CN) from the server certificate is used as the request URL and thus for URL category matching
• Based on this information the WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
• All information normally sent in the HTTP header (Cookies, User Agent, Mime-Type etc.) is encrypted inside the tunnel and thus not available to the WSA at this point.

Page 83:

WSA, Authentication and SSL (4)

• Should we decrypt? Very often based on URL Category... (think of finance websites...)


Page 85:

WSA, Authentication and SSL (5)

• Finding out the correct URL Category....
• Solution: the proxy uses SNI (Server Name Indication) from the client’s Client Hello (supported in v7.7+)
• Most browsers have supported it for many years
• The CLIENT HELLO at the start of the TLS handshake carries the host name in the server_name extension, so the WSA can categorise the request before it has seen the server certificate:

Page 86:

Server Name Indication - Test

Connection without SNI…

TMAYER-M-T2AF:iitp tmayer$ openssl s_client -connect midmarketcioforum.pathable.com:443
CONNECTED(00000003)
62663:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.1/src/ssl/s23_clnt.c:585:

…but required by the server: it answers the SNI-less Client Hello with a handshake_failure alert

Page 87:

Server Name Indication – Test (2)

Connection with SNI (note the typo in the -servername value; the server still completed the handshake and presented its *.pathable.com wildcard certificate). The “verify error:num=20” only means the local OpenSSL has no trust store with the GeoTrust root; it is not a server-side problem:

TMAYER-M-T2AF:iitp tmayer$ openssl s_client -servername midmarketciofourm.pathable.com -connect midmarketcioforum.pathable.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=YVv3G4-n4KOXYXCLfIddFS92BN4-LPum/OU=GT66017752/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=*.pathable.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
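Added example (not from the slides): a Go program that sits where the WSA sits in transparent mode. A real crypto/tls client starts a handshake into an in-memory pipe; the “proxy” end reads only the first record (the Client Hello) and parses the server_name extension out of it, which is all a transparent proxy has in hand before it can match a URL category. With an empty ServerName the client sends no SNI at all and the proxy is left with the destination IP only. The host name is the one from the openssl test above; no network connection is made and nothing here is WSA code.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// truncated is raised by take and turned into an error at the top of ExtractSNI,
// which keeps the parser below linear instead of one error check per field.
type truncated struct{}

// take removes and returns the first n bytes of *b.
func take(b *[]byte, n int) []byte {
	if n < 0 || len(*b) < n {
		panic(truncated{})
	}
	out := (*b)[:n]
	*b = (*b)[n:]
	return out
}

func u16(b []byte) int { return int(binary.BigEndian.Uint16(b)) }

// ExtractSNI parses one TLS record carrying a ClientHello and returns the host_name
// from its server_name extension, or "" when the client sent no SNI at all.
func ExtractSNI(rec []byte) (sni string, err error) {
	defer func() {
		if r := recover(); r != nil {
			if _, ok := r.(truncated); !ok {
				panic(r)
			}
			sni, err = "", errors.New("truncated ClientHello")
		}
	}()
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // handshake record, ClientHello
		return "", errors.New("not a TLS handshake record carrying a ClientHello")
	}
	rest := rec[9:]
	b := take(&rest, int(rec[6])<<16|int(rec[7])<<8|int(rec[8])) // ClientHello body
	take(&b, 34)                  // client_version(2) + random(32)
	take(&b, int(take(&b, 1)[0])) // session_id
	take(&b, u16(take(&b, 2)))    // cipher_suites
	take(&b, int(take(&b, 1)[0])) // compression_methods
	if len(b) == 0 {
		return "", nil // no extensions block at all (very old clients)
	}
	exts := take(&b, u16(take(&b, 2)))
	for len(exts) > 0 {
		typ := u16(take(&exts, 2))
		data := take(&exts, u16(take(&exts, 2)))
		if typ != 0 { // 0 = server_name (RFC 6066)
			continue
		}
		names := take(&data, u16(take(&data, 2))) // server_name_list
		for len(names) > 0 {
			nameType := take(&names, 1)[0]
			name := take(&names, u16(take(&names, 2)))
			if nameType == 0 { // host_name
				return string(name), nil
			}
		}
	}
	return "", nil
}

// ProbeSNI plays the WSA's position: a real crypto/tls client starts a handshake
// towards one end of an in-memory pipe and we capture the first record it writes,
// which is all a transparent proxy has before choosing a decryption policy.
// An empty serverName mimics a client (or a proxy probe) that sends no SNI.
func ProbeSNI(serverName string) (string, error) {
	clientEnd, proxyEnd := net.Pipe()
	defer proxyEnd.Close() // aborts the client handshake once the ClientHello is captured
	go func() {
		c := tls.Client(clientEnd, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
		_ = c.Handshake() // errors out when proxyEnd closes; only the first flight matters here
		clientEnd.Close()
	}()
	hdr := make([]byte, 5) // record header: type(1) version(2) length(2)
	if _, err := io.ReadFull(proxyEnd, hdr); err != nil {
		return "", err
	}
	body := make([]byte, u16(hdr[3:]))
	if _, err := io.ReadFull(proxyEnd, body); err != nil {
		return "", err
	}
	return ExtractSNI(append(hdr, body...))
}

func main() {
	for _, host := range []string{"midmarketcioforum.pathable.com", ""} {
		sni, err := ProbeSNI(host)
		fmt.Printf("client ServerName=%q -> SNI seen by the proxy=%q (err=%v)\n", host, sni, err)
	}
}
```

The same parser works on the first bytes of a client-side PCAP of a transparent deployment: if the SNI comes back empty, the WSA has to fall back to the CN of the probed server certificate, and a server that requires SNI (like the one in the openssl test) will refuse the proxy’s SNI-less probe as well.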

Page 88:

HTTPS Logs on WSA – Level “Trace”

Trying TLS 1.0, Server refuses

Trying SSLv3, Server refuses

Page 89:

Testing the Server for a specific Protocol

Check if the Server supports TLS 1.2: openssl can test the TLS connection, simulating the client side

Page 90:

Testing the Server for a specific Protocol (2)

Yes, it Does!

Page 91:

Testing the Server for a specific Protocol (3)

This is how it looks when the protocol is not supported…

No, it does not!

Page 92:

Easier to check a Website

• Check a Website for all things around TLS

• Ciphers

• Certificates

• Handshake Simulations

• …

• Powered by Qualys

https://www.ssllabs.com/ssltest/

Page 93:

Common SSL Troubleshooting Steps

• Check your Access Logs
• Look at the ACL Decision tags (they tell you which Decryption and Access Policy fired)
• Check the destination URL on https://www.ssllabs.com/
• Alternative: sslyze from https://github.com/nabla-c0d3/sslyze/releases
• Try to access the page directly without the WSA in the path
• Using curl or openssl (openssl s_client shows the certificate chain and the negotiated protocol)
• Try to access the page with the WSA in the path
• Check the https_logs -> put them at least into “debug” mode
• Check the PCAPs (compare the client-side and the server-side handshake: when decrypting, the WSA terminates one TLS session and opens a second one)

Page 94:

Thoughts around HTTP and TLS

Page 95:

HTTP

• HTTP 1.0
  • One Request -> One Response
  • “Head of Line” Blocking Problem (like a Supermarket with only one register)
• HTTP 1.1 “Pipelining”
  • Multiple Requests sent at once on the same connection, without waiting for each Response
  • Opening more Registers in the Supermarket… (browsers also open several parallel connections per host)
  • Still, Responses have to arrive in the order the Requests were sent…. Does not solve the “Head of Line” Blocking Problem: one slow response holds up everything queued behind it
  • Most Browsers limit the number of parallel connections they open to one host

Page 96:

HTTP “Pipelining”

Page comes up pretty fast but takes a long time to complete:

GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
GET picture?user=tmayer <--- takes a long time because of the database lookup

Page does not display anything in the beginning but then displays all at the end (the slow response is first in the queue and blocks the two fast ones behind it):

GET picture?user=tmayer <--- takes a long time because of the database lookup
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast

Page 97:

SPDY (“Speedy”)

• Three main enhancements over HTTP 1.1
• Header Compression
• True Connection Multiplexing (on the server): send as many requests as you want and receive the responses in any order over only one SPDY connection. Prioritization of the responses is left to the client
• PUSH Content to the client, using an existing SPDY connection without the client needing to send a request first. A lighter version would just send a “Hint”

Page 98:

SPDY & HTTP2

• The SPDY Protocol might be a problem for intermediate gateways, proxies, … as they might not be able to understand it.
• To overcome this problem: SPDY is using TLS for tunneling its data between client and server (the protocol is negotiated inside the TLS handshake, NPN and later ALPN, so an intermediate box just sees TLS)
• Limitations of SPDY
  • SPDY uses TLS: no visibility for gateways, malware scanners, etc. unless they decrypt!!
  • Multiplexing will only occur on a per host basis. A website that has content from 16 other servers will require the client to open 16 connections
• The HTTP/2 Specification is strongly based on input from SPDY & TLS
  http://daniel.haxx.se/http2/http2-v1.8.pdf
  https://www.ietf.org/blog/2015/02/http2-approved/

Page 99:

HTTP, HTTPS, and HTTP2 Layering

Diagram on this slide (not recoverable from the text): the protocol stacks for http://, https:// and HTTP/2 over https://. HTTP/1.x needs 6-8 TCP connections per site; HTTP/2 multiplexes over fewer TCP connections.

Page 100:

HSTS

• Protects HTTPS Websites against downgrade attacks (stripping the connection back to plain http://)
• The Web Server can signal to the client that only HTTPS is allowed to interact with it
• This signal is transported in an HTTPS Response Header (Strict-Transport-Security: max-age=…; includeSubDomains); a client must ignore it on plain HTTP responses
• The client behaves as follows
  • Automatically turns any http:// link into an https:// link for the remembered host (and its subdomains, if includeSubDomains is set), until max-age expires
  • If the secure connection cannot be assured (e.g. a self-signed or otherwise untrusted Certificate is presented), it does not allow the user to override the error
• If you want to decrypt using a proxy, a CA Certificate trusted by the client is required; otherwise HSTS sites simply become unreachable through the proxy

“HTTP Strict Transport Security” - http://tools.ietf.org/html/rfc6797
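Added example (not from the slides and not browser code): the client behaviour listed above as Go, standard library only. It parses Strict-Transport-Security, keeps a per-host store that ignores the header on plain HTTP responses and forgets a host on max-age=0, and performs the http:// to https:// rewrite including includeSubDomains, the explicit-port-80 rule and max-age expiry. Hosts, header values and the fixed clock are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is what a client remembers after a valid Strict-Transport-Security
// header arrived over a trusted HTTPS connection (RFC 6797).
type HSTSPolicy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// ParseHSTS parses the header value. max-age is mandatory; max-age=0 means
// "forget this host" and is reported as ok == false without an error.
func ParseHSTS(value string, now time.Time) (p HSTSPolicy, ok bool, err error) {
	maxAge := int64(-1)
	for _, d := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			if maxAge, err = strconv.ParseInt(strings.Trim(val, `" `), 10, 64); err != nil || maxAge < 0 {
				return p, false, fmt.Errorf("invalid max-age %q", val)
			}
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if maxAge < 0 {
		return p, false, errors.New("max-age directive missing")
	}
	p.Expires = now.Add(time.Duration(maxAge) * time.Second)
	return p, maxAge > 0, nil
}

// HSTSCache is the per-host store a browser (or a proxy emulating one) keeps.
type HSTSCache map[string]HSTSPolicy

// Learn records or forgets a host. RFC 6797 requires clients to ignore the header
// on plain HTTP responses, so it only counts when it was received over TLS.
func (c HSTSCache) Learn(host, header string, overTLS bool, now time.Time) error {
	if !overTLS {
		return nil
	}
	p, ok, err := ParseHSTS(header, now)
	switch {
	case err != nil:
		return err // a malformed header leaves the existing entry untouched
	case ok:
		c[strings.ToLower(host)] = p
	default:
		delete(c, strings.ToLower(host)) // max-age=0 forgets the host
	}
	return nil
}

// Upgrade rewrites an http:// URL to https:// when its host, or a parent domain
// stored with includeSubDomains, is a known and unexpired HSTS host. Matching is
// done on DNS labels, so notexample.com never inherits example.com's policy.
func (c HSTSCache) Upgrade(raw string, now time.Time) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "http" {
		return raw, false
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	for i := range labels {
		p, found := c[strings.Join(labels[i:], ".")]
		if !found || !p.Expires.After(now) || (i > 0 && !p.IncludeSubDomains) {
			continue
		}
		u.Scheme = "https"
		if u.Port() == "80" { // RFC 6797 section 8.3: an explicit port 80 becomes 443 (host names only, no IP literals)
			u.Host = u.Hostname() + ":443"
		}
		return u.String(), true
	}
	return raw, false
}

// Demo replays a constructed sequence: a policy learned over HTTPS, a header that
// must be ignored over plain HTTP, and the upgrade decisions that follow.
func Demo() map[string]string {
	now := time.Date(2015, 6, 10, 12, 0, 0, 0, time.UTC)
	c := HSTSCache{}
	_ = c.Learn("example.com", "max-age=31536000; includeSubDomains", true, now) // over HTTPS: stored
	_ = c.Learn("insecure.test", "max-age=31536000", false, now)                 // plain HTTP: ignored
	out := map[string]string{}
	for _, raw := range []string{"http://example.com/login", "http://www.example.com:80/a?b=1", "http://insecure.test/", "http://notexample.com/"} {
		out[raw], _ = c.Upgrade(raw, now)
	}
	out["after expiry"], _ = c.Upgrade("http://example.com/", now.Add(366*24*time.Hour))
	return out
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-35s -> %s\n", k, v)
	}
}
```

The proxy angle: once a client has stored such a policy, a decryption proxy whose CA the client does not trust cannot even fall back to an “accept the risk” click; the browser refuses outright, which is why the untrusted-CA case shows up as a hard failure only for HSTS sites.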

Page 101:

Certificate Pinning – RFC 7469

• Method to compare the Certificate (more precisely, a public key in its chain) presented by the Server to a “stored” expected key on the Client, instead of trusting whatever the local CA store allows. Requires a method to ensure the Client is running the latest Version of your Software
• Applies to centrally updated Applications that connect to predictable Servers
• Two ways to do it:
  • Incorporate a static list in the application of which CA (or leaf) public keys are expected in the server certificate chain
  • Send a new HTTP response header (HPKP, Public-Key-Pins) over a validated HTTPS connection, telling the client to PIN certain public key hashes for a certain amount of time. The header travels in the HTTP response, not inside the TLS handshake
• Chrome connecting to gmail.com, twitter, FF connecting to mozilla.org
  https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
• A proxy that decrypts with its own CA breaks pins unless the client exempts locally installed CAs (browsers do this for user-added roots; see the Firefox setting on the next slide). HPKP has since been withdrawn from the major browsers; the static pin lists remain.

Page 102:

Example: Firefox

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Preference security.cert_pinning.enforcement_level:

0: Pinning disabled
1: Allow User MiTM (pins are not enforced when the chain ends at a user-added trusted CA; the default)
2: Strict. Always enforced
3: Enforce Test Mode

Page 103:

Example: Firefox

Strict Pinning

Page 104:

Links for further information

• Internet Draft for specifying Public Key Pinning in HTTP (became RFC 7469): http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
• OWASP Explanation of Certificate Pinning: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• HSTS “HTTP Strict Transport Security”: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• Certificate Pinning RFC 7469: http://tools.ietf.org/html/rfc7469
• Internet Architecture Board – Statement on Internet Confidentiality: https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality

For reading in those nights where you cannot sleep…

Page 105:

Summary

• WSA is working very well with IPv4 and IPv6
  • Good way to start getting experience with IPv6
  • Enables IPv4 clients to reach IPv6 Destinations
  • Collect statistics about IPv6 usage
• WSA supports Kerberos Authentication
  • Useful for transparent authentication of non-Windows Systems
  • Works fine with IPv4 and IPv6
• WSA has detailed decryption capabilities
  • Granular policies for when to decrypt can be made
  • However: there is a big trend towards many more encrypted connections on the Internet (HTTP/2, HSTS, pinning), and everyone who wants to decrypt connections needs to adapt.

Page 106:

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Page 107:

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 108:

Thank you (Vergelt’s Gott)
