pan-os ssl decryption
-ssl/tls sessions can be decrypted and inspected to enforce security policy
decryption types
- ssl forward proxy (outbound)
- ssl inbound inspection
- ssh decryption
certificate chain of trust
- hierarchical list of certificates used to authenticate
- if a device contains the certificates of the root ca and intermediate ca it can verify a certificate within the chain of trust
certificate verification steps
- determine chain of trust
- validate each certificate based on: valid signature, valid expiry date, no malformation or corruption, not revoked
certificate revocation reasons
- compromised key
- failed verification
preferred way to acquire a certificate in pan-os
- generate a certificate signing request (csr)
- have the csr signed by a ca
csr process
- generate csr on device
- sign identity info with private key
- send csr to ca
- ca signs and returns the csr
- signed request is installed on device
certificate deployment option 1
-obtain a signing certificate from a third party ca
certificate deployment option 2
-use an internal ca to issue a signing certificate to the firewall
certificate deployment option 3
-generate a self signing certificate
ssl forward proxy decryption
- decrypts and inspects ssl/tls traffic from internal users destined for external web servers
- firewall first requests and verifies the external servers’ certificate, resulting in connection between firewall and server
- firewall then signs the server’s certificate with its own and sends it to the client
- the client verifies the firewall’s certificate, resulting in a connection between the client and firewall
- if the server does not present a trusted certificate the firewall signs with untrust certificate and a block page is generated
- the user can choose to proceed or terminate
ssl inbound inspection
- used to check ssl connections from external hosts for threats
- firewall requires copy of server’s public and private keys which allows the firewall to decrypt traffic in both directions
- a decryption policy rule can be defined to inspect incoming ssl/tls connections
ssl inbound inspection unsupported applications
- apps that use client side certificates
- non-rfc-compliant apps
- servers using unsupported cryptographic settings
no decryption
- a decryption profile can be used to enforce minimum ssl security without having to decrypt the traffic
- sessions with expired certificates, or untrusted issuers will be blocked
wildfire threat intelligence cloud
- unknown file and url links from web traffic and email are automatically sent to wildfire threat intelligence cloud servers
- the cloud analyses and generates malware signatures and verdicts
- files can also be manually uploaded to wildfire for analyses
wildfire markings
- benign, does not exhibit malice
- greyware, similar to malware but is not considered malicious
- malware
- phishing
