What is Radware all about?
Eliminate blind spots of SSL encrypted communication to/from the enterprise
Maintain the privacy of information in transit
Compliance and regulatory need for information disclosure
– Log all information access details (what, who, when and from where)
– Prevent unauthorized (source or destination) data communication
Prevent data leakage of business critical information
Prevent ingress of malware and advanced persistent threats
– through SSL encrypted channels
Monitor traffic to/from cloud applications and services
– Enforce the organization’s data privacy policies on cloud applications as well
Key Drivers for Inspecting Outbound SSL Traffic
Gain visibility into SSL traffic
• For inbound traffic, where the organization owns the SSL key
• For outbound traffic, where the organization does not own the SSL key (inspection therefore requires re-signing server certificates with a CA the clients trust)
Transparent traffic inspection
• Seamless deployment with no proxy settings to change on the user’s client (the inspection CA must still be trusted by the client, see step 8)
• Enables inspection of traffic with various profiles (not just SSL traffic on port 443)
Support more than one security solution
• Enable security service chaining (e.g. DLP, anti-malware, intrusion detection)
• Flexible security policies – per service, user profile etc.
• Minimal latency impact
• Even when security solutions suffer from outages
Scalable solution
• Capable of supporting multiple gigabits of SSL traffic
Challenges & Requirements
[Diagram: WAN | Perimeter | LAN]
Transparently intercept target data flows and decrypt SSL traffic
Steer traffic to security appliances
Re-encrypt traffic, to maintain privacy
SSL Inspection – Deployment Modes
Transparent Proxy device
– Usually used for application level protection
• Anti-virus, anti-bot, anti-malware, WAF
– HTTPS traffic from the client is decrypted and forwarded to the VAS
– VAS is configured at L3 (routed) for IPS analysis
No-MAC (bridge) device
– Usually used for network level protection (anti-DDoS)
– HTTPS traffic from the client is decrypted and forwarded to the VAS
– VAS is configured as a transparent L2 device (no IP connectivity from Alteon to the VAS)
SSL Inspection Lab Setup
Demo setup: Client PC, Alteon v30.2.0 and up with the SSL license activated, VAS, Web server.
Note: For the web server, use any web server you are comfortable with that serves HTTPS.
To simulate the VAS, use any Linux-based server with IP forwarding enabled.
Client IP: 192.168.100.2, GW: 192.168.100.1
Web Server IP: 10.0.0.80, GW: 10.0.0.1
VAS IP: 20.20.20.20, GW: 20.20.20.1
Configuration Steps
1. Set IP interfaces and VLANs for the Web server, Client and VAS
2. Set frontend and backend SSL policies
3. Set a real server for the VAS and assign it to a server group
4. Create a “redirect” filter from the client to the VAS
5. Create an “allow” filter from the VAS to the server
6. Enable the filters on the client/server/VAS ports (port processing)
7. Create a new certificate for SSL inspection
8. Load the certificate into the client’s browser trusted CA certificates
1. Set IP and VLAN for Interfaces
Configure an IP address and VLAN for all interfaces
• Set interfaces for Client, Server and VAS
• Set the IP address for each interface
• Set the VLAN for each interface
2. Frontend SSL Policy Configuration
2.1 Frontend SSL policy
• Configure an SSL policy for the frontend SSL traffic from local clients to Alteon
• Frontend SSL Encryption – Enable (Alteon terminates the client’s TLS session)
2.2 Disable backend SSL in the frontend policy
• Backend SSL Encryption – Disable (the decrypted traffic is forwarded to the VAS in clear text for inspection)
2. Backend SSL Policy Configuration
2.3 Backend SSL policy
• Configure a second SSL policy for the backend SSL traffic
• Frontend SSL Encryption – Disable (traffic arriving from the VAS after inspection is clear text and needs to be encrypted again)
2.4 Backend SSL encryption
• Backend SSL Encryption – Enable: this is the outbound traffic that is re-encrypted after the VAS has inspected it
• Set the SSL ciphers and the allowed SSL/TLS versions; restrict them to TLS 1.2 or later where the web server supports it, since the backend session is the one that crosses the untrusted path
3. Configure Real Server for VAS
3.1 Create Real Server
• Create a real server and set its IP address
3.2 Create Real Server Group
• Create a real server group and assign the created real server to the group
4. Filter from Client to VAS
4.1 Create the redirect filter from the client to the VAS
Match settings: this filter matches any HTTPS traffic coming from the client on port 443 and redirects it to the VAS
• Create a new filter
• Set Action – Redirect
• Set Protocol – TCP and Application – HTTP
• Set destination parameters:
  • IP address/Network – Any
  • Mask – 0.0.0.0
  • Application port/Range start – 443
  • Application port/Range end – 443
4.2 Action settings
• Set Delayed Bind – Forceproxy
• Set Real Server Port – 80 (the VAS receives the decrypted traffic as plain HTTP)
• Set Return to Last Hop – Enable
• Set Reverse Session – Enable
• Set Hash Based Group Metrics – Both
4.3 SSL settings
• Set SSL Inspection – Enable
• Set SSL Policy – select the frontend SSL policy created in step 2
5. Filter from VAS to Web Server
5.1 Create the filter from the VAS to the Web server
Match settings: this filter matches the plain HTTP traffic coming back from the VAS on port 80 and re-encrypts it so that it reaches the web server as HTTPS
• Create a new filter
• Set Action – Allow
• Set Protocol – TCP and Application – HTTP
• Set destination parameters:
  • IP address/Network – Any
  • Mask – 0.0.0.0
  • Application port/Range start – 80
  • Application port/Range end – 80
5.2 Action settings
• Set Delayed Bind – Forceproxy
• Set Real Server Port – 443
• Set Return to Last Hop – Enable
• Set Reverse Session – Enable
5.3 SSL settings
• SSL Inspection – Enable
• Select the backend SSL policy created in step 2
6. Port Processing Configuration
Client port processing:
• Enable Filter/Outbound LLB
• Add the “Client to VAS” filter
VAS port processing:
• Enable Filter/Outbound LLB
• Add the “VAS to Server” filter
Server port processing:
• Enable Filter/Outbound LLB
6. Port Processing Configuration – Summary Table
Port     Filter/Outbound LLB   Filter applied
Client   Enabled               Client to VAS
VAS      Enabled               VAS to Server
Server   Enabled               (none listed)
7. New Certificate For Inspection
7.1 Create a new certificate repository entry
For SSL inspection to operate, Alteon needs a CA certificate whose private key it holds, such as a self-signed CA certificate generated on Alteon. It is used to dynamically sign the dummy server certificates presented to clients. Protect that private key: anyone who obtains it can impersonate any HTTPS site to every client that trusts this CA.
• Set the Certificate ID
• Set the common name
7.2 Generate the certificate
• Generate the certificate
7. Certificate Repository – Outcome
7.3 Set the SSL Inspection parameters
• Select the key defined in the previous step
• Select the Signing CA Certificate defined in the previous step
8. Client Certificate Settings
8.1 Export the certificate
Under SSL configuration:
• Export the certificate to a file
• Load the certificate into the client’s browser trusted CA certificates
8.2 Add the certificate to the client’s PC
Under Control Panel > Internet Options > Content > Certificates, select Trusted Root Certification Authorities and import the file. This applies to IE and Chrome, which use the Windows certificate store; Firefox keeps its own certificate store and needs the CA imported separately.
Dummy VAS Configuration
In order for traffic to be forwarded to the VAS and back to the server, a Linux-based server can be used to simulate the VAS.
Configure the Linux server to forward (simulating router functionality) all incoming traffic back to Alteon.
Use the command “sysctl -w net.ipv4.ip_forward=1” to enable IP forwarding. Note that this setting does not survive a reboot unless it is also written to sysctl.conf or a file under /etc/sysctl.d/.
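The following script brings up the dummy VAS described above. It is added here as an example and is not part of Radware's material. It assumes the VAS is 20.20.20.20/24 on interface eth0 with Alteon at 20.20.20.1 (the lab addressing); both are environment variables. Besides enabling ip_forward it persists the setting, points the default route at Alteon so every forwarded packet comes back for re-encryption, and provides a check you can run after a reboot.

```shell
#!/bin/sh
# Dummy VAS bring-up for the SSL inspection lab (added example, not Radware code).
# Assumptions: the VAS has one interface (eth0, 20.20.20.20/24) and its only
# gateway is the Alteon interface 20.20.20.1; override with environment variables.
ALTEON_GW="${ALTEON_GW:-20.20.20.1}"
VAS_IF="${VAS_IF:-eth0}"

# Kernel settings the dummy VAS needs. ip_forward is the one the slide gives;
# the send_redirects settings are a belt-and-braces choice for a box that sends
# every packet back out the interface it arrived on: it must never advertise a
# "shorter path" to the client or server, because the only valid path is via Alteon.
vas_sysctl_settings() {
    printf 'net.ipv4.ip_forward=1\n'
    printf 'net.ipv4.conf.all.send_redirects=0\n'
    printf 'net.ipv4.conf.%s.send_redirects=0\n' "$VAS_IF"
}

# Apply the settings now and persist them across reboots (needs root).
apply_vas_settings() {
    vas_sysctl_settings | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
    vas_sysctl_settings > /etc/sysctl.d/90-dummy-vas.conf
    # Everything that is not local is routed back to Alteon, so both the
    # decrypted client->server and server->client flows return for re-encryption.
    ip route replace default via "$ALTEON_GW" dev "$VAS_IF"
}

# Returns 0 when the kernel is forwarding, 1 otherwise.
vas_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Returns 0 when the default route points at Alteon.
vas_route_ok() {
    ip route show default 2>/dev/null | grep -q "via $ALTEON_GW "
}

case "${1:-}" in
    apply) apply_vas_settings ;;
    check) vas_forwarding_enabled && vas_route_ok && echo "dummy VAS ready" ;;
esac
```

Run `sh dummy-vas.sh apply` once as root, then `sh dummy-vas.sh check` after any reboot; if the VAS ever gets a second interface, also review rp_filter, since the client and server source addresses arrive on the Alteon-facing link and must route back out the same way.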
Check SSL Inspection
Connect to the web application: from the client’s browser, connect to the web server (https://10.0.0.80).
The “Issued By” field is now based on the CN and Organization of the inspection certificate generated by Alteon and configured as the “Signing CA Certificate”. If the browser still shows the web server’s original issuer, the flow is not passing through the inspection path (check the filters and port processing).
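The same check can be scripted from the client so it can be repeated for many destinations. The script below is an added example, not Radware code: it fetches the served certificate and reads the issuer straight out of the DER, so it works before the inspection CA is installed on the client (ssl.getpeercert() returns parsed fields only when chain verification succeeds). The host 10.0.0.80 and the CA common name Alteon-Inspect-CA are lab placeholders passed as arguments; constructed_cert builds a structurally valid but unsigned certificate purely so the parser can be exercised offline.

```python
"""Client-side check that an HTTPS flow is being SSL-inspected: the served
certificate must be issued by the Alteon signing CA (added example)."""
import socket
import ssl
import sys

OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organizationName


def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content octets of a SEQUENCE/SET into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out


def issuer_of(der):
    """Return {'CN': ..., 'O': ...} from the issuer Name of a DER X.509 cert."""
    cert = _children(der)[0][1]             # Certificate SEQUENCE content
    tbs = _children(cert)[0][1]             # tbsCertificate content
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # [0] EXPLICIT version is optional
        fields = fields[1:]
    issuer = fields[2][1]                   # serial, signature alg, issuer, ...
    attrs = {}
    for _, rdn in _children(issuer):        # Name = SEQUENCE OF SET OF ATV
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == OID_CN:
                attrs["CN"] = value.decode("utf-8")
            elif oid == OID_O:
                attrs["O"] = value.decode("utf-8")
    return attrs


def inspection_active(der, signing_ca_cn):
    """True when the served certificate was minted by the inspection CA."""
    return issuer_of(der).get("CN") == signing_ca_cn


def fetch_leaf_der(host, port=443):
    """Fetch the server's leaf certificate as DER without trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # diagnostic only: no chain validation
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed test fixture: a structurally valid, unsigned certificate ---
def _enc(tag, content):
    """DER-encode one TLV (short and one/two-byte long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def constructed_cert(issuer_cn, issuer_o):
    """Constructed DER cert with the given issuer; no real key or signature."""
    def atv(oid, text):
        return _enc(0x30, _enc(0x06, oid) + _enc(0x0C, text.encode()))

    def name(cn, o):
        return _enc(0x30, _enc(0x31, atv(OID_O, o)) + _enc(0x31, atv(OID_CN, cn)))

    # placeholder AlgorithmIdentifier (sha256WithRSAEncryption, NULL params)
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"250101000000Z") + _enc(0x17, b"260101000000Z"))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00" * 17))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + name(issuer_cn, issuer_o) + validity + name("10.0.0.80", "Lab") + spki)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 17))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.80"
    ca_cn = sys.argv[2] if len(sys.argv) > 2 else "Alteon-Inspect-CA"
    leaf = fetch_leaf_der(host)
    print("issuer:", issuer_of(leaf))
    print("inspected" if inspection_active(leaf, ca_cn) else "NOT inspected (bypass?)")
```

Run it from the client as `python3 check_inspection.py 10.0.0.80 <signing CA common name>`. "NOT inspected" on a flow that the redirect filter should catch means the filter or port processing is not matching it. Because the script sets CERT_NONE it deliberately validates nothing, so treat it as a diagnostic, not as a trust decision.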
SSL Inspection – No-MAC Device (Two-Leg IPS Mode)
Demo setup: Client PC, Alteon v30.2.0 and up with the SSL license activated, and a VAS in IPS (transparent L2) mode connected between two Alteon ports; client traffic enters Alteon on port 5.
IP Interface for VAS Traffic
Set an IP interface for VAS ingress traffic. In this deployment mode the user’s decrypted traffic is sent between two Alteon ports, with the VAS listening on the link between them and inspecting the traffic. “Dummy” interfaces need to be set up to pass the traffic.
• Set the interface ID
• Set the IP address, mask and VLAN
Create Dummy Real Server for VAS traffic
• Create a real server for ingress VAS traffic
• Under IDS, set the specific port through which all traffic will be forwarded
Create Dummy Real Server for VAS traffic
• Create a real server for egress VAS traffic
• Under IDS, set the specific port through which all traffic will be forwarded
Create Real Server Group
• Create a real server group
Create new Health Check
• Create a new logical-expression health check based on ARP and Link to monitor the VAS links
Create Real Server Group
• Assign the ARP & Link health check to the server group
Add Static ARP
• Add a static ARP entry so that Alteon can pass traffic from the ingress VAS port 7 to the egress VAS port 9: the dummy real server’s IP address is mapped statically to Alteon’s own MAC address
Port Processing Configuration
• Enable filter on client port 5
• Select the “client to VAS” filter, which redirects all HTTPS traffic to the VAS