SSL and network monitoring aren’t the most compatible of partners – even with the most sophisticated detection infrastructure in the world, you’ll not derive many useful indicators from the barren randomness of encrypted traffic. Consider the plight of the Sguil sensor shown below:
The webserver’s use of SSL means that network-based incident detection is problematic. No amount of tuning of the sensor’s Snort instance will help it detect intrusion attempts – the only traffic it will see is HTTPS. Also, if an incident is detected by other means (e.g., customer notification, web server log file monitoring, etc.) the investigative value of Sguil’s full packet capture is greatly diluted.
There are a number of ways to get back the visibility stolen by SSL, including the following. You could:
Terminate the SSL “in front of” the webserver, perhaps on a reverse-proxying loadbalancer or web application firewall. You can then monitor the decrypted traffic between the loadbalancer and the webserver.
Perform monitoring tasks on the webserver itself, perhaps by increasing the level of web and application logging.
Give your existing sensor platforms the means to decrypt the SSL sessions.
We first need to understand a little about the mechanics of SSL decryption; you can read about it in depth here. In a nutshell there are two conditions that must be met before we can proceed:
The server must be using the RSA key exchange mechanism. if you’re using DSA keypairs or the Diffie-Hellman key exchange mechanism you’re probably out of luck.
You must have access to the server’s private RSA key, and be able to copy it onto your Sguil sensor.
The latter point means that the only SSL decryption we’re going to be able to pull off is decryption of traffic to and from servers that we own – we’re not going to be able to magically decrypt arbitrary SSL traffic (darn!) However, this is quite adequate from the viewpoint of intrusion detection and network forensics.
Where are the Keys?
Getting the server’s private key onto the Sguil sensor could take a bit of work. The key might be stored in a .pem file somewhere on the server, making it child’s play to copy it to the Sguil sensor. However, certain operating systems like Windows store certificates and keys in a “certificate store” instead of .pem files. In order to get the private key, we need to first export the certificate and key together as a PKCS12 file (read about that here). Once we’ve got the exported certificate, we can proceed to extract the private key using openssl like this:
When prompted, enter the password you gave when you exported the certificate and key. The file myExportedCertificate.pem will contain a block of text that looks like this:
A word of warning
As noted your server’s private key is a very sensitive thing indeed. With it, an attacker can decrypt the server’s SSL traffic or use it together with the server’s certificate in order to masquerade as a legitimate site. You must take extreme care with the handling of the private key – don’t leave copies of it lying around in temporary directories, make very sure it doesn’t end up on the Internet by accident, and make certain that the Sguil sensor you copy it to is as locked down as much as possible. Leaking a private key is too high a price to pay for visibility into your SSL traffic.
Hi all, I have an ASA 5525x with PC-A on the INSIDE network with IP address 10.20.32.40. PC-B is in DMZ with an IP address of 10.20.30.10. The security level for INSIDE is 100 and DMZ is 50. I have rules to allow PC-A to communicate with...
Something change on the incoming mail policy.We want to change the configuration of the anti-spam policy for positive spam- from deliver to quarantine , but the option is not exist ,I can only choose - deliver ,drop ,bounce.Can any body explai...
Hello, We have certain teams that have very limited ISE GUI permissions for both Menu and Data. The purpose is to give them as simple an interface as possible but enable them to add/edit/delete endpoints that will have access to their specific networ...
Hello Everyone, I am working in an organization and want to create a server for Virtualization, i really do not have so much knowledge about the servers and know anything about Server Virtualization. Please help how what to look for in servers for virtual...
Hi,we have ISP1 and ISP2. There is metric 1 for ISP1 and metric 2 for ISP2. both ISP are in separate zone. when i create flexconfig for specific souce with ISP2 which is not working and still hitting ISP1 only.\ i have configured below flexconfig.1. ...