Driving to Best Practices by Overcoming SSL Decryption Complexities (T1164)

Captions
So I think we can get started, almost five minutes past, and so we'll go five minutes over, and I'll try to make sure we can leave some time for our Q&A towards the end.

A quick introduction about myself. My name is Mandeep Singh Sandhu, product line manager at Palo Alto Networks. I look after App-ID, SSL decryption and some of the Panorama infrastructure features. Today what we are talking about is: what are some of the best practices for our customers to adopt SSL decryption, get away from the complexities, deal with some of the issues. So I've structured the presentation in a way where we'll do a quick poll, then we'll go through some of the recent things happening in the industry, then we'll talk about the decryption profile, then we'll talk about decryption policies, and then we'll talk about some of the challenges customers can face with SSL decryption, and we'll have some time for Q&A towards the end. Sounds good? Okay, let's get started.

So, a quick poll, quick raise of hands. What are your plans for SSL decryption in the near future? So how many of you are in option A? Okay, about 10 hands. Option B? Okay, just two people. I have a picture a few slides down, by the way, that might relate to you somewhat. C? I'm curious about C. We have three to four, okay. D? Everybody, right? Awesome. This is why I love Europe, you guys do it. If I were to ask this question in the US it's probably the same number of hands for B. I lived in Europe for seven years before moving to the US, so I'm always biased a little bit. How about option E? Thank God. Okay.

How many here are doing forward proxy, outbound? Most of us. Okay, inbound, anybody? Okay, that's not bad. Option C? Okay, still a few people, with GDPR, still doing C. Interesting. Last one, option D, how many of you are doing that? How many of you have heard of that? Okay. Anybody here, a quick raise of hands, who has 10 to 12 different devices for security, and there's something doing decryption and sending traffic to those devices? Anybody? Like a security stack, service chain? Okay.

This is my third question. So for those of you who have no plans, or maybe you struggled: what is keeping you away from SSL decrypt? Performance? Anybody worried about performance? Okay, five to six people. Legal issues? Okay, I can't fix those, by the way, but good to know. Time and effort? Because we have infinite time in the world and infinite resources. And last but not least, applications breaking? Okay. There's one more: is anybody not planning to do decryption because of GDPR? Great, I think we can skip through ten slides now based on this poll.

So talking of GDPR: if you take the entire GDPR standard and you up-level it at a very high level, it achieves three things. It achieves three things for users. It essentially gives users more control of their data, so it gives them privacy and data protection; that's number one. Number two is it makes the enterprises and organizations, technology companies, have more responsibility for the data they own. This includes even companies like us, but this definitely includes the likes of Google, Facebook and even enterprises: what do you do with that data? And last but not least, transparency: if there is a breach that ever happens in one of these companies they have to report that publicly, they cannot withhold that information. So we all know this, right? I mean, you guys have probably read the standard multiple times.

And what does SSL decrypt give you? SSL decrypt gives you the foundation that we believe is the right philosophy for getting network security. It gives you complete visibility. It reduces the attack surface, because once you have complete visibility you can go and build policies. It prevents known threats, and it also helps you prevent the unknown threats, because if you do not have decryption and you have the WildFire profiles attached, you're not really picking out any files from the TLS traffic and sending them up to WildFire. However, if you do have SSL decrypt on, you are actually picking out files and sending them to WildFire, converting unknown threats to known threats.

Now let's look at some of the recent trends. So a few things happened in the last few years, and when I say last few years you can think of starting from 2015. One thing that happened around 2015 is that HTTP/2 became a standard. HTTP/1.1 had been around for a really long time, and Google created a protocol called SPDY which became HTTP/2. They took it to the IETF. It gave performance benefits to anyone who owns an HTTP/2 server, made things faster for the end user. Once that happened, something interesting also happened, because HTTP/2 can only be delivered inside SSL: no browser supports HTTP/2 otherwise, and most servers... the standard says there could be cleartext HTTP/2, but most implementations are based inside SSL or TLS.

The other thing that has happened in the last two to three years is the adoption of TLS 1.3 and it becoming a standard, and as you can see, based on these statistics, close to 20 percent of the websites today use TLS 1.3. One thing that also happened while these things were happening is that there's a company by the name of Let's Encrypt where it becomes super simple to get certificates for your website. So all these trends together, specifically HTTP/2 and Let's Encrypt, led to a rise in the amount of SSL traffic.

Now TLS 1.3 does some interesting things. It essentially takes the TLS 1.2 protocol and makes it faster, more secure, more efficient, and the way it does that is it shortens the handshake; it takes the 60 cipher suites that are available in 1.2 and simplifies that down to five. If you have fewer choices you're less likely to make a mistake, which improves security. And it does a lot of things for user privacy, which has ramifications for the enterprise security industry.

HTTP/2, on the other hand, is very different from HTTP/1.1. So if you look at this picture, it's basically like a comparison of two different types of candy. What HTTP/2 can do is it can take a single TCP socket, TCP session, and within the same TCP session it can put different applications. So if you use Google Chrome for instance, or any browser for that matter, and you're going to Gmail, and in a second tab you have Google Drive open, and on the third tab you have YouTube where you're watching cat videos: if you have these three open at the same time, and if you go to developer mode inside Google Chrome, you will actually see that all these three tabs are pinned to the same TCP session. Now that makes things challenging, right? That could be like, okay, so if it's the same TCP session, what's the application? What's the URL category? And none of that is a problem unless you decrypt, by the way, because if you're not decrypting it's just a TLS connection.

So what we did in 9.0, just to level set here on what we can do for these recent industry trends, is that we came out with HTTP/2 inspection built natively into our firewalls. What it does is that as soon as you turn on SSL decryption on the firewall, in forward proxy or in any of the supported modes, we automatically go and apply your existing policy on all these different sessions. So even if you have three tabs open for Google Drive, Gmail and YouTube, and if you download something malicious in Google Drive, we will kill only that session while your YouTube video and your Gmail will continue to work. And the way we do it, we do it completely transparently. You don't have to go and read the RFC of HTTP/2 to understand how it works; unless, you know, you don't have a life like me and you like reading RFCs, you can do that, but it's completely natively built into the product. And the reason I talk about it here is it's important to understand how we are evolving ourselves as the internet is evolving with these protocols.

Now when it comes to TLS 1.3 there are a few things that we can do today. So first of all, just some data points here: HTTP/2 became a standard in 2015 and it's 2019
now. Every site that runs HTTP/2 also runs HTTP/1.1. We suppose a similar trend will happen with TLS 1.3; it's not like TLS 1.2 will cease to exist by next year or overnight, so they'll continue to work. So today, if you turn on decryption, we downgrade the connection to 1.2 without breaking it, without reducing security either. However, we are looking at it from a technology point of view, and very soon, hopefully by next Ignite, we'll have an answer and a slide as awesome for TLS 1.3 as we have for HTTP/2. But the main thing to understand for 1.3 is it can be decrypted; it's not one of those protocols where you cannot do anything about it. The other thing to understand is: anyone who's doing passive decryption, where they were collecting data and then using your server's private key to go back and look into it, that's not going to be possible anymore with 1.3. However, inline decryption is still possible.

The other thing here about TLS 1.3 is there's a lot of news about the encrypted SNI. So encrypted SNI is still a draft, it has not become a standard. Some of the CDNs implemented it, and they've done some recent experiments and recent research where a lot of things broke with encrypted SNI, even for the CDNs. There is a way to negotiate it out: if you remove the DNS request, if you can talk to your DNS connection before the encrypted SNI, so there are ways to basically work around that. And encrypted SNI is still not a reality, and we are closely monitoring that. I wanted to kind of get that out of the way in the beginning so that when we are going through some of the best practices you guys are not, you know, thinking about that all the time.

So we all know this, that most of the traffic on the Internet today is encrypted. This is a statistic from Google Chrome from April this year, and as you can see close to 80% of the traffic is encrypted now, and some of the reasons for this rise in encrypted traffic are what we just discussed, you know, HTTP/2, Let's Encrypt and so forth and so on. The other thing that has also risen along with the amount of encrypted traffic is the number of phishing attacks, and it's pretty interesting that there is, you know, a correlation between these two statistics, because encryption is a double-edged sword, right? It gives benefits to the end users in terms of privacy, but it also makes the attacker's job a lot easier, because he knows that not everybody is going to go look inside a TLS connection, not everybody has the capabilities to decrypt. So "I can, you know, just use SSL for command and control, I can use SSL for dropping something malicious into an enterprise, or harvesting credentials", which still remains the number one way of attacking.

So what we can do about it is this: we can basically have no plans for SSL decryption, which is fine, but then it's also accepting the fact that ignorance is bliss; if you don't know what's going on, it's easy to say that there is nothing going on. Or you can embrace reality. So what I have here is actually a traffic report I'm running, where I'm showing all the threats that are seen inside decrypted traffic. You can actually run this on your firewalls: if you write a custom report where you put a flag that says "show me all the threats which are critical or high and the session is a decrypted session", you will get interesting data. The reason I bring it up here is sometimes it's very important for network administrators to show the value of turning on SSL decryption to the execs: what does this get me, why should I go and do this, or why should I give you money to go invest into achieving this, be it headcount, be it other things. And this could be a good way to explain that.

So let's look at some of the best practices now that we have kind of set some context and stage around this. So what I wanted to give here as an example was something we did within Palo Alto Networks. We turned on SSL decryption across our entire company, across all our offices, all the different locations, over I think a period of about a year, and this is a cookbook that we went through which kind of worked for us. Just to give you an idea of scale: today we are about 7,000 people at Palo Alto Networks spread across the world. Our biggest offices are of course in the US, in Santa Clara, but we have a very big office in Amsterdam here; we also have big offices in APAC, in Singapore, in Japan.

So the approach that we took was that the first thing that you want to do is a controlled rollout. You don't want to go and implement SSL decryption carte blanche for everyone, because that may shorten your career span, let me put it that way. So you first want to go through the approval process. This involves a lot of discussion with your legal counterparts in your company on what the risks are here, if there are any, and what should be considered the right legal approach. The second piece of this, which is very important, is identifying users. My favorite users, if I was to do this, would be developers, because they are the hardest people to satisfy. They will never be happy, they're extremely intelligent, and if you can make it work for them I think you will be able to make it work for other people. They will have a lot of scripts that run inside SSL, they will have a lot of non-standard SSL traffic, so starting with that helps. Also, it is important to have a diverse user set, not just go with developers and only fix it for them. What we did at Palo Alto Networks is, when we started this project, there were some people from our R&D, developers, product managers, there were people from marketing, and there were people from other departments. Once you identify your user set, you establish PKI, then you start writing policies, and then you see what happens, what works, what does not work. Once you've run this controlled experiment, you replicate it across different locations and you continue expanding it.

So how do you start, how do you lay the foundation? The first thing that I want to talk about for laying the foundation is: please do this. When you go back home today, well, not home, but after Ignite finishes this week and you go back to your offices, please go block QUIC. Nothing's going to break, because Google Chrome will automatically start using TCP. The best way to go about blocking QUIC: you have two options. You can either use the App-ID we have called quic, but a better approach is just to block port UDP 443. If you block UDP 443, no other application uses it, unless you have one of those developers who built an application 10 years ago to use UDP 443; hopefully you don't. Please do this, because even if you're not decrypting and you're not doing this, you're losing visibility into a lot of traffic. We can identify pretty much every single Google application or Facebook application without decryption. At a higher level, we can tell you that someone's going to Gmail versus someone's going to YouTube or someone's going to Google Drive. Without QUIC we can do that; with QUIC everything looks like QUIC. So even if you're not planning to implement decryption you should still do that; if you're planning to implement decryption you definitely should do this. Now, having said that, it does not mean that this will never become a protocol which will become more popular. We are not saying that. I think from a technology point of view it's an amazing idea. What the industry, or the likes of Google and the IETF, are thinking is that the Internet of the future will be running on UDP instead of TCP, which is a big statement to make. So it's still going through its motions; it's not a standard yet, it's still an RFC, it's still a draft, and we are closely monitoring it. But for now we recommend to customers that security is more important, so please do this.

Okay, so once you do that, the next thing you have to do: you have two options. You can either create a self-signed certificate or you can import your enterprise-level PKI. Most likely you'll do the latter, you'll import your enterprise-level certs. However, if you do create a self-signed cert, you have the option to create RSA or ECDSA certs. You can create both. ECDSA will give you better performance than RSA and more security, because the key size is smaller, and we can pick whichever one to use based on the destination server.

Once you've done that, the other important thing to understand is the concept of the forward trust and forward untrust certificate. So you'll have two types. You'll have the forward trust certificate, which is this (sorry, I clicked twice, I guess). This essentially is the impersonated certificate for all the trusted sites that a user is going to, which are legitimate sites, you know, like Gmail, Facebook, Office 365, Twitter or whatnot, and you would want the user experience to be very smooth, you don't want them to get a lot of popups. And then you also have something called the forward untrust certificate, which is basically: if they're going to an untrusted site, you do want to warn them that they're going to an untrusted site, and you want to use different certificates for that; you don't want to use the same certificate for both purposes. Now your trusted root cert goes inside the trusted root store on Windows, or on your MacBooks, or whatever you're using, and the untrust one: you do not want to install the untrust certificate in that store, because you actually do want your users to get a warning if they're going to an untrusted site. Okay, so remember that.

Now, once you have either created these certificates or imported them, what is the best way to integrate with existing PKIs? The best way to go about it is that you can use your forward trust as a subordinate CA to your corporate root CA. The reason we recommend customers do this is because the amount of work you will have to go through is minimal; most of your endpoints will already have this root imported on the endpoints, so you don't have to go through that extra step of pushing this out, unless you're creating self-signed certificates. If you are doing that, and you have to go through that work, it's important to remember that for all those browsers, you know, the trusted CA store is the Windows store. There's one browser missing there, which is my favorite. How many of you use Firefox? Okay, so you guys like living on the bleeding edge, and maybe some memory leaks. But if you do use Firefox, the store for Firefox is built into the browser. There's a knob that you can turn on for Firefox so that it can default to the Windows store. Firefox also is one of the interesting browsers that starts implementing any technology before any other browser. You can install this cert across your endpoints using one of these methods; there may be more, this is what we came up with. You can use GlobalProtect, you can use Active Directory Certificate Services, if you're using the likes of MacBooks like our IT is you can use Jamf, you can use MDMs, and there's an open source tool called SaltStack that you can use to also push these out.

Now, once you have done that, the next step is the decryption profile. So what are the security outcomes for the decryption profile? I wanted to talk, for every one of the best practices, about what the value of doing that best practice is; it's important to understand why you're doing that rather than just going and doing it. So security profiles give you three things at a very high level. They protect users from going to bad sites. There are multiple ways of protecting users from going to bad sites, you can use URL filtering, you can use other techniques, but this is also one of the techniques. It also gives you a lot of control on what cipher suites should be negotiated, what TLS version should be there. And last but not least, it also helps you tune application behavior, and I'll show you how.

Before I go into the next slides, a quick question: how many of you here have used HTTP header insertion, that we released in 8.1? Two to three hands. Okay, and I'll tell you why I asked that.

So how do you protect users from going to bad sites? This is what our recommendation is for the best practice. It has changed from last year a little bit, because last year I think we also had this thing checked. (No, this works, but let me try again. Oops. Yeah.) So the reason I have marked this as unchecked is because a lot of applications have started using client authentication, and I don't think we should tell our customers to completely block those, because if applications break, users will complain and you will not really implement decryption. And I'll come back to that option later. But what's important is to block all those things: the expired certificates, untrusted issuers, versions, cipher suites. You can also block these depending upon what you want your security posture to be; this is if the system is running out of memory.

The other thing you can do is have granular control on ciphers. So please don't allow any TLS version less than 1.2; hopefully you're already doing that. We only recommend allowing ECDHE as the key exchange algorithm, and these as the encryption algorithms, and these as the authentication. Okay.

Then let's talk about tuning application behavior, or controlling it, and we have two slides around that. So first is the no-decryption portion of the SSL decryption profile. It's a little interesting, because we have "no decryption" inside something called SSL decryption. What this helps you do is that even if you're not doing SSL decrypt, you can still create this decryption profile and put it on your decryption policy. This is the number one way of blocking anonymizers, and I've tested this multiple times with X-VPN or Psiphon or Ultrasurf or Tor. If you just do that, I think you block at least 50 to 60 percent of their traffic. You have to do other things to completely block it, but this comes in pretty handy. So that's why I'm talking about it: this alone can give you a lot of advantages, and blocking anonymizers is just one thing it will do, but it will also stop your users from going to bad sites even without having to decrypt. Very powerful. This is going to change when TLS 1.3 happens. Can anybody tell me why? Okay, so the cert will already be verified for the server? It's not that. The reason it won't work with 1.3 is the certificate is encrypted. So the certificate is encrypted, you can't really do this, which means you need to decrypt to look at the cert, and that's a reality we have to embrace. But guess what, with 80% of the sites it'll still work today, so use it while it lasts: 20% of sites are using 1.3, 80% are still using 1.2.

I was asking about HTTP header insertion. The reason I asked about that is, HTTP header insertion, when we built it, it was in 8.1; then we built a capability in 9.0 called HTTP/2, which is supporting that. However, there's only so much time and resources; we do not support inserting HTTP headers inside HTTP/2 streams. So if you're using HTTP header insertion in 8.1 and you're planning to upgrade to 9.0, and you are using HTTP header insertion to differentiate between Gmail personal and Gmail corporate, or you are using the Office 365 "only my tenant" capability, then when you upgrade to 9.0, please check this flag, specifically for Google, not for Office 365; Office basically is still not using HTTP/2, by the way. And the reason is that this will downgrade the connection to 1.1 only for that specific decryption policy, so that you can continue to use HTTP header insertion. When we created HTTP/2 as a capability, we did not support it for some features, like header insertion, like Clientless VPN, so we wanted to give users flexibility where they can still use those capabilities by downgrading to 1.1. The users will not have any visibility into this; it'll be completely transparent to the users. So that's the decryption profile.

The next thing, which is the most important thing to talk about here, is
decryption policy the reason I need to look at my phone is they don't have a timer here so so decryption policy what are Gold's some of the goals of decryption policy what are the security outcomes so you want to hit these outcomes you wanna have compliance you want to balance security and privacy and you also want to balance security and performance and how do you do that and to understand that we need to talk about your l filtering and what we have done in 9.0 so in 9.0 we came out with multi Ural category support so every for every year L we can have up to four year old categories what we also did we added because now you can have multi util category we also added risk per URL so we can identify a URL as high risk medium risk or low risk depending upon our own intelligence driven from pandb on if this specific domain top-level domain has seen malicious activity or not if it has seen malicious activity in the last 30 days its high if it has seen it in the last 60 dates it's it's medium and if not it's low there are however some exceptions some hard rules where some types of websites will always be considered medium risk an example of that is file sharing sites Dropbox box office we say Google Drive onedrive we will never mark them as low risk there will always be medium risk and the reason behind that is the likelihood of a malicious file being on one of those sites is very high now what happens when you take these two things when you take the multi category and combine it with risk so we even extended this concept to custom URL category so so far today before 9 or when you write a custom util category you write a bunch of URLs and you say this is my custom URL category so we improved that to basically now say that you can take you can make something called custom ittle category match where you can combine these two aspects so you can have blogs and you can combine risk with that so you can say blogs per high risk or high risk blog sites you can even combine card 
like two different categories to create a new category like we don't have a category for medicinal marijuana but you can actually combine medical and one more category I forgot to combine to make that category but combining risk with an existing category will help you do some interesting things in SSL decryption and I'll talk about why so we all know about the sensitive Ural categories correct I suppose most of you here are not decrypting these anybody here decrypting these on the top you're decrypting all of them interesting we should catch up after we finish so the other thing to look into this is that if you are not decrypting these because of legal compliance reasons you can now combine it with risk to make this decision a little different you may not want to decrypt these categories but you may be able to convince your CI or C so that if someone's going to a high risk financial site or a high risk shopping shopping site we should actually decrypt this traffic so the way you do that is you create a custom util match category by combining two different categories example here is that I've created something called low risk shopping there's no such thing as low risk shopping by the way like you always lose money happens all the time but what I mean here is that things like Amazon or you know I don't know a European shopping site I guess Media Markt or Bolcom the likelihood of something malicious going on there is very low so you can you you can be okay - actually not decrypt those but you you want to decrypt everything else because someone could be using one of those shopping sites to harvest credit cards so how do you put this in policy so so one example is that balancing compliance with security which we just talked about you created that custom middle category now you can actually in your no diecut policy you can basically say well I don't want to decrypt financial services government health and medicine legal but also low-risk shopping another way you can use 
this is to balance performance with security you can basically say how many Game of Thrones fans here Game of Thrones if you're a Game of Thrones fans and if you're in Barcelona you should go to Girona they actually did a lot of scenes in Girona by the way Agora now I know what's the right pronunciation the reason I talk about Game of Thrones here is like you will not really get a lot of security benefit if you are decrypting someone's game of thrones traffic first of all like you shouldn't be watching Game of Thrones value at work but maybe you are do you really want to put all the processing power of the firewall into decrypting Netflix or HBO now or one of these other streaming services you may want to do that but really other than giving you visibility and reporting into how much bandwidth you're wasting on streaming it wouldn't really give you any security values so you may be okay to say okay you know what I want the most value out of my investment I don't want to decrypt anything which are streaming related or which is low-risk streaming so you'll be able to take out the likes of Netflix but anything which is streaming side and which is malicious you'll still be able to protect your users from going to those sites okay so this is how you write policy where the URL filtering with nine auto with risk-based categorization it helps you write more intelligent policies it helps you write the strike balance across performance and security so a good start now another way of looking at it would be okay you have your node decrypt rule on the top and law of customers and there were a few hands that went up in the morning when I asked like how many of you are okay about starting decryption we are not saying that go back from ignite on Monday and turn on SSL decryption for everything we were always suggesting that first decrypt then create your some users who don't want to be decrypted and decrypt everything else now instead of that you can do don't decrypt your 
sensitive categories, just go and decrypt high-risk or medium-risk. You will cover all file sharing activity between high risk and medium risk; you will cover all malicious sites, which you could completely outright block. You'll be able to decrypt, you'll be able to get experience, get confidence, and once you get enough confidence you can move to this final goal where we are decrypting everything else. So the risk-based URL categorization now gives you a very good starting point. You can in fact even start with high risk, to be honest: if you just want to show the value to your exec staff, just start with high-risk URLs, run that traffic report, and then come back and turn it on for high risk and medium risk, and then at one point get here, where you're decrypting everything except those exceptions. We will talk about decrypt bypass as part of troubleshooting, on what do you mean by decrypt bypass.

Okay, so another thing I want to talk about before we move into the challenges and troubleshooting is: how many of you have heard of DoT, DoH? Okay. DoT and DoH are DNS over HTTP and DNS over TLS respectively, new inventions of course from our favorite companies Google and Mozilla, turned on inside Firefox by the way. What it does is it basically takes your DNS traffic and puts it inside TLS; DoH puts it inside regular TLS traffic on port 443, and it becomes a problem. It solves also a problem, where you know it gives more privacy to your users and to some degree stops the Internet service provider from selling your targeted advertisements, but for enterprises it also makes you blind for that DNS traffic. So our recommendation on how you can block this DoH traffic is: you can either use App-ID, which will block all publicly known DoH resolvers, or you can decrypt this traffic and then definitely you can block it. DoT is a little easier to handle because it uses a standard port, 853, so if you want to block DoT you can just block it by port 853. In either case your browser will downgrade to using standard DNS; it will not literally break your users, by the way. We get a lot of questions on this, so I wanted to talk about that.

So what are some of the challenges? Generally when our customers turn on SSL decryption, a few things go wrong, right? First is decryption breaks, applications break, and the reasons applications break are, at a high level, three: one is mutual authentication, incomplete certificate chain, certificate pinning. Incomplete certificate chain doesn't happen that often anymore because companies have fixed that, but very common is mutual auth and certificate pinning. So how do you fix these problems, or how do you deal with them? For mutual authentication: mutual authentication is a concept where generally when you go to a server, you're authenticating the server, if it is legitimate, but in some cases the server may also want to authenticate the client. Now this never happens on normal web browsing traffic because it's just impossible to do it there, because now the server would have to remember the identity of about 7 billion people that live on this planet. However it is very easy to do when you're not using a browser but you're using a thick client, Skype for Business for instance; you have many other clients on your mobile devices that can do this, where the client is also authenticating itself. Now if you have that option checked, it will automatically block these sessions; however if you don't have that checked it will continue to work, but in the logs you'll be able to go and see that there is a session and the failure reason was cert validation. This is when you know that okay, these connections are failing because of mutual authentication, and you can go and remediate these. We're gonna make this a lot simpler very soon; I completely acknowledge that troubleshooting decryption is very time-consuming and we are actively working on something
which will make this a lot simpler for all our customers. So what happens if you don't have that checked is that we will add this to the SSL exclude cache. This is different from the exclude list: if it's added to the exclude cache the first time, we will remember it and any subsequent connections will not break, they will continue to work because there's a cache, and here it says bypass decryption for this, and this is the command to see that.

Incomplete certificate chain: so about two percent of the top 140,000 domains still have incomplete certificate chains. These are not the most common sites, by the way; you will not have these problems from the most popular sites. However if you do have this checked, which you will always have, which is the best practice, when you go to a site with an incomplete certificate chain you will get this error. To remediate this, a lot of browsers have started fixing these themselves, so the likes of Chrome, Firefox, they fix this problem themselves. If you still run into a situation where this is not fixed, you can fix it like this by adding the trusted root CA for the subordinate CA. However if this is a non-sanctioned application please do not allow the traffic, and the likelihood of this happening for a very popular application is pretty much zero; it's only at sites where the admins are somewhat lazy, and you know you don't need this problem.

However, what is more common and happens all the time is this, and this is different from mutual authentication: SSL pinning. There were two types of pinning back in the day, and when I say back in the day, things changed about a year back. There was SSL certificate pinning, where a company that has created an application, for instance on your mobile phone or in your browsers when you have a fat client, they tell the application to only create a connection if you see a certificate from Google, from Apple or from a specific entity; if you see anything outside of that, don't connect, just break it. There used to be
another pinning called HPKP, which was pinning implemented through the browser, where there was an idea that you could do this for websites. HPKP got obsoleted about a year back, so you don't have to worry about that. This is still there and this is becoming more common; this is becoming more common as more and more applications, you know, have the mobile versions, and on tablets it's become super common. Since Android 7 plus, so please use Apple like I do for better security and privacy, I'm just kidding. Android 7 plus, anything that uses Android 7 plus, you will have this problem because all those applications are pinned, so you will not be able to decrypt them; the only option is to bypass them. Technically it's impossible to do decryption if the endpoint is essentially telling you that I only expect a certificate that is served to me by Apple or Google, and it's not just a problem for Palo Alto Networks, it is a problem across the entire industry. What we are focusing a lot of our efforts on is how we help customers get to a state where they get security without breaking all these applications, and where you can selectively make a decision.

Okay, last but not least, the decryption exclude list. So this has existed on the firewall for a very long time. We actually made some improvements to the exclude list recently, where in Panorama 8.0 and onwards you can actually go and see this list and you can actually go and edit this list; you can remove entries, you can add entries. The way the exclude list works is that whenever we create a new App-ID, we do this research on whether this application will work with decryption; if we find out it will not work, we push a content update to update the list that for this new App-ID that we're releasing, decryption breaks it, so please exclude it. You can also add to this list based on your own research, if you have applications within your enterprise environment that are breaking after decryption. Now there's a distinction
between using this versus using a no-decrypt policy. You can also create a custom URL category and say okay, all these URLs that I have in my environment, I don't want to decrypt. When you do it with the exclude list you don't get as much control as you get when you do it with policy, because when you do it with policy you can match on source, you can match on all those match columns; when it is in the exclude list, everything is excluded from decryption. So use this only for the most popular applications, and for anything that you have created within your environment where in some cases you want to decrypt and in some cases you don't, use the policy to do a no-decrypt.

Okay, last section: I'll quickly run through some of the useful CLI commands, feel free to take pictures, just kind of a deep dive on what can help you troubleshoot while you're adopting these best practices. There's a really good CLI command that can show you all the statistics for all the certificates that are being used across the firewall, what versions and ciphers are being negotiated. There's another CLI command that helps you look at the exclude cache, on what are all the different applications that are being populated into the exclude cache because, you know, some of them are using mutual authentication; this can be viewed and cleared through the CLI. If you have run into a really big problem and you want to quickly disable SSL decryption, hopefully you don't run into that, you can actually run a command on the entire firewall, but it's for troubleshooting; don't forget to undo the command after you fix the problem. And call to action: we have everything documented as best practices, please go read that. For customers who are thinking of adopting SSL decryption, also look at the Best Practices Assessment tool to understand how far you need to go, how far you have come along, to constantly measure yourself. There's a lab we have in this Ignite for a deep dive on SSL decryption best practices; I encourage you to go and try that and give us feedback,
and there are more resources listed here: best practices for decryption, URL filtering. We will talk about this also in another session that I do on Friday at 8 a.m. in the morning; save the best for last, it's gonna be the best session of Ignite. It's about best practices for securing your internet gateway, and that is the session where we will talk about everything: how you use URL filtering, how you use App-ID and how do you get there faster. Thank you. I think we still have a few minutes for questions.

Yes. Yeah, so the question is, when we were implementing SSL decryption at Palo Alto Networks, what are some of the experiences that we went through, what worked, what did not work, what applications broke, what did not break. So we ran into problems of course; it's not like it was a completely smooth transition. Some of the applications that were affected: a lot of our mobile applications, like any app that you use from a mobile phone, even from an iPhone, a lot of those were not working and we had to work with our IT, as part of R&D, to go figure out which one of those have to be excluded from decryption. I think that was the exercise that took probably the most amount of time, but once we got to know what works, what doesn't work, we got to a stable state. A lot of these were actually developer applications also, or in-house applications; some of them we were able to go back and change the application to make it work, some of them are applications like WhatsApp in which you can't really do much, you don't have an option; some of them were covered by the exclude list, some of them were discoveries where we had to add things. So no short answer, but yeah, that was part of the process. Any other question? A separate question for a separate discussion, not for this, but yeah, we can do that.

Yes, 1.5? No, 1.3. Yeah, so the question is how will we deal with TLS 1.3 and SSL pinning, and the answer is the same way you deal with it in TLS 1.2, because TLS 1.3 will still have something called SNI. It's not
going to be encrypted, not today, not maybe in a year from now, so if you have access to the SNI you will be able to exclude it, you'll be able to write policies, you'll be able to do pretty much the same thing that you do with 1.2 today. The biggest difference with 1.3 is we will not have access to a clear-text server certificate, which means the no-decrypt piece of the decryption profile you will not be able to apply.

Okay, is there a stable version of 9.0 that is out there today? Yes, the stable version of 9.0, which is the preferred version, is 9.0.4, which I think is about three to four weeks old now, and to give you another data point, I think about 11% of our customers are using 9.0 today on their firewalls. 9.0 is the one that supports HTTP version 2, that is correct; for anything prior to 9.0 we downgrade HTTP/2 to HTTP 1.1, so you'll still be able to get all the visibility, we just downgrade.

So the question is, any large deployments where we have seen a customer deploy BYOD without using MDM? I don't know, I don't have that, but I can try to find that for you; I'm sure there must be somebody who has done that.

Yeah, so the question is what is the frequency of the update to the SSL exclude list. So the frequency is that any time we update new apps, once a month, we definitely go and add to that list, but we are trying to get to a model where we start updating that list more often, outside of the new App-ID list, as a general measure: like if we find out that these applications do not work with SSL decryption, we want to start updating the exclude list more often, so you'll see more updates coming out sooner.

Okay, last question and then I think we are out of time. How do you get the presentation? Okay, also your question, I'll have to ask the Ignite, I don't know where the marketing people are, but I think these will be made available after the conference; if not, then just send me an email, I guess. Okay, thank you so much. [Applause]
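The TLS 1.3 point at the end of the Q&A (a decryption policy can still match on the SNI in the ClientHello, but no longer on a clear-text server certificate), together with the DoT/DoH and exclude-list discussion earlier in the talk, as an added Python example. This is not code from the talk or from Palo Alto Networks: the ClientHello bytes are constructed in the block, the three DoH resolver names stand in for the much longer signature set App-ID carries, and the host `pinned-app.example` is a hypothetical pinned thick-client hostname used only to show a no-decrypt exception.

```python
"""Added example (not code from the talk or from Palo Alto Networks).

Parses the SNI out of a TLS ClientHello, which is the field a decryption
policy can still match on under TLS 1.3, and applies the talk's ordering of
exceptions: block DoT by port, block known DoH resolvers by name, bypass
(no-decrypt) pinned or mutual-auth hosts, decrypt everything else.
"""
import os
import struct

# Constructed lists for the example only. A real deployment relies on the
# vendor's App-ID signatures for DoH and on its own tested exclude list.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
PINNED_NO_DECRYPT = {"pinned-app.example"}  # hypothetical pinned thick-client host
DOT_PORT = 853


def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.3-style ClientHello record; SNI omitted when server_name is None."""
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: 1.3
    extensions = versions_ext
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list + extensions
    body = (b"\x03\x03" + os.urandom(32)                 # legacy_version + random
            + b"\x20" + os.urandom(32)                  # legacy_session_id, 32 bytes
            + struct.pack("!H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                               # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                           # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                    # skip legacy_version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos + 2 > len(body):                         # hello without extensions: no SNI
            return None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:                         # only server_name interests us
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0 and len(data) >= p + 3 + nlen:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                     # truncated or garbage input
    return None


def classify_flow(dst_port: int, client_hello: bytes):
    """Decision for one outbound TLS flow, returned as (action, reason)."""
    if dst_port == DOT_PORT:
        return "block", "DNS over TLS on its standard port 853"
    sni = extract_sni(client_hello)
    if sni is None:
        return "decrypt", "no SNI, so no hostname exception can match"
    if sni in DOH_RESOLVERS:
        return "block", f"{sni} is a known DoH resolver"
    if any(sni == h or sni.endswith("." + h) for h in PINNED_NO_DECRYPT):
        return "no-decrypt", f"{sni} is pinned; decryption would only break it"
    return "decrypt", f"{sni} matched no exception"


if __name__ == "__main__":
    # Constructed flows: DoT, a DoH resolver, a pinned app, a normal site, no SNI.
    flows = [(853, b""), (443, build_client_hello("dns.google")),
             (443, build_client_hello("pinned-app.example")),
             (443, build_client_hello("www.example.com")), (443, build_client_hello())]
    for port, hello in flows:
        print(port, *classify_flow(port, hello))
```

The parser stops at the ClientHello on purpose: that is all an inline device sees in the clear once TLS 1.3 encrypts the server's Certificate message, so a no-decrypt exception keyed on the server certificate has nothing to match, while one keyed on the SNI still works. A hello with no SNI at all falls through to decrypt, which is the case where a pinned client will break with no hostname to exclude in advance.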
Info
Channel: Palo Alto Networks Ignite
Views: 3,156
Rating: 5 out of 5
Keywords: Data Security, Network Security, NGFW
Id: ak_LfDtArGY
Length: 54min 33sec (3273 seconds)
Published: Thu Dec 12 2019