
SSL Decryption FortiGate


We have all heard about SSL decryption and about malware hiding inside encrypted traffic. A large share of Internet traffic is now encrypted, which means that malicious content such as malware, viruses and ransomware can hide inside it. If most of that traffic is encrypted, our firewalls cannot analyze it, the organization can easily be infected, and the investment we have made in those firewalls is wasted.

There is a solution for this: SSL decryption, as my title suggests, also known to some IT folks as deep packet inspection. The image I have attached below shows clearly what I am trying to explain. Using deep packet inspection, the firewall decrypts the encrypted traffic between client and server, inspects the content to find threats and block them, then re-encrypts it and forwards it to the destination.




We first need to set up SSL/SSH inspection. There are two ways of doing deep packet inspection. One is for outgoing traffic, technically sometimes referred to as Source NAT, and the other is for incoming traffic, referred to as Destination NAT.

Source NAT is usually the traffic we generate when surfing the Internet from inside a protected network to the outside. Destination NAT is used when providing an application as a service to customers; in that case the SSL certificate bundle of that particular service domain must be imported into the FortiGate.

Certain web categories and addresses can also be exempted, which we will talk about later in the blog.



We now need to use the SSL inspection profile we have just made in our policy.



You can see in the policy named SOSYS-INTERNET, under Security Profiles, that we have used AntiVirus, IPS and custom-deep-inspection. Custom deep inspection will be applied to anyone browsing the Internet from SOSYS-SUBNET.

Finally, we need to install the CA certificate in the web browser of the end host as a trusted root certificate.



Once we start browsing a website we can see the certificate we imported, which shows that deep packet inspection has started working.



Sites can also be exempted with the help of addresses (FQDN, IP address) or website categories maintained by FortiGuard. In this particular example I have done it using an address for the site boxoffice.gov.np, defined as a wildcard FQDN.






You can now clearly see that the certificate is issued by GeoTrust, not by the FortiGate, and therefore deep packet inspection is not being performed for this particular site. This is usually done for some trusted websites such as YouTube, Facebook and so on.
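The two observations above (an inspected site shows the FortiGate CA as issuer, an exempted site shows its real CA) can be checked from the client without opening a browser. The script below is an added example, not part of the original post or a Fortinet tool; it assumes the inspection CA's name contains a marker such as "Fortinet" or "FortiGate", and the sample certificates are constructed in the same shape that Python's `ssl.getpeercert()` returns.

```python
"""Report whether an HTTPS connection is being deep-inspected, judged by who
issued the server certificate. Assumption: the firewall re-signs server
certificates with a CA whose name contains one of INSPECTION_CA_MARKERS."""
import socket
import ssl

# Assumption: substrings found in the inspection CA's name; adjust to your own CA.
INSPECTION_CA_MARKERS = ("fortinet", "fortigate")


def issuer_from_cert(cert):
    """Flatten the issuer tuple-of-tuples returned by ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def is_inspected(cert, markers=INSPECTION_CA_MARKERS):
    """True if the certificate was re-signed by the inspection CA, i.e. DPI is active."""
    issuer = issuer_from_cert(cert)
    name = " ".join(issuer.get(f, "") for f in ("organizationName", "commonName")).lower()
    return any(marker in name for marker in markers)


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the peer certificate for host (live network call, not used by the test).
    Verification stays on: if the inspection CA is not trusted on this machine the
    handshake fails with a certificate error, which is itself the symptom users see."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not captured from a real FortiGate or GeoTrust).
INSPECTED = {"subject": ((("commonName", "www.example.com"),),),
             "issuer": ((("countryName", "US"),), (("organizationName", "Fortinet"),),
                        (("commonName", "FortiGate CA"),))}
EXEMPT = {"subject": ((("commonName", "boxoffice.gov.np"),),),
          "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
                     (("commonName", "GeoTrust RSA CA 2018"),))}

if __name__ == "__main__":
    for label, cert in (("constructed inspected site", INSPECTED),
                        ("constructed exempt site", EXEMPT)):
        verdict = "deep inspection active" if is_inspected(cert) else "not inspected"
        print(f"{label}: issuer={issuer_from_cert(cert).get('commonName')} -> {verdict}")
```

To check a real site, replace the constructed dicts with `fetch_cert("boxoffice.gov.np")` on a host behind the firewall.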

On a final note I would like to add that although these devices do perform deep packet inspection and help us find malware inside the data sent, there is a downside as well. The performance of these firewalls goes down significantly, because they need to decrypt each packet, inspect it, re-encrypt it and send it on towards the application server or the Internet.





