2 Replies Latest reply on Jun 22, 2012 3:08 PM by mhar

    Loss in security going from SSL/TLS App to "SSL Generic" App?

      We have several rules on our 8.2.1 load-sharing firewall cluster where SSL is decrypted at the firewall for inspection and passed on to the web server or web server load balancer as plain text (port 80 or 81).  Since going to version 8 (about a year ago) on new hardware, I see a HUGE amount of broken SSL traffic with this error:


      The SSL session failed.  This may be a configuration error.


      I ran packet captures on my own computer and found when this happens it appears that my PC is immediately closing the connection after the SSL greeting from the firewall.  My PC then starts the 3-way handshake again and it works fine.  I notice no delay in my traffic (this failure and new connection happen very quickly).  That made me think it was a PC or browser issue (this is always IE, but may be different versions at our customer sites).  However, when I change the Application from SSL/TLS to my own "SSL Generic" Application on port 443, the problem goes away.  No more of these errors are logged in the firewall for the internal test rule I created.


      So, I'm tempted to change all of our rules for SSL-decrypted traffic over to my generic App.  However, I know that the included Apps (when handled by proxies, at least) have some additional security checks beyond what you get with a generic proxy.  Looking at the App Defenses, I see that there is no App Defense for "SSL/TLS (HTTPS)".  Does traffic handled by this SSL/TLS app use the HTTP App Defense chosen, or does it not have any App Defense features at all, even though it's decrypted at the firewall?  Will I lose security checks if I change to my generic SSL App?


      Message was edited by: mhar on 6/20/12 11:32:42 AM CDT
        • 1. Re: Loss in security going from SSL/TLS App to "SSL Generic" App?
          sliedl

          PM me your Grant number and I'll open a ticket for you.  I want you to send me audits and tcpdumps.  I believe what is happening is the firewall is sending extraneous FINs or RSTs here which causes your client to FIN/ACK the connection.  It is similar to something I just read about in another issue.


          The firewall decrypts the traffic via the SSL rules then hands it off to the ACL rules.  The rules look for a matching application.  HTTP has ports TCP/80 and SSL/443.  The SSL/443 here means "This application might travel over 443 and be SSL-encapsulated so you may want to decrypt it" (basically).  The rules see that this is SSL/443 traffic so it matches the HTTP application and then takes the actions that are specified in the HTTP Application Defense set in that Application Defense group for that rule (virus-scanning, etc.).  If you wanted to ONLY allow decrypted HTTPS inbound you would do 'Override Ports' on the HTTP application and take out the TCP/80 part, so we'd only be looking for SSL/443 traffic.  That way you would not allow inbound HTTP/80 via your decrypting/scanning HTTPS ACL rule.


          You have to use HTTP in your ACL rule, not SSL/TLS(HTTPS) (since it is no longer HTTPS right now, it's been decrypted).  That is how I understand how this works.  Page 209 of the 8.2.0 Admin Guide has a good explanation of decrypting inbound SSL and how to make your rules.

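The two observations in this thread, the PC closing the connection right after the firewall's SSL greeting and then reconnecting (the original post), and the suspicion that the firewall itself emits a stray FIN or RST (this reply), can both be checked mechanically against a tcpdump before sending audits to support. The script below is an added example, not from the thread and not McAfee's code: it reads tcpdump -nn style lines, groups them per client connection to port 443, and reports which side closed first after the server's first data segment (the ServerHello), plus how many aborted connections were immediately retried by the same client. The packet lines, addresses and timings are constructed to mimic the behaviour described, not a real capture.

```python
"""Classify TCP/443 flows from tcpdump-style lines by what happens right after
the server's first data segment (the TLS ServerHello).  Added example; the
sample lines below are constructed, not a real capture."""
import re
from collections import defaultdict

# Fields we rely on in a `tcpdump -nn` line: timestamp, endpoints, Flags, length.
# Other fields (seq, ack, win) are skipped by the lazy ".*?".
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*? length (?P<len>\d+)"
)

# Constructed sample (placeholder addresses).  Flow 51000: client FINs right after
# the ServerHello, then retries on 51001, which completes the handshake.
# Flow 52000: the server side sends a RST after its ServerHello.
SAMPLE = """\
10:00:00.000000 IP 10.1.1.50.51000 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
10:00:00.001000 IP 203.0.113.10.443 > 10.1.1.50.51000: Flags [S.], seq 500, ack 2, win 65535, length 0
10:00:00.002000 IP 10.1.1.50.51000 > 203.0.113.10.443: Flags [.], ack 501, win 8192, length 0
10:00:00.003000 IP 10.1.1.50.51000 > 203.0.113.10.443: Flags [P.], seq 2:180, ack 501, win 8192, length 178
10:00:00.005000 IP 203.0.113.10.443 > 10.1.1.50.51000: Flags [P.], seq 501:1900, ack 180, win 65535, length 1399
10:00:00.006000 IP 10.1.1.50.51000 > 203.0.113.10.443: Flags [F.], seq 180, ack 1900, win 8192, length 0
10:00:00.007000 IP 203.0.113.10.443 > 10.1.1.50.51000: Flags [F.], seq 1900, ack 181, win 65535, length 0
10:00:00.050000 IP 10.1.1.50.51001 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
10:00:00.051000 IP 203.0.113.10.443 > 10.1.1.50.51001: Flags [S.], seq 700, ack 2, win 65535, length 0
10:00:00.052000 IP 10.1.1.50.51001 > 203.0.113.10.443: Flags [.], ack 701, win 8192, length 0
10:00:00.053000 IP 10.1.1.50.51001 > 203.0.113.10.443: Flags [P.], seq 2:180, ack 701, win 8192, length 178
10:00:00.055000 IP 203.0.113.10.443 > 10.1.1.50.51001: Flags [P.], seq 701:2100, ack 180, win 65535, length 1399
10:00:00.056000 IP 10.1.1.50.51001 > 203.0.113.10.443: Flags [P.], seq 180:310, ack 2100, win 8192, length 130
10:00:01.000000 IP 10.1.1.51.52000 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
10:00:01.001000 IP 203.0.113.10.443 > 10.1.1.51.52000: Flags [S.], seq 900, ack 2, win 65535, length 0
10:00:01.002000 IP 10.1.1.51.52000 > 203.0.113.10.443: Flags [.], ack 901, win 8192, length 0
10:00:01.003000 IP 10.1.1.51.52000 > 203.0.113.10.443: Flags [P.], seq 2:180, ack 901, win 8192, length 178
10:00:01.005000 IP 203.0.113.10.443 > 10.1.1.51.52000: Flags [P.], seq 901:2300, ack 180, win 65535, length 1399
10:00:01.005500 IP 203.0.113.10.443 > 10.1.1.51.52000: Flags [R.], seq 2300, ack 180, win 0, length 0
10:00:01.006000 IP 10.1.1.51.52000 > 203.0.113.10.443: Flags [F.], seq 180, ack 2300, win 8192, length 0
"""


def parse(lines, server_port=443):
    """Group packets into flows keyed by (client ip, client port, server ip)."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line we understand; skip rather than guess
        d = m.groupdict()
        h, mi, s = d["ts"].split(":")
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        if int(d["dport"]) == server_port:
            key, sender = (d["src"], int(d["sport"]), d["dst"]), "client"
        elif int(d["sport"]) == server_port:
            key, sender = (d["dst"], int(d["dport"]), d["src"]), "server"
        else:
            continue
        flows[key].append((ts, sender, d["flags"], int(d["len"])))
    return flows


def classify(packets):
    """Decide what followed the server's first data segment (the ServerHello)."""
    hello = next((i for i, p in enumerate(packets) if p[1] == "server" and p[3] > 0), None)
    if hello is None:
        return "no_server_hello"
    for _ts, sender, flags, length in packets[hello + 1:]:
        closing = "F" in flags or "R" in flags
        if sender == "server" and closing:
            return "server_closed_after_hello"  # the stray FIN/RST hypothesis
        if sender == "client" and closing:
            return "client_closed_after_hello"  # what the PC capture showed
        if sender == "client" and length > 0:
            return "handshake_continued"  # client key exchange went out
    return "incomplete"


def report(lines, retry_window=1.0):
    """Return {flow: verdict} and the number of aborted flows the same client retried."""
    flows = parse(lines)
    verdicts = {key: classify(pkts) for key, pkts in flows.items()}
    starts = [(pkts[0][0], key) for key, pkts in flows.items()]
    retries = 0
    for key, verdict in verdicts.items():
        if not verdict.endswith("_closed_after_hello"):
            continue
        end = flows[key][-1][0]
        # A new SYN from the same client IP to the same server shortly after the abort.
        if any(end < t <= end + retry_window and k != key and k[0] == key[0] and k[2] == key[2]
               for t, k in starts):
            retries += 1
    return verdicts, retries


if __name__ == "__main__":
    verdicts, retries = report(SAMPLE.splitlines())
    for key, verdict in verdicts.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}: {verdict}")
    print(f"aborted flows retried within 1s: {retries}")
```

To use it on a real capture, run `tcpdump -nn -tt` style output through `report()` with the firewall's listening port; a capture taken on the firewall's external interface and one on the PC at the same time will show whether the FIN/RST that the script attributes to the "server" side is actually emitted by the firewall or only appears after the firewall, which is exactly the data the reply asks for.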
          • 2. Re: Loss in security going from SSL/TLS App to "SSL Generic" App?

            Thanks, sliedl.  I have been using the SSL/TLS app all this time, so I'm guessing that means I've had reduced security as it would not be looking for specifically HTTP traffic, but anything that is or was SSL encrypted.  I just made a test rule for just our company for this traffic using the HTTP Application.  I want to see if this helps with the SSL errors in the log.  If not, I'll look at getting you all that data you requested.