DEPLOYMENT GUIDE
SSL Insight Proof of Concept
Deployment Guide | SSL Insight Proof of Concept

Table of Contents
Disclaimer  2
Overview  3
Deployment Prerequisites  3
Basic Topology  3
  Certificate Check with Basic Topology  3
  SSL Insight with L2 Topology  5
Thunder SSLi Configuration  6
  AppCentric Templates Overview  6
  Initial Setup Verification  14
Certificate Requirement for SSL Insight Deployment  16
  Preparing Certificates  16
  XCA Certificate and Key Management  17
  Exporting Certificates from XCA  20
Importing Certificates  22
  On the Client Machine  22
  A10 Thunder SSLi Device  25
  Verification with New Certificates  27
Bypass Configuration  28
  Bypass Domain List  28
  Verification  29
  Verification  31
Advanced Settings  32
  Adding a Passive Security Device (Mirrored Port)  32
  Adding Second Path (Load Balancing)  33
Summary  34
Appendix A – Thunder SSLi CLI configuration  35
Appendix B – Adding Second Path Using Wizard Menu  40
About A10 Networks  41

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release.
Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Overview
With the growth in encrypted traffic, increasing SSL key lengths and more computationally complex SSL ciphers, it is increasingly difficult for inline security devices to decrypt SSL traffic. This guide provides step-by-step instructions for deploying the A10 Networks® Thunder® SSL Insight® (SSLi®) product line using A10’s new AppCentric Templates configuration tool. A10’s SSL Insight technology helps eliminate the SSL blind spot in corporate defenses and enables security devices to inspect encrypted traffic, not just clear text.

In this guide, the SSL Insight solution is deployed in a Layer 2 network environment with a single Thunder SSLi device, using Application Delivery Partitions (ADPs) to create multiple logical SSLi devices. The example covers an SSLi deployment with a security device in Bump in the Wire (L2) mode.

Deployment Prerequisites
To deploy the SSL Insight solution with the AppCentric Templates configuration tool, the following are required:
• A10 Networks Advanced Core Operating System (ACOS®) 4.1.0-P5 or higher
• Thunder SSLi or A10 Thunder Convergent Firewall (CFW) hardware appliance
• Security devices for inspecting the traffic
• Client machine (Windows)
• Internet access through a (gateway) router

Note: A10 SSL Insight supports various types of security device deployment, for example L2/bump-in-the-wire, L3 (routed and/or NAT), proxy devices, explicit proxy and proxy chaining, and/or TAP/passive.

Basic Topology
In this guide, we will use a basic topology with a client device (Windows machine) having Internet access through a gateway router.
As shown in Figure 1, the client and the gateway are on the same IP subnet (broadcast domain), so that a later section can show the SSL Insight deployment in an L2 environment.

[Figure 1: Basic topology. Client (Windows machine): IP 30.99.1.5/16, subnet 30.99.0.0, gateway 30.99.1.10. Gateway router: IP 30.99.1.10/16, subnet 30.99.0.0.]

Certificate Check with Basic Topology
This topology is intended to show a comparison between a network without an SSL Insight device and a network with an active SSL Insight device placed in the middle. As a first step, on the client machine, open a web browser (e.g., Mozilla Firefox) and access a secure website using the HTTPS protocol, for example https://finance.yahoo.com. Once the website is open, you can check the security information, more specifically the certificate, to confirm the details of the issuer and the chain of trust.
1. On the browser (e.g., Mozilla Firefox), click on the lock icon located on the left of the URL bar and click More Information.
Figure 2: Certificate information on browser
2. A Page Info window will pop up. Go to the Security tab and click View Certificate.
Figure 3: Page Info
3. In the Certificate Viewer window, you will see details of the SSL server certificate used for this website. In this example, you can confirm that this certificate was issued to www.yahoo.com by Symantec as the intermediate CA, with VeriSign as the root CA.
Figure 4: Certificate information

SSL Insight with L2 Topology
A10’s SSL Insight technology can be deployed with a single A10 Thunder SSLi appliance by creating two logical SSLi appliances using ADP partitions: one for decryption and the other for re-encryption. It can also be deployed using separate Thunder SSLi devices for decryption and re-encryption. This guide uses a single-appliance deployment with two logical partitions for decrypting and re-encrypting SSL traffic as its primary example.
Here, the partition that decrypts outbound SSL traffic is referred to as SSLi Inside, and the partition that re-encrypts outbound SSL traffic is referred to as SSLi Outside. As shown in Figure 5, SSLi is deployed on the basic topology (L2) described in the previous section.
• The client and the gateway router are on the same IP subnet (L2 environment).
• The Thunder SSLi and a security device are deployed between the client and the gateway router without changing IP addresses on existing devices.
• The Thunder SSLi device is configured with an SSLi Inside partition named “ssli_in” and an SSLi Outside partition named “ssli_out.”
• The security device is connected to the Thunder SSLi device: one port for SSLi Inside and one for SSLi Outside.
• The security device is deployed in “Bump in the Wire” (L2) mode.
• No IP address change takes place during the traversal of a packet through the network.

[Figure 5: SSL Insight deployment in L2 topology. Client (Windows machine; IP 30.99.1.5/16, subnet 30.99.0.0, gateway 30.99.1.10) – eth1 – Thunder SSLi – eth2 – Security Device – eth3 – Thunder SSLi – eth4 – Gateway Router (IP 30.99.1.10/16, subnet 30.99.0.0).]

The following describes the packet flow through the SSL Insight L2 topology:
1) Encrypted traffic such as HTTPS traffic originates from the internal client.
2) The traffic is intercepted and decrypted by the SSLi Inside, and the clear-text content (HTTP) is directed to the security device.
3) The security device inspects the clear-text content and sends it back towards the SSLi Outside.
4) The SSLi Outside re-encrypts the traffic as HTTPS and forwards it to the gateway router. All communication beyond the SSLi Outside is encrypted.
5) The destination server receives the encrypted request and sends back the encrypted response.
6) The SSLi Outside decrypts the response and forwards it as clear-text content (HTTP) to the security device.
7) The security device inspects the clear-text content of the response traffic and sends it back towards the SSLi Inside.
8) The SSLi Inside receives the clear-text response traffic, re-encrypts it and sends it to the internal client.

Thunder SSLi Configuration
AppCentric Templates Overview
A10 Networks AppCentric Templates is an easy-to-use configuration tool for SSL Insight and other popular applications such as Microsoft Exchange. Besides a regular graphical user interface (GUI), the new AppCentric Templates tool offers guided topology configuration, easy and quick SSL-related configuration, and a widget-based dashboard. This tool is available in the ACOS 4.1.0-P5 release and is accessible via the GUI through System > AppCentric Templates or by directly entering the path (directory) “/templates” (e.g., https://<Thunder SSLi device IP>/templates/).

The AppCentric Templates tool for SSL Insight has four main sections:
1) Dashboard - Gives users a view of statistics on the current state of the system, including CPU and memory usage, connection rate, traffic rate and device information (including the installed hardware).
2) Management - Used to log into the device.
3) Wizard - Provides users with a flow-based configuration of the SSL Insight device.
4) Configuration - Shows the current configuration of the device and gives access to some advanced options.
Figure 6: AppCentric Templates Dashboard
Figure 7: AppCentric Templates login

Wizard: Topology
The Topology is the first step in the configuration of an SSLi device. In this step, you choose the network and deployment topology to use for the SSL Insight solution, based on the current deployment.
1. Once logged in, navigate to Wizard > Topology.
2. Choose the topology you will be working with. In this example, the L2, Single Path topology (default option) is selected.
Figure 8: Wizard - Topology configuration
3. Click NEXT.
Note: Thunder SSLi supports a number of different topologies. The topologies can be viewed and chosen from the Custom tab in the Topology section of the Wizard menu.
Figure 9: Selection of custom topology

Wizard: Decryption
The Decryption step addresses the SSLi Inside properties. In this step, we do the following:
1. Select an Ingress Interface (e.g., Ethernet 1). This is the interface that receives encrypted (SSL) traffic from the internal client.
2. Assign an IP address to the group of two interfaces in the SSLi Inside (e.g., 30.99.0.37/16).
3. Select SSLi_Test in the SSL Certificate and Key drop-down menu. This step is used for testing purposes: SSLi_Test is a self-signed certificate that comes pre-installed with the AppCentric Templates.
Note: If you already have a CA certificate (and key) prepared, you can import them onto the Thunder SSLi. See the detailed steps in the A10 Thunder SSLi Device section.
Figure 10: SSL Certificate & Key
4. Select an interface under Outbound to Security Device, where the decrypted traffic is sent out towards the security device. In this example, Ethernet 2 is the outbound interface on the Decryption side (SSLi Inside).
Figure 11: Wizard - Decryption

Wizard: Re-Encryption
The Re-encryption step addresses the SSLi Outside properties. In this step, we do the following:
1. Select an interface under Inbound from Security Device, where the inspected traffic is received from the security device (e.g., Ethernet 3).
2. Assign an IP address to the group of two interfaces in the SSLi Outside (e.g., 30.99.9.26/16).
3. Select an Egress Interface. This interface sends out the re-encrypted (SSL) traffic towards the Internet via a gateway router (e.g., Ethernet 4).
4. Specify an IP address (e.g., 30.99.1.10) for the Default Gateway.
Figure 12: Wizard - Re-encryption

Wizard: Bypass Configuration
The Bypass Configuration is optional, but it is also important for SSL Insight. While you strengthen the security solution using SSL Insight, you need to protect, in other words not decrypt or inspect, users’ private information such as banking and healthcare data. Any traffic destined to the websites/IPs in the Bypass List will not be decrypted and inspected through SSL Insight.
Figure 13: Wizard - Bypass Configuration

The Bypass Configuration provides the following three types of bypass list:

Bypass Category List
Figure 14: Bypass Category List
The Bypass Category List is used to select website categories that you don’t want to decrypt using SSL Insight. For example, if you select the category “financial-services,” all the websites under that category will be bypassed and will not be inspected through SSL Insight. By default, the “financial-services” and “health-and-medicine” options are selected. If required, the selected options can be removed from the right side-bar menu.
Note: This is subject to the A10 URL Classification Service, and a license key is required to activate the function.

Bypass Domain List
The Bypass Domain List is used to select certain words or phrases of websites’ domains/URLs. If these words or phrases are contained in the URL, the traffic destined to the website/URL will be bypassed. For example, if the word “bank” is added to the bypass domain list, any traffic to websites containing “bank” in the URL, such as bankofamerica.com and usbank.com, will be bypassed and will not be inspected through SSL Insight. The Add Default button can be used to add a pre-defined list of 16 domains, commonly bypassed by users, to the list of bypassed domains. The list, once added, can be edited in the right side-bar menu.
Figure 15: Bypass Domain List

Bypass IP List
The Bypass IP List option is used to select source or destination IP addresses, based on which bypassing can occur. These IP addresses can either be specific host addresses or network addresses.
Figure 16: Bypass IP List

Wizard: Confirm
On the Confirm tab, you can review a summary of the SSL Insight configuration properties set so far. You can edit the configuration by clicking the PREVIOUS button or selecting the appropriate tab. If the configuration is confirmed and correct, click FINISH to finalize the SSL Insight topology configuration, which opens a new window showing the actual CLI-based configuration.
Figure 16: Wizard - Confirm
You can either click APPLY to activate the settings on the Thunder SSLi device, or click COPY to configure the SSLi settings manually through the CLI.
Figure 17: Wizard – Configuration Overview
Once it is applied, you will be redirected to the SSL Configuration Template page, where you can look at the current configuration applied to the Thunder SSLi device.
Figure 18: SSL Configuration Template

Initial Setup Verification
Now that the basic setup of the SSLi deployment in L2 topology is complete, this section describes how to verify the SSL Insight environment and tackle the problems that arise from the configuration so far.
1. On the client machine, open a web browser (e.g., Mozilla Firefox) and access any secure website, for example https://finance.yahoo.com.
2. You will see a security warning on the browser. The following example shows the security warning on Firefox.
Figure 19: Security warning
3. Accept the risk and open the website, then check the certificate information.
• In Firefox, click Add Exception and then click View in the Certificate Status section of the pop-up window.
• In Chrome, click the lock icon on the left of the URL address bar, and click Certificate Information under the Connection tab.
4. Confirm the forged certificate. As shown in the example below, the certificate properties (specifically the issuer information, among others) differ from the original one confirmed in the Certificate Check with Basic Topology section. The Thunder SSLi successfully proxies the website’s certificate; however, it is missing the certificate chain of trust, resulting in the security warning.
Figure 20: Certificate details
The reason for this security warning is that the generated self-signed certificate is used on the Thunder SSLi device. The self-signed server certificate is not a proper CA certificate, and it is not possible for users to verify whether it is trusted, since it is neither signed by any trusted CA nor accompanied by a certificate chain of trust. In this condition, users will keep receiving security warnings whenever they open a secure website using HTTPS. Some web browsers may not even allow opening the page. To avoid this, you need to properly prepare CA certificate(s) for the SSL Insight deployment, which is described in the next section.

Certificate Requirement for SSL Insight Deployment
Preparing Certificates
This section describes in depth the certificate requirements for an SSL Insight deployment and how to avoid the security warnings shown in the previous section. The SSL Insight feature relies on a CA certificate and key pair to decrypt traffic between clients and any external SSL servers that are not controlled by the same organization.
When an internal client initiates SSL communication with an external server, Thunder SSLi intercepts the server certificate from the original server, modifies the certificate and then re-signs it using the CA certificate and the private key stored on the device. The re-signed server certificate is then sent to the internal client.

A free application called XCA¹ (X Certificate and key management) is used to generate and manage the CA certificate, key and certificate chain file.
Note: If you would like to use OpenSSL on a Linux machine instead of XCA, refer to the SSL Insight Certification Management Guide.
¹ https://sourceforge.net/projects/xca/

XCA serves as the root Certificate Authority (CA) and generates/signs the intermediate CA certificate(s) as well as the certificate chain, as shown in Figure 20.

[Figure 21: Certificates for SSLi deployment. (1) Root CA certificate with key, CorpRoot: the certificate only (PEM) is created/exported and imported into the client browser. (2) Intermediate CA certificate with key 1, CorpInt1, and intermediate CA certificate with key 2, CorpInt2: the CorpInt2 certificate and key (PKCS12) are exported and imported into the A10 Thunder SSLi. (3) Certificate chain (PEM): exported and imported into the A10 Thunder SSLi.]

The CorpRoot certificate is at the top of the chain and is considered the root CA certificate. Under that, an intermediate CA certificate named CorpInt1 is created and signed by CorpRoot. Another intermediate CA named CorpInt2 is then signed by CorpInt1. All of these are CA certificates and are nested accordingly. For SSL Insight to successfully forge a certificate, you need the following three files imported in two separate locations:
1. The CorpRoot certificate is exported from XCA in PEM format and then imported into the web browser of the client machine as a trusted authority certificate. This CorpRoot file contains only the root CA certificate.
2. The CorpInt2 certificate is exported from XCA in PKCS12 format and then imported onto the Thunder SSLi device as CorpCA in PFX format.
This file contains a chain of all the certificates in the hierarchy along with the private key.
3. The certificate chain is required to prove that the CorpInt1 certificate that signed the CorpInt2 certificate is itself signed by CorpRoot, which is a trusted authority for clients. Therefore, the certificate chain should include CorpInt1 and CorpInt2 at minimum, and is exported from XCA in PEM format. This file is then imported onto the Thunder SSLi device as CorpChain in PEM format. The order of certificates inside the file should start with CorpInt2, then CorpInt1.
Note: The certificate chain may include the CorpRoot certificate. If so, the CorpRoot certificate should be concatenated last (at the bottom).
Note: If you are using an intermediate CA directly signed by the root CA on the Thunder SSLi device, you don’t need to create a certificate chain. You can use the intermediate CA as the forward-proxy-ca-cert as well as the chain-cert in the Thunder SSLi configuration.

XCA Certificate and Key Management
As a first step in using XCA, a new database needs to be created. Navigate to File > New Database; you will be prompted for a password for the new database. In this guide, a simple password “abc” is used as an example.
Next, navigate to the Certificates tab and create the CA certificates via the following steps:
1. Click on the New Certificate button.
2. In the pop-up window, go to the Source tab:
2.1. Signing: Select the Create a self-signed certificate with serial option, because this will be the root certificate of the chain.
2.2. Signature algorithm: Select “SHA 256.”
2.3. Template for the new certificate: Select the [default] CA option and click Apply all.
Figure 22: XCA - Source
3. Move to the Subject tab and enter the following:
3.1. In the Distinguished name section, enter the following:
• Internal name: CorpRoot
• organizationName: CorpRoot
• commonName: CorpRoot
• countryName: US
• stateOrProvinceName: CA
Figure 23: XCA - Subject
3.2. In the Private key section, click the Generate a New Key button, then generate a 2048-bit key with RSA as the Keytype.
Figure 24: XCA - New private key generation
4. Go into the Extensions tab.
4.1. In the X509v3 Basic Constraints section, select Certification Authority under Type.
4.2. (Optional) Adjust other advanced options, such as the validity period, if needed.
Figure 25: XCA - Extensions
5. Click OK. The certificate will be created and shown in the Certificates tab of XCA.
Figure 26: XCA - Created CA certificate
6. To create the intermediate CA certificate CorpInt1, select the created root CA certificate “CorpRoot” and then click on the New Certificate button.
7. Follow Step 2, but make sure that the Use the Certificate for Signing option is checked in the Signing section, with the “CorpRoot” certificate selected.
8. Repeat Steps 3 to 5. At Step 3.1, use the name CorpInt1 instead of CorpRoot.
9. Once the CorpInt1 CA certificate is created, select “CorpInt1” and then click the New Certificate button on the Certificates tab.
10. Repeat Steps 3 to 5 to create the intermediate CA certificate CorpInt2. At Step 3.1, use CorpInt2 instead of CorpInt1 this time.
11. Now you will see all three CA certificates as follows.
Figure 27: XCA - All three CA certificates
Note: A certificate chain file will be created in the next section as part of the certificate export process.

Exporting Certificates from XCA
As described in the Preparing Certificates section, you will need to export three certificate files from XCA.
One of these will be imported into the web browsers on all client machines, while the other two will be imported onto the Thunder SSLi device. The following steps show how to export the files from XCA.

Export CorpRoot for Client Machine
1. In the Certificates tab, select the “CorpRoot” certificate, then click on the Export button located on the right side of the menu.
2. In the pop-up window, check the file name and its path, and select “PEM” under Export Format.
3. Click OK. This file will be imported into the client web browser.
Figure 28: XCA - Exporting CorpRoot CA certificate

Export CorpInt2 CA Certificate for the Thunder SSLi Device
1. In the Certificates tab, select the “CorpInt2” certificate, then click on the Export button located on the right side of the menu.
2. In the pop-up window, check the file name and its path, and select “PKCS#12” under Export Format.
3. Click OK and enter a password to encrypt the PKCS#12 file. This file will be imported onto the Thunder SSLi device, and the password is required during the import process.
Figure 29: XCA - Exporting CorpInt2 intermediate CA certificate

Export Certificate Chain File
This step creates a certificate chain file by concatenating multiple CA certificates, at minimum CorpInt1 and CorpInt2.
Note: In the example below, XCA actually concatenates all three CA certificates, including CorpRoot. Doing so will not affect any SSL Insight operations.
1. In the Certificates tab, select the “CorpInt2” certificate, then click the Export button located on the right side of the menu.
2. In the pop-up window, check the file name and its path, and select “PEM chain” under Export Format. This file contains the complete chain of certificates concatenated in reverse order (CorpInt2 first, CorpRoot last). This file will be imported onto the Thunder SSLi device.
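The same three-certificate hierarchy and the three export files can be produced with OpenSSL, which the Preparing Certificates section mentions as the alternative to XCA. The script below is an added example written for this guide, not A10's or XCA's own code: it creates CorpRoot, CorpInt1 and CorpInt2 as CA certificates (RSA 2048, SHA-256), writes CorpRoot.crt (PEM, for the browsers), CorpInt2.p12 (PKCS#12 with key and issuing chain, imported as CorpCA) and CorpInt2.pem (PEM chain, imported as CorpChain), and includes a chain_order_ok check for the ordering rule in Preparing Certificates item 3 (CorpInt2 first, CorpInt1 next, CorpRoot last if present). It assumes openssl 1.1.1 or later on the PATH; the output directory name, the SSLI_CERT_DIR variable and the password "changeme" are placeholders.

```shell
#!/bin/sh
# Added example (not from the A10 guide): builds the CorpRoot > CorpInt1 > CorpInt2
# CA hierarchy from "Preparing Certificates" with OpenSSL instead of XCA, produces
# the three export files the guide describes, and checks the chain-file order.
# Assumes openssl 1.1.1+ on PATH. Output directory and PKCS#12 password are
# caller-supplied placeholders.

make_ssli_certs() {  # make_ssli_certs OUTPUT_DIR PKCS12_PASSWORD
  dir=$1; p12pw=$2
  mkdir -p "$dir"

  # Root CA request config: prompt-free DN, marked as a CA (the guide's XCA steps 2-4)
  cat > "$dir/root.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
C = US
ST = CA
O = CorpRoot
CN = CorpRoot
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Extensions applied when signing each intermediate (CA:TRUE, linked to the issuer key)
  cat > "$dir/int_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # CorpRoot: self-signed root, RSA 2048, SHA-256
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/root.cnf" -keyout "$dir/CorpRoot.key" -out "$dir/CorpRoot.crt"

  # CorpInt1 signed by CorpRoot, then CorpInt2 signed by CorpInt1
  issuer=CorpRoot
  for name in CorpInt1 CorpInt2; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/root.cnf" \
      -subj "/C=US/ST=CA/O=$name/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr"
    openssl x509 -req -sha256 -days 1825 -in "$dir/$name.csr" \
      -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial \
      -extfile "$dir/int_ext.cnf" -out "$dir/$name.crt"
    issuer=$name
  done

  # The three files the guide exports:
  #  CorpRoot.crt  root only (PEM), for the client browsers' trust store
  #  CorpInt2.p12  CorpInt2 key + issuing chain (PKCS#12), imported on the SSLi as CorpCA
  #  CorpInt2.pem  chain ordered CorpInt2, CorpInt1, root last, imported on the SSLi as CorpChain
  cat "$dir/CorpInt1.crt" "$dir/CorpRoot.crt" > "$dir/issuers.pem"
  openssl pkcs12 -export -name CorpInt2 -in "$dir/CorpInt2.crt" -inkey "$dir/CorpInt2.key" \
    -certfile "$dir/issuers.pem" -passout "pass:$p12pw" -out "$dir/CorpInt2.p12"
  cat "$dir/CorpInt2.crt" "$dir/CorpInt1.crt" "$dir/CorpRoot.crt" > "$dir/CorpInt2.pem"
}

nth_cert() {  # nth_cert CHAIN_FILE N: print the N-th PEM certificate block (1-based)
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n { print }' "$1"
}

chain_order_ok() {  # chain_order_ok CHAIN_FILE: returns 0 if ordered as the guide requires
  f=$1
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || :)
  [ "$n" -ge 2 ] || return 1
  # The first certificate must be CorpInt2, the CA the SSLi re-signs with
  case "$(nth_cert "$f" 1 | openssl x509 -noout -subject)" in
    *CorpInt2*) ;;
    *) return 1 ;;
  esac
  # Each certificate must be issued by the one that follows it (root, if present, last)
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$f" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    next_subject=$(nth_cert "$f" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$next_subject" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Usage: SSLI_CERT_DIR=./ssli-certs sh make-ssli-certs.sh   (both names are placeholders)
if [ -n "${SSLI_CERT_DIR:-}" ]; then
  make_ssli_certs "$SSLI_CERT_DIR" "changeme"   # "changeme": placeholder PKCS#12 password
  chain_order_ok "$SSLI_CERT_DIR/CorpInt2.pem" && echo "CorpInt2.pem is in the required order"
fi
```

After running it, `openssl verify -CAfile CorpRoot.crt -untrusted CorpInt1.crt CorpInt2.crt` succeeds, while the same verification without CorpRoot fails; that difference is exactly the browser warning from the Initial Setup Verification section, which disappears once CorpRoot.crt is in the client's trust store. Feeding chain_order_ok a file with CorpInt1 before CorpInt2 makes it return non-zero, the mistake the manual concatenation note warns about.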
Figure 30: XCA - Exporting certificate chain file
Note: If you exported each certificate file in PEM format separately, the certificate chain file can be created manually using a text editor. To concatenate the certificate files for the chain, use the following order and include the beginning and end tags of each certificate. The resulting file should look like the following:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: CorpInt2.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: CorpInt1.crt)
-----END CERTIFICATE-----

Importing Certificates
On the Client Machine
This section provides steps on how to import the CorpRoot certificate into web browsers (Mozilla Firefox and Google Chrome) on a client machine.

Mozilla Firefox
1. Download the CorpRoot certificate (CorpRoot.crt file) from XCA onto the client machine.
2. Open a new Firefox window and navigate to Open Menu (or Tools on the top menu bar) > Options > Advanced.
3. On the Certificates tab, click on View Certificates.
Figure 31: Firefox - View Certificates
4. In the Certificate Manager pop-up window, a list of Certificate Authorities (CAs) can be seen under the Authorities tab.
5. Click on the Import button, select the downloaded CorpRoot certificate (CorpRoot.crt) file, and then click Open. You will be asked to trust the new CA. Select the purpose of this CA and click OK.
Figure 32: Firefox - Importing CorpRoot CA
6. Once imported, select the CA certificate (CorpRoot) and click on the View button to see the details of the certificate.
Figure 33: Firefox - Certificate viewer

Google Chrome
1. Download the CorpRoot certificate (CorpRoot.crt file) from XCA onto the client machine.
2. Open a new Chrome window and navigate to Menu (Customize and Control button) > Settings.
You can also access it by entering chrome://settings/ in the address bar. 3. In the Settings page, scroll down and click Show Advanced settings link at the bottom. 4. Go to HTTPS/SSL section and click on the Manage certificates. 23 Deployment Guide | SSL Insight Proof of Concept Figure 34: Chrome – Advanced Setting 5. In the pop up window of Certificates, go to the Trusted Root Certification Authorities tab and click on the Import button. 6. Follow the instructions to Import the CorpRoot CA certificate (CorpRoot.crt). Make sure to place the CA certificate on to Trusted Root Certification Authority during the import process. Figure 35: Chrome- Importing CorpRoot CA 7. When you click Finish at the last step, a Security Warning window will be shown. Click Yes to complete the import process. 24 Deployment Guide | SSL Insight Proof of Concept Figure 36: Chrome - Security Warning 8. Once imported, select the CA certificate (CorpRoot) and click on the View button to see the details of the certificate. Figure 37: Certificate viewer A10 Thunder SSLi Device As described earlier, there are two certificate files that need to be imported onto the Thunder SSLi device. One is the CorpInt2 intermediate CA certificate, along with the private key in PKCS#12 format (file name: CorpInt2.p12), and the other is the certificate chain file in PEM chain format (file name: CorpInt2.pem). Make sure to download both files onto the computer that has access to the Thunder SSLi device GUI for configuration and management purposes. 1. Access the AppCentric Templates of the Thunder SSLi device (https://<IP address>/templates/), then login through the Management menu. 2. Go to the Configuration menu, click on the Import link of the SSL Insight Certificate section. 25 Deployment Guide | SSL Insight Proof of Concept Figure 38: Thunder SSLi AppCentric Templates - Configuration 3. The Import SSL popup window will appear, which will allow you to import the CorpInt2 certificate as CorpCA. 
• File Name: CorpCA
• Certification Format: PFX
• Certificate: select the CorpInt2 CA certificate file (CorpInt2.p12)
• Password: the password you used when you exported the CorpInt2 certificate in PKCS#12 format
• Click IMPORT

Figure 39: SSLi AppCentric Templates - Importing CorpCA certificate

4. Once imported, the CorpCA certificate can be selected from the drop-down menu.
5. To import the certificate chain, click the Import link in the Chain of Intermediate Certificates section and import the CorpInt2.pem file as CorpChain.
• File Name: CorpChain
• Certification Format: PEM
• Certificate: select the certificate chain file (CorpInt2.pem)
• Click IMPORT

Figure 40: SSLi AppCentric Templates - Importing CorpChain certificate

6. Once both certificate files are imported, select them from the respective drop-down menus:
• SSL Insight Certificate: CorpCA
• Chain of Intermediate Certificates: CorpChain

Figure 41: SSLi AppCentric Templates - Applying imported certificates

7. Click SAVE and then APPLY.

Verification with New Certificates

Once all three certificate files are in place (CorpRoot.crt in the client trust store, and CorpInt2.p12 and CorpInt2.pem on the Thunder SSLi device), clients should be able to open any HTTPS website without a certificate warning.

1. On the client machine, open a web browser (e.g., Mozilla Firefox) and access any website over HTTPS (e.g., https://finance.yahoo.com).
2. Confirm that the page opens without any certificate-related security warning.
3. Check the details of the certificate and confirm that the server certificate for this website has been re-issued (forged) by the Thunder SSLi device:
• No change to the Common Name (CN) of the server certificate (Issued To)
• The Issuer (Issued By) is now CorpInt2
• A complete chain of trust (CorpInt2 > CorpInt1 > CorpRoot) is shown in the Certificate Hierarchy tab

Figure 42: Certificate verification

Bypass Configuration

Basic bypass configuration is covered in the Thunder SSLi Configuration section using the AppCentric Templates for initial setup. This section provides more sample configurations and verifications using the Bypass Domain List and the Bypass Category List. Bypass decisions are made before decryption, so the device can only match on the destination host name it sees at that point, not on the URL path, and a bypassed session passes through with the origin server's own certificate, unmodified and uninspected.

Bypass Domain List

The bypass list for domains can be configured in the Configuration tab (if not done in the initial setup wizard).

1. Click the check box of the Bypass Domain List, or click the pencil icon if it is already configured.
2. In the Add to Bypass List pop-up window, go to the Direct Input tab.
3. Enter the word "bank" under the Contains section, click ADD, and then SAVE.

Figure 43: Add to Bypass List

4. Click SAVE to apply the changes in the Configuration tab.

Figure 44: Updated bypass domain list

Verification

Based on the configuration shown in the previous section, traffic to any website whose host name contains the word "bank" will be bypassed and not decrypted by Thunder SSLi. A Contains rule is a plain substring match: "bank" matches www.bankofamerica.com and www.usbank.com, but it would equally match any unrelated host name containing those four letters, so keep Contains entries specific. This section provides the steps needed to verify this behavior.

1. On the client machine, open a web browser (e.g., Mozilla Firefox) and access an HTTPS website whose host name contains the word "bank" (e.g., https://www.bankofamerica.com).
2. Once it opens, check the certificate information and confirm that the certificate was not forged by the Thunder SSLi device:
• No change to the Common Name (CN) of the server certificate (Issued To).
• The Issuer (Issued By) is Symantec in this example, NOT CorpInt2.
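The three certificate checks described so far (the chain-file order from the note under Figure 30, the client-side verification with the new certificates, and the Issued By comparison used above to tell an intercepted site from a bypassed one) can be exercised offline, without a Thunder SSLi or a browser. The Go program below is an added example written for this guide, not code from A10 or from the original document. It assumes a throwaway CorpRoot > CorpInt1 > CorpInt2 hierarchy generated in memory with P-256 keys (the keys created in XCA during the walkthrough may be RSA; the choice does not change the checks), keeps CorpRoot out of the chain file as the note requires, and borrows the one-hour forged-certificate lifetime from the forward-proxy-cert-expiry hours 1 setting in Appendix A.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Pair is a certificate with its private key, as XCA holds each CA in the guide.
type Pair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key (an assumption; XCA may use RSA) and signs tmpl with parent.
// A nil parent produces a self-signed certificate.
func issue(tmpl *x509.Certificate, parent *Pair) *Pair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent = &Pair{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Pair{Cert: cert, Key: key}
}

// Hierarchy is the three-tier CA built in XCA: CorpRoot -> CorpInt1 -> CorpInt2.
type Hierarchy struct{ Root, Int1, Int2 *Pair }

// BuildHierarchy issues the three CAs (basicConstraints CA:TRUE), each signed by the one above it.
func BuildHierarchy() *Hierarchy {
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root := issue(ca("CorpRoot", 1), nil)
	int1 := issue(ca("CorpInt1", 2), root)
	return &Hierarchy{Root: root, Int1: int1, Int2: issue(ca("CorpInt2", 3), int1)}
}

// ChainPEM is CorpInt2.pem in the order the guide's note requires: the issuing certificate
// (CorpInt2) first, then CorpInt1. CorpRoot stays out of the file; it belongs in the client trust store.
func ChainPEM(h *Hierarchy) []byte {
	block := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	return append(block(h.Int2.Cert), block(h.Int1.Cert)...)
}

// ForgeServerCert mimics what Thunder SSLi does for an intercepted site: a certificate for the
// original host name, re-issued under CorpInt2 and valid for one hour ("forward-proxy-cert-expiry hours 1").
func ForgeServerCert(h *Hierarchy, host string) *x509.Certificate {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, h.Int2).Cert
}

// ClientVerify is the browser-side check; trustCorpRoot models whether CorpRoot.crt was imported.
// On success it returns the verified chain (leaf, CorpInt2, CorpInt1, CorpRoot), the Certificate Hierarchy tab.
func ClientVerify(leaf *x509.Certificate, chainPEM []byte, root *x509.Certificate, host string, trustCorpRoot bool) ([]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	if trustCorpRoot {
		roots.AddCert(root)
	}
	inter.AppendCertsFromPEM(chainPEM)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// IssuerCN is the browser's "Issued By" field: CorpInt2 means intercepted, anything else means bypassed.
func IssuerCN(c *x509.Certificate) string { return c.Issuer.CommonName }

func main() {
	h := BuildHierarchy()
	leaf := ForgeServerCert(h, "finance.yahoo.com")
	chain, err := ClientVerify(leaf, ChainPEM(h), h.Root.Cert, "finance.yahoo.com", true)
	fmt.Println("Issued To:", leaf.Subject.CommonName, "Issued By:", IssuerCN(leaf), "chain length:", len(chain), "error:", err)
	_, err = ClientVerify(leaf, ChainPEM(h), h.Root.Cert, "finance.yahoo.com", false)
	fmt.Println("client without CorpRoot:", err)
}
```

Run it with go run. A client that trusts CorpRoot validates the forged certificate through leaf > CorpInt2 > CorpInt1 > CorpRoot, which is the hierarchy the browser's Certificate Hierarchy tab displays; a client without CorpRoot fails with an unknown-authority error, the security warning this guide tells you to look for; and a request for a different host name fails too, which is why the forged certificate must keep the original CN and subject alternative names. For a hand-built chain file, openssl x509 -in CorpInt2.pem -noout -subject prints only the first certificate in the file, so it is a quick way to confirm that CorpInt2 comes first.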
Figure 45: Bypassed website by URL filter

To prove that bypassing only takes place based on the domain list, open another HTTPS website, for example https://www.wellsfargo.com, and confirm that its forged server certificate is issued by CorpInt2. Other HTTPS websites can be opened to verify the behavior of these options, for example https://www.usbank.com (bypassed, since the host name contains "bank"), https://finance.yahoo.com and https://www.google.com (both intercepted).

Bypass Category List

The Bypass Category List requires a subscription to A10's URL Classification Service, and a license key is required to activate the function. If you have the license and have enabled web-category on the Thunder SSLi, follow the steps below.

1. In the Configuration tab, click the check box of the Bypass Category List, or click the pencil icon if it is already configured.
2. The Bypass Category List window pops up; go to the Direct Input tab.
3. Check "financial-services" and "health-and-medicine", then click SAVE.

Figure 46: Bypass Category List

4. Click SAVE to apply the change in the Configuration tab.

Figure 47: Updated Bypass Web Category List

Verification

Based on the configuration shown in the previous section, traffic to any website classified in the selected categories ("financial-services" and "health-and-medicine" in this example) will be bypassed and not decrypted by Thunder SSLi. This section provides the steps needed to verify this behavior.

1. On the client machine, open a web browser (e.g., Mozilla Firefox) and access an HTTPS website. In this example https://www.wellsfargo.com is used, since it is a financial services institution and its host name does not contain the word "bank", which distinguishes this test from the previous one.
2. Once it opens, check the certificate information and confirm that the certificate was not forged by the Thunder SSLi device:
• No change to the Common Name (CN) of the server certificate (Issued To).
• The Issuer (Issued By) is Symantec in this example, NOT CorpInt2.

Figure 48: Bypassed website by the Web category

This confirms that the website was bypassed and that the traffic to and from it will not be decrypted or inspected.

Advanced Settings

Adding a Passive Security Device (Mirrored Port)

A10's SSL Insight offers broad deployment options, including support for various types of security devices. This section describes how to add a passive security device to the existing L2 Thunder SSLi deployment. This configuration change can be done easily using the SSL Insight AppCentric Templates.

1. Navigate to the SSL CONFIGURATION TEMPLATE under the Configuration menu.
2. In the Security Device Mode section under Decryption, click the Mirror Interface option next to the appropriate Outbound Interface (e.g., Ethernet 2) and choose an interface (e.g., Ethernet 7) that is connected to the passive security device.

Figure 49: Adding mirror interface for passive security device

3. Click SAVE and then APPLY.

With this configuration, any traffic intercepted by the SSLi Inside partition is mirrored and forwarded in the clear to the passive security device via Ethernet 7. The mirror port carries decrypted copies of user sessions, so the link and the passive device need the same protection as the decryption zone itself.

Adding a Second Path (Load Balancing)

If you need to deploy multiple security devices for additional security and/or higher scale, additional outbound paths can be added for redundancy and load balancing. This configuration can be done using the Configuration menu or the Wizard menu of the SSL Insight AppCentric Templates. For details of the configuration using the Wizard menu, refer to Appendix B.

1. Navigate to the SSL CONFIGURATION TEMPLATE under the Configuration menu.
2. In the Security Device Mode section under Decryption, click the + icon on the Outbound side; "PATH2" is created.
3. On PATH2 of the Outbound, select the Interface (e.g., Ethernet 5) and assign an IP address (e.g., 30.100.0.37/16).
4. Move to the Re-Encryption section and click the + icon to create "PATH2" in the Incoming section.
5. On PATH2 of the Inbound, select the Interface (e.g., Ethernet 6) and assign an IP address (e.g., 30.100.0.27/16).

Figure 50: Adding second outbound path

6. Click SAVE and APPLY.

Note: The IP addresses for the newly added interfaces (the second path) must be taken from a subnet other than the existing one (30.99.0.0/16). In this example they are assigned from the new subnet 30.100.0.0/16. Even though a different IP subnet is used, this has no effect on, and makes no change to, the IP header of the original packet: the addresses only identify the hop between the two partitions. With multiple paths, the SSLi Outside partition maintains a session table with the corresponding MAC addresses so that return packets follow the same path they took on the way to the remote server (a stateful security device must see both directions of a session).

Summary

The growth in encrypted traffic, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for inline security devices to decrypt SSL traffic. A wide range of security devices require visibility into encrypted traffic to discover attacks, intrusions and malware. This guide focuses on A10 Networks' AppCentric Templates-based SSLi configuration tool. Once you have completed the instructions described in this guide, you will be ready to use your new deployment to decrypt SSL traffic. SSL Insight technology, included as a standard feature of A10 Thunder SSLi, offers organizations a powerful solution for load balancing, high availability and SSL inspection.
With SSL Insight, organizations can:
• Analyze all network data, including encrypted data, eliminating blind spots in their threat protection solution
• Provide advanced SSL inspection features and SSL decryption for third-party security devices
• Detect encrypted malware, insider abuse and attacks transported over SSL/TLS
• Deploy best-of-breed content inspection solutions to fend off cyber attacks
• Maximize the performance, availability and scalability of corporate networks by leveraging A10's 64-bit ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors

For more information about A10 Thunder SSLi products, please visit:
https://www.a10networks.com/products/ssl-insight-securing-encrypted-traffic
https://www.a10networks.com/resources/solutionsheets.php
https://www.a10networks.com/resources/case-studies

Appendix A – Thunder SSLi CLI configuration

### Shared partition ###
!
!
system ve-mac-scheme system-mac
!
partition ssli_in id 1
!
partition ssli_out id 2
!
mirror-port 1 ethernet 7
!
interface management
  ip address 10.100.9.199 255.255.255.0
  ip default-gateway 10.100.9.1
!
interface ethernet 1
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
!
!
end

### Partition ssli_in ###
!
!
access-list 190 remark ssli_in
!
access-list 190 deny ip 192.168.9.200 0.0.0.0 any vlan 850
!
access-list 190 deny ip 192.168.9.201 0.0.0.0 any vlan 850
!
access-list 190 permit ip any any vlan 850
!
class-list bypass_domains ac
  contains .gov
  contains bank
  user-tag ssli_in
!
vlan 850
  untagged ethernet 1 to 2
  router-interface ve 850
  name ssli_in_ingress_egress
  user-tag ssli_in_ingress_egress
!
vlan 852
  untagged ethernet 5
  router-interface ve 852
  name ssli_in_egress_path2
  user-tag ssli_in_egress_path2
!
interface ethernet 1
  name ssli_in_ingress
  enable
!
interface ethernet 2
  name ssli_in_egress
  enable
!
interface ethernet 5
  name ssli_in_egress_path2
  enable
!
interface ve 850
  name ssli_in_ingress_egress
  ip address 30.99.0.37 255.255.0.0
  ip allow-promiscuous-vip
!
interface ve 852
  name ssli_in_egress_path2
  ip address 30.100.0.37 255.255.0.0
  ip allow-promiscuous-vip
!
!
ip route 0.0.0.0 /0 30.99.0.27
!
slb server fw1 30.99.0.27
  user-tag ssli_in
  port 0 tcp
    health-check-disable
    user-tag ssli_in_1_tcp_port
  port 0 udp
    health-check-disable
    user-tag ssli_in_1_udp_port
  port 8443 tcp
    health-check-disable
    user-tag ssli_signaling
!
slb server fw2 30.100.0.27
  user-tag ssli_in
  port 0 tcp
    health-check-disable
    user-tag ssli_in_2_tcp_port
  port 0 udp
    health-check-disable
    user-tag ssli_in_2_udp_port
  port 8443 tcp
    health-check-disable
    user-tag ssli_signaling
!
slb service-group SG_SSLi_TCP tcp
  user-tag ssli_in
  member fw1 0
  member fw2 0
!
slb service-group SG_SSLi_UDP udp
  user-tag ssli_in
  member fw1 0
  member fw2 0
!
slb service-group SG_SSLi_Xlated tcp
  user-tag ssli_in
  member fw1 8443
  member fw2 8443
!
slb template client-ssl cl_ssl
  template cipher cl_cipher_template
  chain-cert CorpChain
  forward-proxy-ca-cert CorpCA
  forward-proxy-ca-key CorpCA
  forward-proxy-ocsp-disable
  forward-proxy-cert-expiry hours 1
  forward-proxy-enable
  forward-proxy-bypass class-list bypass_domains
  forward-proxy-bypass client-auth class-list bypass-clientauth
  forward-proxy-bypass web-category financial-services
  forward-proxy-bypass web-category gambling
  forward-proxy-bypass web-category government
  user-tag ssli_in
!
slb template http ClientIPInsert
  user-tag ssli_in
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
  user-tag ssli_in
  port 0 tcp
    service-group SG_SSLi_TCP
    no-dest-nat
  port 0 udp
    service-group SG_SSLi_UDP
    no-dest-nat
  port 0 others
    service-group SG_SSLi_UDP
    no-dest-nat
  port 443 https
    service-group SG_SSLi_Xlated
    template http ClientIPInsert
    template client-ssl cl_ssl
    no-dest-nat port-translation
!
end

### Partition ssli_out ###
!
!
access-list 191 remark ssli_out
!
access-list 191 permit ip any any vlan 860
!
access-list 191 permit ip any any vlan 862
!
vlan 860
  untagged ethernet 3 to 4
  router-interface ve 860
  name ssli_out_ingress_egress
  user-tag ssli_out_ingress_egress
!
vlan 862
  untagged ethernet 6
  router-interface ve 862
  name ssli_out_ingress_path2
  user-tag ssli_out_ingress_path2
!
interface ethernet 3
  name ssli_out_ingress
  enable
!
interface ethernet 4
  name ssli_out_egress
  enable
!
interface ethernet 6
  name ssli_out_ingress_path2
  enable
!
interface ve 860
  name ssli_out_ingress_egress
  ip address 30.99.0.27 255.255.0.0
  ip allow-promiscuous-vip
!
interface ve 862
  name ssli_out_ingress_path2
  ip address 30.100.0.27 255.255.0.0
  ip allow-promiscuous-vip
!
!
ip route 0.0.0.0 /0 30.99.1.10
!
slb template cipher sr_cipher_template
  SSL3_RSA_DES_192_CBC3_SHA
  SSL3_RSA_DES_40_CBC_SHA
  SSL3_RSA_DES_64_CBC_SHA
  SSL3_RSA_RC4_128_MD5
  SSL3_RSA_RC4_128_SHA
  SSL3_RSA_RC4_40_MD5
  TLS1_RSA_AES_128_SHA
  TLS1_RSA_AES_256_SHA
  TLS1_RSA_EXPORT1024_RC4_56_MD5
  TLS1_RSA_EXPORT1024_RC4_56_SHA
  TLS1_RSA_AES_128_SHA256
  TLS1_RSA_AES_256_SHA256
  TLS1_DHE_RSA_AES_128_GCM_SHA256
  TLS1_DHE_RSA_AES_128_SHA
  TLS1_DHE_RSA_AES_128_SHA256
  TLS1_DHE_RSA_AES_256_GCM_SHA384
  TLS1_DHE_RSA_AES_256_SHA
  TLS1_DHE_RSA_AES_256_SHA256
  user-tag ssli_out
!
slb template server-ssl sr_ssl
  forward-proxy-enable
  template cipher sr_cipher_template
  user-tag ssli_out
!
slb server GW 30.99.1.10
  user-tag ssli_out
  port 0 tcp
    health-check-disable
    user-tag ssli_out_1_tcp_port
  port 0 udp
    health-check-disable
    user-tag ssli_out_1_udp_port
  port 443 tcp
    health-check-disable
!
slb service-group GW_SSL_443 tcp
  user-tag ssli_out
  member GW 443
!
slb service-group GW_TCP_0 tcp
  user-tag ssli_out
  member GW 0
!
slb service-group GW_UDP_0 udp
  user-tag ssli_out
  member GW 0
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 191
  user-tag ssli_out
  port 0 tcp
    service-group GW_TCP_0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 udp
    service-group GW_UDP_0
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 others
    service-group GW_UDP_0
    use-rcv-hop-for-resp
    no-dest-nat
  port 8443 http
    service-group GW_SSL_443
    use-rcv-hop-for-resp
    template server-ssl sr_ssl
    no-dest-nat port-translation
!
end

Note: The configuration added in the Advanced Settings section consists of the mirror-port line (ethernet 7) and the second-path objects: vlan 852, ve 852, ethernet 5 and server fw2 (with its fw2 members in the three service groups) in partition ssli_in, and vlan 862, ve 862, ethernet 6 and the access-list 191 entry for vlan 862 in partition ssli_out.

Note: This appendix captures a slightly different lab configuration from the walkthrough: class-list bypass_domains also contains .gov, and the bypassed web categories are financial-services, gambling and government rather than financial-services and health-and-medicine.

Note: sr_cipher_template governs the leg from the Thunder SSLi to the origin server, and as listed it enables 40-bit and 56-bit export suites, single DES, RC4 and MD5-based suites alongside the AES-GCM and SHA-256 ones. The client never sees this leg, so the device may negotiate a weaker connection than the user's own browser would accept; outside a proof of concept, keep only the TLS1_DHE_RSA_AES_128_GCM_SHA256, TLS1_DHE_RSA_AES_256_GCM_SHA384 and SHA256 suites. Likewise, forward-proxy-ocsp-disable in cl_ssl turns off revocation checking of origin certificates, a check the client can no longer perform for itself because it only ever sees the certificate forged by CorpInt2.

Appendix B – Adding Second Path Using Wizard Menu

This section describes how to configure the L2 SSL Insight deployment with multiple paths/security devices using the Wizard menu of the A10 AppCentric Templates.

1. In the Wizard menu, go to the TOPOLOGY tab.
2. Click CUSTOM and choose the "L2, MULTIPLE PATH" option, then click NEXT.

Figure 51: Topology - L2, MULTIPLE PATH

3. In the DECRYPTION tab, you will see additional columns for the second path on top of the basic configuration shown in the Thunder SSLi Configuration section. Enter the following along with the basic configuration, and click NEXT:
• Interface (Path 2): ETHERNET 5
• IP Address & Mask (Path 2): 30.100.0.37/16

Note: The IP addresses for the newly added interfaces (the second path) must be taken from a subnet other than the existing one (30.99.0.0/16). In this example, they are assigned from the new subnet 30.100.0.0/16.
Even though a different IP subnet is used, this has no effect on, and makes no change to, the IP header of the original packet.

4. In the RE-ENCRYPTION tab, you will see additional columns for the second path on top of the basic configuration done in the Thunder SSLi Configuration section. Enter the following along with the basic configuration, and click NEXT:
• Interface (Path 2): ETHERNET 6
• IP Address & Mask (Path 2): 30.100.0.27/16
5. Configure BYPASS CONFIGURATION if needed and click NEXT.
6. Once all the configuration is done, click FINISH and APPLY.

Figure 52: L2 Multipath configuration using Wizard menu

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com

Corporate Headquarters: A10 Networks, Inc, 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668, Fax: +1 408 325-8666, www.a10networks.com

Worldwide Offices: North America, Europe, South America, Japan, China, Hong Kong, Taiwan, Korea, South Asia, Australia/New Zealand.

Part Number: A10-DG-16160-EN-01, Sept 2016

©2016 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks. To learn more about A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at www.a10networks.com/contact or call to talk to an A10 sales representative.