clientside encryption
2 Topics

SSL forward proxy integration with FireEye to inspect HTTPS
We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution. We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality as follows. We used the iApp f5.airgap_egress.v1.0.0rc4 and modified some details; for example, we created a separate virtual server for 443 for testing purposes.

Considerations

Some applications, like Skype, do not work when SSL interception is enabled. A full list of host names and destination IPs of traffic that cannot be decrypted and has to be excluded is needed.
SSL forward proxy only works if the client's default gateway is the self IP of the F5. If an external gateway is used, all traffic is not being intercepted or matched by the virtual servers.
SNAT has to be enabled, otherwise connections are not being established. The downside is that FireEye is unable to see the original source IP address. Perhaps the HTTP header X-Forwarded-For will solve this.

SSL forward proxy with route domains

Lab setup

After setting up the basic SSL forward proxy we continued by creating two route domains. We created two routes, one from route domain 0 to route domain 1 and one from route domain 1 to the external router. For your information, we used only 1 BIG-IP device.

Considerations

All traffic works fine (UDP, HTTP), but HTTPS always results in an SSL error message, because there are two SSL client sessions. To be able to decrypt the traffic and forward it unencrypted from route domain 0 to route domain 1, we have to disable SSL on the server side on the wildcard 443 virtual server in route domain 0, and we have to disable client-side SSL on the SSL wildcard virtual server located in route domain 1 so it will accept connections unencrypted. The following iRule is being used to simply disable SSL traffic on the server side communicating towards route domain 1. On the SSL wildcard virtual server in route domain 1 we disable the client SSL profile and enable server SSL to re-encrypt the connection.

Now when we try to open an SSL website like gmail.com we receive the following error. It happens with every SSL website w In Wireshark we observe that the handshake to the Gmail website is failing, but the client proxy SSL connection is successfully set up with TLS 1.2. The TLS session towards Google is TLSv1, so perhaps that's the problem here. Does anyone have some recommendations why this is happening?

453 Views, 0 likes, 2 Comments

“Phishing you say, well that’s not my problem.”
Yes, I heard this at a meeting with the CISO of a well-known establishment just the other day. This was a commonly held belief just a few years ago, held by many who are now eating crow. When do you recognize that phishing is ‘your’ problem, and one that could be costly to ignore?

Efforts to help customers and employees learn how to self-protect and not become victims of deception are important, but not nearly enough. Google did some research that showed 45% of folks are still fooled by the best phishing scams – having their accounts hacked within 30 minutes. According to the report, even the least successful of phishing scams, with success rates of around 3%, can be very dangerous when targeting millions with phishing emails.

Protecting your brand from the results of phishing threats (i.e., costly data breaches, wide-spread system infiltration, and unauthorized transactions) bears a greater responsibility. It requires an ongoing effort to identify and overtake attackers, and to shut down malicious services before you suffer what could be crippling losses. It is certain that phishing attacks have played a key role in contributing to the vast number of credentials (over 300 million), banking information and personal (or corporate) identities for sale on the underground internet.

Although keylogging, form grabbing and other spyware are commonly used tactics, there is increased use of fake phishing websites designed to look like legitimate login pages. These fraudulent websites successfully lure unsuspecting users into volunteering information. Supplemented by email or social media lures, phishing tactics have become a weapon of choice for many attackers. They are also used to deploy malware packages, not only to gather valuable information but to ensure the success of larger exploits by controlling devices, evading detection, gaining access to protected, high-valued information and assets, and executing a transaction or full attack on a specific application.

Verizon estimates that two-thirds of cyber espionage has a phishing component. Given what was reported about the Sony attacks, a phishing attack may have been instrumental in one of the most prominent data breaches of all time – resulting in a loss estimated to have reached 15 million dollars.

The point, however, is that guarding against phishing threats (and client-side credential theft) should be an area of focus for companies, institutions and agencies alike. Attackers are monetizing credentials, seeking high-valued information, and seizing the assets of businesses of all sizes and types. Don’t hold off protecting your users against threats that target them in order to breach your systems or execute fraudulent transactions. Here are 4 best practices that can protect your customers, employees, and brand.

Protect your customers, employees and your brand

1. Obfuscate form fields: Slow the progress of attackers by obscuring form fields on internet-facing login pages and other forms where users input confidential information -- making such fields ambiguous or unknown to attackers.
2. Encrypt information at rest in the browser: Protect information while users type within form fields, even before information is submitted and then transmitted via SSL.
3. Protect against client-side malware: Identify at-risk devices that have been unlocked, are considered vulnerable, or contain malware.
4. Identify phishing sites before emails go out: Be informed when your website has been copied or uploaded to spoofed host servers, and when your customers have fallen victim to related phishing lures.

Give serious thought to this, and don’t wait until the price tag to resolve such matters reaches $15,000,000.00. Consider taking the above actions to improve your overall security posture and to protect against phishing threats and credential theft. You cannot expect employees or customers to always make the right choice when exploring the web.

Additionally, your security strategy and its effectiveness should not be dependent upon your users, nor require their involvement. Put measures in place to provide a degree of confidence that the information behind the internet-facing apps your customers and employees use is protected against attackers that may target them to gain access.

Visit https://f5.com/products/modules/websafe for more information about F5 solutions that extend application security to the client.

300 Views, 0 likes, 0 Comments