Post on 31-Dec-2015
Firewalls and encryption
How deep does the rabbit hole go?
Introduction
Márton Illés
BalaBit
Product Manager
marton.illes@balabit.com
Agenda...
• Bridge of Death, or „you have to know these things when you're a king”
– You have to know these things when you're an Ethical Hacker!
• A modern net-tale about Alice, Bob, Mallory and Trent, where it turns out that Mallory might not be such a bad boy and Trent is not as trustworthy as we thought before...
A word on firewalls
• A firewall is a network-aware access control device, which enforces rules
• Different firewall technologies
– Packet Filter
– Proxy
– Intrusion Prevention System
Our problem
• We want to encrypt our communications
• We want to control all communications on the firewall
• If the communication is encrypted the firewall cannot look inside → it cannot control it!
• Which shall we throw away?
– The firewall or the encryption?
How deep does the rabbit hole go?
• Man-in-the-middle „attack”
– We stand between client and server
– Independent client-side and server-side encryption
• In the middle we do what we want! ;)
• Is Mallory now the good guy?!
Does the rabbit hole go very deep?
• In the case of SSL there is no Perfect Forward Secrecy
– Having the private key, the encrypted traffic can be checked transparently
• Now Mallory is the good guy!
Firewall vs. server vs. encryption
• Against what does a firewall in front of the server protect? - „Az ellen nem véd!” („It doesn't protect against that!”, bad Hungarian humour)
• Besides IP/port filtering, what can we do at the application layer?
• We got the private key!
SSL client authentication
• It is possible to check and authenticate the certificate of the client
– Mutual X.509 authentication
• Are we positive that the certificate matches the user?
Virus, p0rn and the trojans
• Many „applications” use port 443/tcp
• This is an unfiltered, full-speed covert channel
– Trojans, backdoors, Skype
• Why are p0rn sites not available over https?
– It is kind of confidential information... :)
• Mallory is here to save us!
Is the man visible in the middle?
• Could the client recognize that the server certificate has changed?
– No, Joe User does not care about such unimportant details.
– Yes, but the certificate is issued by our Trusted Certificate Authority
• We generate a new certificate based on the server's and sign it using our (trusted) authority.
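A client-side check for the scenario above, added here as an example and not code from the talk or from BalaBit: it pins the server key on first contact and reports a later change of key or issuer, which is exactly what a re-signed certificate produces at the client. Host names, issuer names and the SPKI bytes are constructed for the example.

```python
"""Trust-on-first-use (TOFU) check for the server key a client sees.

An intercepting firewall re-signs the server certificate with its own CA, so
the key (SPKI) and the issuer presented to the client change between
connections. Pin the SPKI on first sight and report any later change.
The certificate material below is constructed for this example; in a real
client the DER SubjectPublicKeyInfo would be extracted from the certificate
returned by ssl.SSLSocket.getpeercert(binary_form=True) with an X.509 library.
"""
import hashlib
from typing import Dict, List, Tuple


def spki_fingerprint(spki_der: bytes) -> str:
    """HPKP-style pin: SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


class PinStore:
    """Remembers (issuer, SPKI pin) per host and classifies later observations."""

    def __init__(self) -> None:
        self.pins: Dict[str, Tuple[str, str]] = {}

    def observe(self, host: str, issuer: str, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        if host not in self.pins:
            self.pins[host] = (issuer, fp)
            return "pinned"            # first contact, nothing to compare with
        known_issuer, known_fp = self.pins[host]
        if fp == known_fp:
            return "ok"                # same key as before
        if issuer != known_issuer:
            return "changed-issuer"    # re-signed by a different CA: interception-like
        return "changed-key"           # same CA, new key: most likely a renewal


def run_demo() -> List[str]:
    """Replays constructed observations for one host and returns the verdicts."""
    store = PinStore()
    real_spki = b"CONSTRUCTED-SPKI-bank-example-rsa-2048"      # constructed, not real DER
    proxy_spki = b"CONSTRUCTED-SPKI-corporate-proxy-ca-key"    # constructed, not real DER
    renewed_spki = b"CONSTRUCTED-SPKI-bank-example-renewed"    # constructed, not real DER
    observations = [
        ("bank.example", "CN=Public CA", real_spki),
        ("bank.example", "CN=Public CA", real_spki),
        ("bank.example", "CN=Corp Firewall CA", proxy_spki),  # re-signed by the firewall
        ("bank.example", "CN=Public CA", renewed_spki),       # legitimate key renewal
    ]
    return [store.observe(h, i, k) for h, i, k in observations]


if __name__ == "__main__":
    print(run_demo())
```

The pin is deliberately never updated automatically; a "changed-key" verdict still needs an out-of-band decision before the new key is trusted.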
One minute on PKI...
• It should rather be pkI
• How much can you trust CAs?
– Who checks and oversees them?
– What are the criteria for a CA to be included in a browser's predefined trusted CA set?
Life beyond SSL
• There is life beyond SSL
– SSH, IPSec, GPG/PGP etc.
• In the case of GPG/PGP there is a solution called „key escrow”
Lessons learned
• Goal: control encrypted communications
• Control and inspect all the details of the encrypted communication on the firewall
– Rabbit holes are deep...
• MITM could be used for nice purposes!
– Mallory is our friend, he is our best friend!
Thanks for listening!