DEPLOYMENT GUIDE SSL Insight Deployment for Thunder ADC


Deployment Guide | SSL Insight Deployment for Thunder ADC

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Table of Contents

1 Overview ... 4
2 Deployment Prerequisites ... 4
3 Architecture Overview ... 4
  3.1 SSL Insight with an Inline Security Deployment ... 5
4 New SSL Insight Features ... 6
  4.1 Features ... 6
  4.2 CA Certificate ... 6
5 Configuration Overview ... 7
  5.1 Thunder ADC Appliance Configuration Overview ... 7
6 Configuration Steps for Thunder ADC Appliances ... 8
  6.1 Network Configuration on the Thunder ADC Appliances ... 9
  6.2 Configure VLANs and add Ethernet and Router Interfaces ... 9
  6.3 Configure IP Addresses on the VLAN Router Interfaces ... 10
  6.4 SSL Insight Configuration on the Thunder ADC Appliances ... 10
7 Configuration Steps for Security Device ... 18
8 Summary ... 19
Appendix ... 20
  Appendix A. Complete Configuration File for the Thunder ADC Appliance ... 20
  Appendix B. Webroot BrightCloud URL Classification ... 21
  Appendix C. Dynamic Port Intercept ... 23
    Configuration Samples for Dynamic Port Intercept ... 23
  Appendix D. Single Appliance SSL Insight Solution ... 24
  Appendix E. ICAP Support in Client Authentication Architecture ... 25
    ICAP Workflow ... 25
    Configuration Requirements ... 26
  Appendix F. Bypass Client Certificate Authentication ... 26
    Configuration for Bypassing SSL Insight for Client Authentication Traffic ... 27
    Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic ... 27
  Appendix G. Explicit Proxy ... 29
    Explicit Proxy Configuration ... 29
  Appendix H. Detailed Walkthrough of SSL Insight Packet Flow ... 31
  Appendix I. SSL Insight Certificate Installation Guide ... 32
    Generating a CA Certificate ... 32
    Installing a Certificate in Microsoft Windows 7 for Internet Explorer ... 33
    Installing a Certificate in Google Chrome ... 39
    Installing a Certificate in Mozilla Firefox ... 42


  Appendix J. SSL Insight 4.0.3 Features ... 44
    OCSP Certificate Validation ... 44
    OCSP Certificate Validation Process ... 45
    SSL Debug Alert Messages ... 47
    Forward Proxy Failsafe ... 48
      Command to disable Forward Proxy Failsafe ... 48
    Forward Proxy Inspect ... 48
    Internal Thunder ADC Ends-with Class-list Sample ... 49
    Internal Thunder ADC Key-string Length Class-list Sample ... 49
  Appendix K. Reference Topologies ... 50
    SSL Insight – Inline Single Appliance Deployment ... 50
    SSL Insight – Inline and Passive Mode Security Devices ... 50
    SSL Insight – Network and Passive Mode Security Devices ... 50
    SSL Insight – Inline Mode with Explicit Proxy ... 51
    SSL Insight – ICAP Topology with Explicit Proxy ... 51
    SSL Insight in Passive Inline with Explicit Proxy ... 52
    Inline Mode with Bypass Switch/AFO ... 52
    HA Inline Mode with Bypass Switch/AFO ... 52
About A10 Networks ... 53


1 Overview

Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and forensics, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to discover attacks, intrusions, and data exfiltration hidden in encrypted communications. Many types of security devices are deployed non-inline to monitor network traffic. These devices cannot decrypt outbound SSL traffic.

Growing SSL bandwidth, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for even the most powerful inline security devices to decrypt SSL traffic. To solve this challenge, the SSL Insight™ feature of the A10 Networks® Thunder® ADC line of application delivery controllers eliminates the blind spot imposed by SSL encryption, offloading CPU-intensive SSL decryption so that security devices can inspect encrypted traffic and not just clear text. The Thunder ADC SSL Insight feature acts as an SSL forward proxy: it intercepts SSL-encrypted traffic, decrypts it, and forwards it through a firewall or Intrusion Prevention System (IPS). It can also mirror the unencrypted traffic to non-inline security devices such as analytics or forensics products. A second Thunder ADC appliance then re-encrypts the traffic and sends it to the remote destination.

Using A10’s Application Delivery Partitions (ADPs), it is possible to use a single Thunder ADC appliance for encryption, decryption, and load balancing.

2 Deployment Prerequisites

Here are the requirements for an SSL Insight deployment:

• Thunder ADC appliances with A10 Networks Advanced Core Operating System (ACOS®) version 4.0.3 SP9 or later

• Third-party security device such as a firewall, security analytics or forensics appliance or threat prevention platform

• Deployed in inline (Layer 2), routed (Layer 3) or ICAP mode (DLP or AV ICAP-enabled solutions only)

Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 4.0.1 SP9. Some features in this release may require CLI configuration only. If the guide does not provide GUI steps for a feature, that feature is available only through CLI configuration.

3 Architecture Overview

This section illustrates a joint solution using Thunder ADC appliances and a third-party security device for SSL Insight capability. The SSL Insight services are provided by the Thunder ADC appliances, while traffic inspection and monitoring services are provided by the third-party security devices. This is a simple, inline SSL Intercept solution, using two Thunder ADC appliances for SSL decryption and re-encryption.

For additional SSL Insight deployment options, please refer to Appendix J.

Note: The security devices in this deployment guide are set up in Layer 2 (L2) mode.

[Figure 1 diagram: Client, Internal (Thunder ADC), Security Appliance, External (Thunder ADC), Internet]

Figure 1. SSL Insight and Firewall Load Balancing topology example


[Figure 2 diagram: one appliance with ADP 1 “Internal” (Client → Firewall) and ADP 2 “External” (Firewall → Router); Client, Security Appliance and Internet]

Figure 2. SSL Insight and Firewall Load Balancing topology in one-box solution

3.1 SSL Insight with an Inline Security Deployment

The main function of SSL Insight is to transparently intercept SSL traffic, decrypt it and send it through the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re-encapsulated in SSL and sent to the destination. A ladder diagram is provided in Appendix B to show this process in greater detail.

There are three distinct stages for traffic in such a solution, depicted in Figure 2:

1. Encrypted: From client to the internal Thunder ADC appliance, where traffic is encrypted.

2. Decrypted: From the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security device. Traffic is in clear text in this segment.

3. Encrypted: Traffic from the external Thunder ADC appliance to the remote server, where traffic is encrypted again.

Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide1 for additional details on the SSL Insight feature.

[Figure 3 diagram: Client → (1) Encrypted → Internal Thunder ADC → (2) Decrypted, through Inspection and Protection (DLP, UTM, IDS, Others) → External Thunder ADC → (3) Encrypted → Internet → Application Server]

Figure 3. SSL Insight overview

1 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


4 New SSL Insight Features

With growing demand for SSL Insight features, A10 has proactively delivered a new set of SSL Insight features in the ACOS 4.x releases. Each upgrade release within 4.x has its own features, and the administrator must choose the build based on the needs of the solution. Upgrading to the 4.0.3 build covers all the features of 4.0.1.

4.1 Features

4.1.1 Enhancements for ACOS 4.0.3

• OCSP Support for Server Certificate Validation – this feature is an enhanced version of the server certificate validation introduced in 4.0.3. It is used to validate a server certificate before establishing an SSL session with a remote server, and supports both OCSP and OCSP stapling.

• Debug Messages for SSL Failures – this feature enables TLS alerts to be logged when an SSL session fails, and can be deployed on a client or server SSL template.

• Forward Proxy Failsafe – this feature is a bypass option when an SSL forward proxy fails. Enabling this feature will bypass SSL Insight traffic when SSL handshake fails.

• Forward Proxy Inspect – this feature matches traffic against an Aho-Corasick class-list and performs SSL Insight only when a class-list entry matches.

Note: The features described above are shown in detail in Appendix J.

4.1.2 Enhancements for ACOS 4.0.1

With ACOS 4.0.1, A10 introduced significant new features and capabilities that lay the foundation of a rapid services integration platform for enterprise, cloud, and service provider networks. Within the A10 SSL Insight framework, the following features have been added:

• URL Classification Web Category – Classifies all traffic that passes through the A10 device with the capability to bypass specific, sensitive data (for example, healthcare websites due to HIPAA regulations). Refer to Appendix B for more information.

• Single Appliance SSL Insight Feature – Supports internal and external partitions deployed in a single A10 appliance. Refer to Appendix D for more information.

• Hypervisor-based SSL Insight Support – Supports SSL Insight on ESXi, KVM and Hyper-V hypervisors through the A10 Networks vThunder® line of virtual appliances.

• Dynamic Port Intercept – dynamically detects and intercepts the use of SSL, regardless of the protocol running on top of TCP. Refer to Appendix C for more information.

• ICAP Support in Client Authentication Architecture – Enables the A10 device to support the Internet Content Adaptation Protocol (ICAP) on HTTP/HTTPS sessions. ICAP typically serves to provide data loss prevention (DLP) and antivirus services.

• Explicit Proxy Support for SSL Insight – Enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic source (clients) and destination (hosts).

• Bypass Client Authentication Traffic – Enables the A10 device to bypass certain HTTPS traffic that requires client certificate authentication (CAC/PKI). When this type of traffic is subjected to SSL Insight, the CAC transaction fails.

Note: To see configuration details for these features, refer to the A10 Thunder System and Administration Guide2. These features are all available in the 4.0.1 SP9 build.

4.2 CA Certificate

A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self-signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system.

The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance:

2 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


slb ssl-create certificate <certificate name>

The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL package installed:

openssl genrsa -out <name>.key
openssl req -new -x509 -days 3650 -key <name>.key -out <name>.crt

Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using SFTP or SCP.

import ssl-cert <certificate name> scp://[user@]host/<source file>

This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with SSL enabled. This can be done manually (see Appendix C), or using an automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX clients.

Note: Further details for Group Policy Manager can be found at:

http://technet.microsoft.com/en-us/library/cc772491.aspx

5 Configuration Overview

Configuration options for the SSL Insight feature are as follows:

1. Network configuration on the Thunder ADC appliance

2. SSL Insight configuration on the Thunder ADC appliance

3. Configuration on the third-party security device

5.1 Thunder ADC Appliance Configuration Overview

The following sections provide more information about the Thunder ADC configuration items listed in the previous section.

5.1.1 Network Configuration Overview

This solution has one Thunder ADC appliance in the external zone of the security devices and another Thunder ADC appliance in the internal zone of the security devices. This solution assumes that the security devices are configured in L2 transparent mode. Therefore, the Thunder ADC interfaces can be configured in one of the following modes:

• As untagged VLAN interfaces with L3 Virtual Ethernet (VE) configured in the same subnet

• As tagged VLAN interfaces with L3 VEs configured in the same subnet

• As L3 PHY interfaces without requiring any VLANs

This guide follows the first approach where the Thunder ADC appliances are configured with untagged VLAN interfaces.

5.1.2 SSL Insight Configuration Overview

The SSL Insight configuration is slightly different on the external Thunder ADC appliance compared to the internal Thunder ADC appliance. The primary difference is that client-SSL and server-SSL templates are required on the internal and the external Thunder ADC appliance respectively. Only SSL traffic is intercepted.

SSL Insight Configuration on Internal Thunder ADC Appliance

SSL Insight configuration on the internal Thunder ADC appliance has the following key elements:

• SSL traffic entering on port 443 is intercepted.

- Port 443 is defined under a wildcard VIP to achieve this.

• The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated, except for the issuer and base64 encoded public key.


- A Client-SSL template is used for this. The Client-SSL template includes the required command forward-proxy-enable, along with the local CA certificate (from 4.1) and its private key, which is used to sign the dynamically forged certificates.

• The remote VE address of Thunder ADC is added as an SLB server, establishing the security device path. Port 8080 is defined for the security device path.

- The command slb server defines a security device path and port number 8080 is added.

• Along with the protocol (HTTPS to HTTP), the destination port also gets changed from 443 to 8080.

- Service group is defined with port 8080 and bound to the virtual port.

• However, the destination IP (i.e. the Internet server IP) remains unchanged.

- The command no-dest-nat port-translation achieves this.

• The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP on port 8080 through the security device.

SSL Insight Configuration on External Thunder ADC Appliance

SSL Insight configuration on the external Thunder ADC appliance is simpler compared to the internal Thunder ADC appliance configuration. This configuration has the following key elements:

• Clear-text HTTP traffic entering on port 8080 is intercepted.

- Port 8080 is defined under a wildcard VIP to achieve this.

• The next-hop gateway (default router) is defined as an SLB server.

- The command slb server defines the default router IP address and port number 443 is added.

• Along with the protocol (HTTP to HTTPS), the destination port also gets changed from 8080 to 443.

- Service group is defined with port 443 and bound to the virtual port.

• However, the destination IP (i.e. Internet Server IP) remains unchanged.

- The command no-dest-nat port-translation achieves this.

• Incoming HTTP traffic is converted into SSL traffic and sent out on port 443.

- A server-SSL template is defined and applied to the virtual port. The template includes the command forward-proxy-enable. Optionally, a root CA certificate store file also may be applied to the server-SSL template.

5.1.3 Security Device Configuration

Third-party security devices must be configured according to the recommended best practices of the security vendor. The key requirements for enabling SSL Insight in this configuration are:

• ARP packets should be allowed for both internal and external Thunder ADC appliances.

• Health-check packets should be allowed from the internal Thunder ADC appliance to the external Thunder ADC appliance, unless health checks are disabled.

6 Configuration Steps for Thunder ADC Appliances

This section provides detailed steps for configuring SSL Insight on Thunder ADC. Complete configuration details for both internal and external Thunder ADC appliances are shown in Appendix A.


6.1 Network Configuration on the Thunder ADC Appliances

The steps in this section configure the following networking parameters:

• VLANs and their router interfaces

• Virtual Ethernet (VE) interfaces, which are IP addresses assigned to VLAN router interfaces

The goal is to achieve the following IP addressing scheme on both Thunder ADC appliances as shown in Figure 1:

Appliance      VLAN   VE IP Address     Interface
Internal ADC   10     10.10.1.2 /24     eth1
Internal ADC   15     10.15.1.2 /24     eth5
External ADC   20     20.1.1.2 /24      eth1
External ADC   15     10.15.1.12 /24    eth5

6.2 Configure VLANs and add Ethernet and Router Interfaces

Configure the following VLAN parameters on the internal Thunder ADC appliance as shown in Figure 1:

• VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface.

• VLAN-15: This is the path to the external Thunder ADC appliance through the security device. Add router-interface ve 15 along with the Ethernet interface.

Using the CLI:

ACOS(config)#vlan 10
ACOS(config-vlan:10)#untagged ethernet 1
ACOS(config-vlan:10)#router-interface ve 10
ACOS(config-vlan:10)#exit
ACOS(config)#vlan 15
ACOS(config-vlan:15)#untagged ethernet 5
ACOS(config-vlan:15)#router-interface ve 15
ACOS(config-vlan:15)#exit

Using the GUI:

1. Navigate to Network > VLAN.

2. Click Create.

3. Enter the VLAN ID and select the interfaces.

4. Enter a name (optional).

5. Check Create Virtual Interface.

6. Click Create VLAN.

7. Repeat for each VLAN.


6.3 Configure IP Addresses on the VLAN Router Interfaces

Verify that you have enabled the promiscuous VIP option under ve 10, so that inbound traffic is subjected to the wildcard VIP.

Using the CLI:

ACOS(config)#interface ve 10
ACOS(config-if:ve10)#ip address 10.10.1.2 /24
ACOS(config-if:ve10)#ip allow-promiscuous-vip
ACOS(config-if:ve10)#exit
ACOS(config)#interface ve 15
ACOS(config-if:ve15)#ip address 10.15.1.2 /24
ACOS(config-if:ve15)#exit

Using the GUI:

1. Navigate to Network > Interfaces > Virtual Ethernets. The interfaces configured above should be visible.

2. Click edit on ifnum “100” and configure the general fields and IPv4 address.

3. Click update when done.

4. Repeat for each VE.

5. Enter the IP Address and Subnet and click add.

6. Enable “Allow Promiscuous VIP” option.

7. Click update and continue.

Repeat the steps above on the external Thunder ADC appliance pair, and make sure to use unique IP addresses.

6.4 SSL Insight Configuration on the Thunder ADC Appliances

The SSL Insight configuration on the internal Thunder ADC appliance intercepts traffic on TCP port 443, decrypts it, and sends it in clear text over TCP port 8080 to the security device. Correspondingly, the external Thunder ADC appliance intercepts the clear-text traffic arriving on TCP port 8080 and re-encrypts it before sending it to the remote hosts. All other traffic is bypassed using the wildcard TCP and UDP ports configured in the following sections.


6.4.1 Internal Thunder ADC Appliance

Use the following steps to configure the SSL Insight parameters on the internal Thunder ADC appliance.

Configure Server for VLAN-15

These steps configure an slb server with the VE address for VLAN 15 on the external Thunder ADC appliance. TCP port 8080 is added under the slb server for SSL Insight, along with wildcard TCP port 0 and UDP port 0 for all other traffic.

Using the CLI:

ACOS(config)#slb server SecurityDevice1_Path 10.15.1.12
ACOS(config-real server)#port 8080 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 udp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Using the GUI:

1. Navigate to ADC > SLB > Servers.

2. Click Create.

3. Enter the following settings:

• Name: “SecurityDevice1_Path”

• Select IPv4

• IP Address: 10.15.1.12

On the right hand side of the GUI within the Port section click Create.

4. Enter port parameters:

• Port: “8080”

• Protocol: “TCP”

• Health Monitor: Select blank (disabled).

• Click Add.


5. Enter port parameters:

• Port: “0”

• Protocol: “TCP”

• Health Monitor: Select blank (disabled).

• Click Add.

6. Repeat for UDP port 0.

7. Click OK.

Configure a Service Group

The following steps will add the slb server to a service group.

Using the CLI:

ACOS(config)#slb service-group SSLi tcp
ACOS(config-slb svc group)#member SecurityDevice1_Path 8080
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group All_TCP tcp
ACOS(config-slb svc group)#member SecurityDevice1_Path 0
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group All_UDP udp
ACOS(config-slb svc group)#member SecurityDevice1_Path 0
ACOS(config-slb svc group)#exit

Note: The service-group member syntax changed between ACOS releases. In ACOS 2.7.x the server name and port are joined with a colon (member SecurityDevice1_Path:8080); in ACOS 4.0.x, including 4.0.1, the port is a separate argument (member SecurityDevice1_Path 8080), as shown above.

Using the GUI:

1. Navigate to ADC > SLB > Service Groups.

2. Click Create.

3. Enter the following parameters:

• Name: “SSLi”

• Type: “TCP”

4. Click on Create on the Member section.

5. Select the Existing Server option, and select SecurityDevice1_Path from the drop-down list.

6. Enter the Port, “8080”.

7. Click Create.

8. Enter the following parameters:

• Name: “All_TCP”

• Type: “TCP”

9. Click Create on Service Groups section.


10. Select the Existing Server option and select, SecurityDevice1_Path from the drop-down list.

11. Select the Port, “0”.

12. Click Add.

13. Repeat for UDP port 0.

14. Click OK.

Configure the Client-SSL Template

These steps show the configuration of the client-SSL template. The forward-proxy-enable command is what turns SSL Insight on for the template. “Forward proxy” is A10's term for this transparent SSL interception function; it is different from the traditional explicit-proxy function. The CA private key referenced by forward-proxy-ca-key can sign a certificate for any host name that the clients will trust, so protect it as you would any issuing CA key, and install the CA certificate only on the managed clients whose traffic is to be inspected.

Note: These steps assume that the CA certificate and the private key have been uploaded to the Thunder ADC appliance. For instructions on uploading CA certificates and keys, refer to the ACOS Application Delivery and Server Load Balancing Guide3.

Using the CLI:

ACOS(config)#slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)#forward-proxy-ca-cert SSLi-CA
ACOS(config-client ssl)#forward-proxy-ca-key SSLi-CA
ACOS(config-client ssl)#forward-proxy-enable
ACOS(config-client ssl)#exit

Using the GUI:

1. Navigate to Config Mode > SLB > Template > SSL > Client SSL.

2. Click Create and select Client SSL.

3. Enter a Name, “SSLInsight_ClientSide”.

4. Select the CA certificate from the CA Certificate drop-down list.

5. Select the private key from the CA Private Key drop-down list.

6. Select Forward Proxy Enable.

7. Click OK.

3 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


Configure the ACL

These steps show the configuration of an extended ACL that matches incoming traffic on VLAN-10. This ACL is used as part of the wildcard VIP configuration below.

Using the CLI:

ACOS(confi g)#access-list 100 permit ip any any vlan 10

Using the GUI:

1. Navigate to Network > ACL > Extended.

2. Click Create.

3. Enter or select the following settings:

• ID: “100”

• Select “Entry”

• Action: “Permit”

• Service: “Protocol” and “IP”

• Source Address: “Source Address” and select “Any”

• Destination Address: “Destination Address” and select “Any”

• VLAN ID: “10”

4. Click OK.


Configure the Wildcard VIP

These commands bind the service groups to the TCP, UDP and “others” wildcard virtual ports. The no-dest-nat command preserves the destination IP address of load-balanced traffic, so the appliance forwards toward the client's original destination rather than rewriting it to the real server's address. The “others” wildcard virtual port (IP protocols other than TCP and UDP) can take an already defined TCP or UDP service group; this example uses the UDP service group. For SSL Insight, virtual port 443 is used, and no-dest-nat port-translation rewrites the destination port of incoming 443 traffic to port 8080 while preserving the destination IP address.

Using the CLI:

ACOS(config)#slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#service-group SSLi
ACOS(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group All_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group All_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group All_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit

Using the GUI:

1. Navigate to ADC > SLB > Virtual Server.

2. Click Create.

3. Enter or select the following settings:

• Name: “Outbound_Wildcard_VIP”

• Wildcard: Select the checkbox.

• Access List: “100”


4. From the Virtual Port area click Create.

5. Enter or select the following settings:

• Name: Outbound_Wildcard_VP

• Type: “HTTPS”

• Port: “443”

• Service Group: “SSLi”

• Direct Server Return: Select Enabled, and select the Port Translation checkbox.

• Client-SSL Template: “SSLInsight_ClientSide”

6. Enter or select the following settings:

• Type: “TCP”

• Port: “0”

• Service Group: “All_TCP”

• Direct Server Return: Select Enabled.

7. Click OK to exit the Virtual Server Port confi guration page.

8. Click OK to exit the Virtual Server confi guration page.


6.4.2 External Thunder ADC Appliance

Use the following steps to configure SSL Insight parameters in the external Thunder ADC Appliance.

Note: For brevity, only the CLI commands are shown in this section.

Add TCP Port 443 to the Default Gateway

These steps define the default gateway as an slb server, and add TCP port 443 for HTTPS traffic under the default gateway.

ACOS(config)#slb server Default_Gateway 20.1.1.10
ACOS(config-real server)#port 443 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Add TCP Port 0 and UDP Port 0 to the Default Gateway

These steps add TCP port 0 and UDP port 0 for all other traffic under the default gateway configuration.

ACOS(config)#slb server Default_Gateway 20.1.1.10
ACOS(config-real server)#port 0 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 udp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Bind the Server Ports to a Service Group

These steps add the default gateway server ports to a service group.

ACOS(config)#slb service-group DG_SSL tcp
ACOS(config-slb svc group)#member Default_Gateway 443
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group DG_TCP tcp
ACOS(config-slb svc group)#member Default_Gateway 0
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group DG_UDP udp
ACOS(config-slb svc group)#member Default_Gateway 0
ACOS(config-slb svc group)#exit

Configure the Server-SSL Template

These steps configure the server-SSL template.

Using the CLI:

ACOS(config)#slb template server-ssl SSLInsight_ServerSide
ACOS(config-server ssl)#forward-proxy-enable
ACOS(config-server ssl)#exit

Using the GUI:

1. Navigate to SLB > Template > SSL > Server SSL.

2. Click Add.

3. Enter a Name, “SSLInsight_ServerSide”.

4. Click Create and select Server SSL.

5. Select Enabled next to SSL Forward Proxy.

6. Leave the other fields blank.

7. Click OK.


Configure an ACL to Intercept Incoming Traffic on VLAN-15 for a Wildcard VIP

These steps configure an extended ACL that matches traffic on VLAN-15. This ACL is used as part of the following wildcard VIP configuration:

ACOS(config)#access-list 101 permit ip any any vlan 15

Configure the Wildcard VIP

These commands bind the service groups to the TCP, UDP and “others” wildcard virtual ports. The no-dest-nat command preserves the destination IP address. Virtual port 8080 is the SSL Insight port: no-dest-nat port-translation rewrites the destination port of incoming TCP port 8080 traffic back to HTTPS port 443 while preserving the destination IP address, and the server-SSL template re-encrypts the session toward the remote host.

ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#service-group DG_SSL
ACOS(config-slb vserver-vport)#template server-ssl SSLInsight_ServerSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group DG_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit

7 Configuration Steps for Security Device

Security devices must be configured in Layer 2 (transparent) mode. Refer to the configuration steps in your security device's documentation.


8 Summary

Unprecedented growth in encrypted traffic, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for inline security devices to decrypt SSL traffic. A wide range of security devices require visibility into encrypted traffic to discover attacks, intrusions and malware. SSL Insight, included as a standard feature of Thunder ADC, offers organizations a powerful load-balancing, high availability and SSL decryption solution. Using SSL Insight, organizations can:

• Analyze all network data, including encrypted data, eliminating blind spots in their threat protection solution

• Provide advanced SSL inspection features and SSL decryption for third-party security devices

• Detect encrypted malware, insider abuse and attacks transported over SSL/TLS

• Deploy best-of-breed content inspection solutions to fend off cyber attacks

• Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors

For more information about Thunder ADC products:

• https://www.a10networks.com/products/thunder-series/thunder-application_delivery_controller

• https://www.a10networks.com/resources/solution-briefs

• https://www.a10networks.com/resources/case-studies


Appendix

The Appendix provides the complete configuration listings and the configuration options referred to in the main document. Some features shown may not have a GUI configuration; use the CLI-only configuration samples until the next ACOS release becomes available.

Appendix A. Complete Configuration File for the Thunder ADC Appliance

Internal Unit Configuration

hostname Thunder-Internal
!
vlan 10
  untagged ethernet 1
  router-interface ve 10
!
vlan 15
  untagged ethernet 5
  router-interface ve 15
!
access-list 100 permit ip any any vlan 10
!
interface ve 10
  ip address 10.10.1.2 255.255.255.0
  ip allow-promiscuous-vip
!
interface ve 15
  ip address 10.15.1.2 255.255.255.0
!
slb server SecurityDevice1_Path 10.15.1.12
  port 0 tcp
    no health-check
  port 0 udp
    no health-check
  port 8080 tcp
    no health-check
!
slb service-group All_UDP udp
  member SecurityDevice1_Path 0
!
slb service-group All_TCP tcp
  member SecurityDevice1_Path 0
!
slb service-group SSLi tcp
  member SecurityDevice1_Path 8080
!
slb template client-ssl SSLInsight_ClientSide
  forward-proxy-enable
  forward-proxy-ca-cert SSLi-CA
  forward-proxy-ca-key SSLi-CA
!
slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
  port 0 tcp
    service-group All_TCP
    no-dest-nat
  port 0 udp
    service-group All_UDP
    no-dest-nat
  port 0 others
    service-group All_UDP
    no-dest-nat
  port 443 https
    service-group SSLi
    template client-ssl SSLInsight_ClientSide
    no-dest-nat port-translation
!
end

External Unit Configuration

hostname Thunder-External
!
vlan 20
  untagged ethernet 1
  router-interface ve 20
!
vlan 15
  untagged ethernet 5
  router-interface ve 15
!
access-list 101 permit ip any any vlan 15
!
interface ve 20
  ip address 20.1.1.2 255.255.255.0
!
interface ve 15
  ip address 10.15.1.12 255.255.255.0
  ip allow-promiscuous-vip
!
slb template server-ssl SSLInsight_ServerSide
  forward-proxy-enable
!
slb server Default_Gateway 20.1.1.10
  port 0 tcp
    no health-check
  port 0 udp
    no health-check
  port 443 tcp
    no health-check
!
slb service-group DG_TCP tcp
  member Default_Gateway 0
!
slb service-group DG_UDP udp
  member Default_Gateway 0
!
slb service-group DG_SSL tcp
  member Default_Gateway 443
!
slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
  port 0 tcp
    service-group DG_TCP
    no-dest-nat
  port 0 udp
    service-group DG_UDP
    no-dest-nat
  port 0 others
    service-group DG_UDP
    no-dest-nat
  port 8080 http
    service-group DG_SSL
    template server-ssl SSLInsight_ServerSide
    no-dest-nat port-translation
!
end
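Added here as a pre-cutover check, and not code from A10 or from this guide: a Python script that parses the subset of ACOS running-config syntax used in the listings above (slb server, slb service-group, slb virtual-server with its ACL, access-list with a vlan match, interface ve) and flags the mistakes that silently break the 443 -> 8080 -> 443 hop: a service-group or real-server port that is not defined, a translated hop without port-translation, a transparent VIP that has lost no-dest-nat, and an ACL VLAN whose VE is missing ip allow-promiscuous-vip. The two configs embedded in it are trimmed copies of the Internal and External unit configurations; the parser takes the two-space indentation of show running-config as the nesting and accepts both member syntaxes (member s1:8080 from 2.7.x and member s1 8080 from 4.0.x).

```python
"""Consistency checker for an SSL Insight internal/external ACOS config pair (added
example, not A10 code). Parses the subset of running-config syntax this guide uses and
flags what silently breaks the 443 -> 8080 -> 443 hop. Samples trimmed from Appendix A."""
INTERNAL = """\
access-list 100 permit ip any any vlan 10
interface ve 10
  ip allow-promiscuous-vip
slb server SecurityDevice1_Path 10.15.1.12
  port 8080 tcp
slb service-group SSLi tcp
  member SecurityDevice1_Path 8080
slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
  port 443 https
    service-group SSLi
    template client-ssl SSLInsight_ClientSide
    no-dest-nat port-translation
"""
EXTERNAL = """\
access-list 101 permit ip any any vlan 15
interface ve 15
  ip allow-promiscuous-vip
slb server Default_Gateway 20.1.1.10
  port 443 tcp
slb service-group DG_SSL tcp
  member Default_Gateway 443
slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
  port 8080 http
    service-group DG_SSL
    template server-ssl SSLInsight_ServerSide
    no-dest-nat port-translation
"""

def parse_acos(text):
    """Index servers, groups, virtual-servers, ACLs and VEs; nesting is the 2-space indent."""
    cfg = {k: {} for k in ("servers", "groups", "vservers", "acls", "ves")}
    top = sub = None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        level = (len(line) - len(line.lstrip())) // 2
        if level == 0:
            top = sub = None
            if w[:2] == ["slb", "server"]:
                top = cfg["servers"][w[2]] = {"ip": w[3], "ports": set()}
            elif w[:2] == ["slb", "service-group"]:
                top = cfg["groups"][w[2]] = {"proto": w[3], "members": []}
            elif w[:2] == ["slb", "virtual-server"]:
                top = cfg["vservers"][w[2]] = {"acl": w[w.index("acl") + 1] if "acl" in w else None, "vports": {}}
            elif w[:2] == ["interface", "ve"]:
                top = cfg["ves"][w[2]] = {"promisc": False}
            elif w[0] == "access-list":
                cfg["acls"][w[1]] = w[w.index("vlan") + 1] if "vlan" in w else None
        elif top is None:
            continue
        elif level == 1 and w[0] == "port" and "ports" in top:    # real-server port
            top["ports"].add((int(w[1]), w[2]))
        elif level == 1 and w[0] == "port":                        # virtual port
            sub = top["vports"][(int(w[1]), w[2])] = {"group": None, "nat": None}
        elif level == 1 and w[0] == "member":   # `member s1 8080` (4.x) or `member s1:8080` (2.7)
            name, port = " ".join(w[1:]).replace(":", " ").split()
            top["members"].append((name, int(port)))
        elif level == 1 and w[:2] == ["ip", "allow-promiscuous-vip"]:
            top["promisc"] = True
        elif level == 2 and sub is not None and w[0] == "service-group":
            sub["group"] = w[1]
        elif level == 2 and sub is not None and w[0] == "no-dest-nat":
            sub["nat"] = "translate" if "port-translation" in w else "keep"
    return cfg

def check_unit(cfg):
    """Findings for one appliance; an empty list means the unit is self-consistent."""
    out = []
    for vs_name, vs in cfg["vservers"].items():
        vlan = cfg["acls"].get(vs["acl"])
        if not cfg["ves"].get(vlan, {}).get("promisc"):
            out.append(f"{vs_name}: acl {vs['acl']} (vlan {vlan}) has no ve with ip allow-promiscuous-vip")
        for (vport, _kind), vp in vs["vports"].items():
            grp = cfg["groups"].get(vp["group"])
            if grp is None:
                out.append(f"{vs_name}:{vport}: service-group {vp['group']} undefined")
                continue
            if vp["nat"] is None:
                out.append(f"{vs_name}:{vport}: transparent VIP needs no-dest-nat")
            for srv, sport in grp["members"]:
                if (sport, grp["proto"]) not in cfg["servers"].get(srv, {"ports": ()})["ports"]:
                    out.append(f"{vp['group']}: {srv} has no port {sport} {grp['proto']}")
                if sport != vport and vp["nat"] != "translate":
                    out.append(f"{vs_name}:{vport} -> {sport} needs no-dest-nat port-translation")
    return out

def check_pair(internal, external):
    """The external unit must translate the internal unit's 443 -> 8080 hop back to 443."""
    ext = {p: vp for vs in external["vservers"].values() for (p, _), vp in vs["vports"].items()}
    out = []
    for vs in internal["vservers"].values():
        for (vport, kind), vp in vs["vports"].items():
            for _, hop in internal["groups"].get(vp["group"], {"members": []})["members"]:
                back = external["groups"].get(ext.get(hop, {}).get("group"), {"members": []})
                if kind == "https" and vport not in {p for _, p in back["members"]}:
                    out.append(f"external unit does not translate tcp/{hop} back to {vport}")
    return out
```

Run check_unit on each unit's show running-config output and check_pair on the two together; an empty list from all three means the listings agree with each other. The checker deliberately knows nothing about ACOS templates or health monitors, so a clean result is a necessary condition, not proof that the deployment works.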

Appendix B. Webroot BrightCloud URL Classification

SSL Insight technology includes a subscription service called Dynamic Web Category Classification via Webroot BrightCloud's Threat Intelligence Services. This service allows customers to granularly control which types of SSL traffic to decrypt and which types to forward without inspection. Thunder ADC customers can analyze and secure SSL traffic while bypassing communications to sensitive sites such as banking and healthcare applications.

Figure 4. A10 and Webroot architecture (Client; A10 Thunder ADC querying the Web Classification Cloud; Security Device receiving decrypted traffic; Internet server receiving re-encrypted traffic)


When a user’s client browser sends a request to a URL, ACOS checks the category of the URL.

• If the category of the URL is allowed by the configuration, the Internal Thunder ADC device leaves the data encrypted and sends it to the SSL Insight outside device, which sends the encrypted data to the server.

• If the category of the URL is not allowed by the configuration, the Internal Thunder ADC device decrypts the traffic and sends it to the traffic inspection device.

Installation requirements:

• Must have a Webroot/BrightCloud URL Classification Subscription and per Thunder ADC device licensing (contact your Regional Sales Director for pricing).

• Internal Thunder ADC must have access to the Internet for Webroot database download.

• DNS configuration is required.

To install the URL classification feature, you need a Webroot license token issued by the A10 Global License Manager (GLM). Once received, import it from the CLI (there is no GUI equivalent):

SSLi(config)#import web-category-license “license token name”

Once the license has been imported, run the web-category enable command. This lets the Thunder ADC communicate with the BrightCloud database server and download the URL classification database. The CLI prints a brief “Done” when the license import succeeds; otherwise it prints an error message. For additional debugging and installation reference, refer to the Webroot Category Installation Guide4.

vThunder(config)#import web-category-license license use-mgmt-port scp://[email protected]/home/jsmith/webroot_license.json
Done.   <-- this brief message confirms successful import of the license

If the import fails, ACOS displays an error message similar to the following:

vThunder(config)#import web-category-license license use-mgmt-port scp://[email protected]/home/jsmith/webroot_license.json
Communication with license server failed   <-- this message indicates a failed import

Note: The Webroot database will download from the data interface by default. There is an option to configure from the management interface but it is not recommended.

To enable the Webroot URL classification feature, you must have the following configuration within the client SSL template.

Here is a sample configuration:

slb template client-ssl ssli-client-template
  forward-proxy-enable
  forward-proxy-bypass web-category financial-services
  forward-proxy-bypass web-category business-and-economy
  forward-proxy-bypass web-category health-and-medicine

4 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


Appendix C. Dynamic Port Intercept

The Dynamic Port Intercept feature detects and intercepts SSL/TLS on any TCP port, regardless of the application protocol carried over the session, rather than only on TCP port 443. The SSL Insight configuration stays largely the same, with these changes. On the Internal Thunder ADC, deploy two separate real-server configurations: one for SSL traffic to be intercepted and one for bypassed and non-SSL traffic. On the External Thunder ADC, likewise configure two real servers, one for SSL traffic and one for non-SSL traffic, both forwarding to the Internet default gateway. In the external-side sample below, the SSL VIP uses a tcp-proxy virtual port with the server-SSL template, and use-rcv-hop-for-resp sends replies back through the hop they arrived on.

Configuration Samples for Dynamic Port Intercept

slb server Gateway 10.10.4.1
  health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
!
slb service-group Outbound_TCP tcp
  member Gateway 0
!
slb service-group Outbound_UDP udp
  member Gateway 0
!
slb template server-ssl Server-SSL
  forward-proxy-enable
!
slb virtual-server Outside_SSLi_VIP 0.0.0.0 acl 101
  port 0 tcp-proxy
    service-group Outbound_TCP
    template server-ssl Server-SSL
    no-dest-nat
    use-rcv-hop-for-resp
!
slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
  port 0 tcp
    service-group Outbound_TCP
    no-dest-nat
    use-rcv-hop-for-resp
  port 0 udp
    service-group Outbound_UDP
    no-dest-nat
    use-rcv-hop-for-resp
  port 0 others
    service-group Outbound_UDP
    no-dest-nat
    use-rcv-hop-for-resp
!
end


Appendix D. Single Appliance SSL Insight Solution

This section describes how to configure Application Delivery Partitions (ADPs) so that both SSL Insight roles run within a single A10 appliance. Deployed this way, SSL Insight needs at least two partitions: one that decrypts SSL traffic (the internal role) and a second that re-encrypts it (the external role).

To create a partition, navigate to the right-hand side of the GUI and click the dropdown under Partition: shared, then select +Create.

Administrator account privilege is required to create partitions:

Partition Name    Device ID        Type
Internal          unique number    ADC
External          unique number    ADC

Figure 5. Partition creation

To navigate from one partition to another, select the top right-hand corner under Partition:”xxxx” and select the appropriate partition to confi gure.

Here are a few commonly used CLI commands for an ADP configuration:

• To create a partition:

  SSLi(config)#partition “internal” id 2 application-type adc

• To switch from one partition to another (the prompt then shows the active partition):

  SSLi(config)#active-partition “internal”
  Current active partition: internal
  SSLi[internal](config)#

Once the SSL Insight partitions have been confi gured, the Thunder ADC appliance should have at least three partitions: Shared, Internal and External.

Note: Make sure that you are on the correct partition when creating configurations. In addition, you will need to use the command system ve-mac-scheme system-mac to support MAC address duplication in a single-device solution.


Appendix E. ICAP Support in Client Authentication Architecture

The Internet Content Adaptation Protocol (ICAP) has become a de facto standard in the security industry: a lightweight, HTTP-like protocol that lets proxy servers and server load balancers hand content to an inspection service. A10 has developed an integration based on RFC 3507 to support SSL Insight deployments.

To integrate the A10 Thunder ADC with ICAP services, deploy the A10 device as a forward proxy that intercepts HTTP and HTTPS traffic and passes it to the security device that provides the ICAP service.

Figure 6. ICAP integration (HTTP client; Thunder ADC forwarding HTTP toward the Internet and ICAP to a Security Appliance providing DLP/AV services)

ICAP Workflow

1. The web client sends an HTTP request (for example, a GET) to the web server.

2. The Thunder ADC intercepts the request and forwards it to the ICAP server in an ICAP REQMOD message.

3. The ICAP server sends a REQMOD response to the Thunder ADC.

4. The ICAP REQMOD response and the actions taken by the Thunder ADC can be one or more of the following:

• ICAP REQMOD response has Status Code 200 and contains an HTTP request.

The Thunder ADC sends the HTTP request contained in the ICAP response to the web server (instead of the original intercepted HTTP request).

• ICAP REQMOD response has Status Code 204.

The Thunder ADC sends the original intercepted HTTP request to the web server.

• ICAP REQMOD response has Status Code 100.

The Thunder ADC sends more data to the ICAP server.

• ICAP REQMOD response has Status Code 200 contains an HTTP response.

The Thunder ADC does not send an HTTP request to the web server. Instead, it sends this HTTP response back to client.

• ICAP REQMOD response has any other Status Code.

The Thunder ADC treats the ICAP response as if it were Status Code 204.
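The REQMOD exchange above, as an added example in Python (not A10 code and not the appliance's implementation): build_reqmod wraps an intercepted HTTP request in an ICAP REQMOD message for the service URI configured in this appendix, and decide maps the ICAP server's reply to the five outcomes listed, keyed on the status code and on whether the Encapsulated header announces a request header (req-hdr) or a response header (res-hdr). The intercepted request, the ICAP replies and the block page are all constructed for the example; the chunked encapsulated body is returned as received, without dechunking.

```python
"""ICAP REQMOD exchange as an SSLi device would drive it (added example, not A10 code).
Builds the REQMOD message for an intercepted HTTP request and maps the ICAP server's
reply to the actions listed in the workflow above. All messages here are constructed."""

ICAP_URI = "icap://abcd.com/reqmod_abcd"   # the service-uri configured in Appendix E

# Constructed intercepted request and ICAP replies (not captured traffic).
ORIGINAL = b"GET /download/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MODIFIED = b"GET /download/tool.exe HTTP/1.1\r\nHost: www.example.com\r\nX-Scanned: 1\r\n\r\n"
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 7\r\n\r\n"
BLOCK_BODY = b"7\r\nBlocked\r\n0\r\n\r\n"            # ICAP encapsulated bodies are chunked
REPLY_204 = b"ICAP/1.0 204 No Content\r\nISTag: \"AV-1\"\r\nEncapsulated: null-body=0\r\n\r\n"
REPLY_100 = b"ICAP/1.0 100 Continue\r\n\r\n"
REPLY_500 = b"ICAP/1.0 500 Server Error\r\nEncapsulated: null-body=0\r\n\r\n"
REPLY_200_REQ = (b"ICAP/1.0 200 OK\r\nISTag: \"AV-1\"\r\n"
                 b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(MODIFIED) + MODIFIED)
REPLY_200_RES = (b"ICAP/1.0 200 OK\r\nISTag: \"AV-1\"\r\n"
                 b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
                 + BLOCK_HDR + BLOCK_BODY)


def build_reqmod(http_request: bytes, service_uri: str = ICAP_URI) -> bytes:
    """Wrap an HTTP request header block in an ICAP REQMOD request (RFC 3507 section 4.8)."""
    host = service_uri.split("/")[2]
    head = (f"REQMOD {service_uri} ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http_request)}\r\n\r\n")
    return head.encode("ascii") + http_request


def parse_icap(reply: bytes):
    """Split an ICAP reply into (status code, lowercase header dict, encapsulated bytes)."""
    head, _, encapsulated = reply.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return status, headers, encapsulated


def decide(original: bytes, reply: bytes):
    """Map the REQMOD reply to (action, payload): 'forward' a request to the web server,
    'reply' an HTTP response straight back to the client, or 'continue' feeding the body."""
    status, headers, encapsulated = parse_icap(reply)
    sections = headers.get("encapsulated", "")
    if status == 100:
        return "continue", None                    # server wants more of the request body
    if status == 200 and "req-hdr" in sections:
        return "forward", encapsulated             # ICAP-supplied request replaces ours
    if status == 200 and "res-hdr" in sections:
        return "reply", encapsulated               # origin is never contacted, e.g. a block page
    return "forward", original                     # 204, and any other code, pass the original
```

The fallback branch is the security-relevant one: an ICAP server that is down or misconfigured answers with something other than 200/204 (or not at all), and the rule in the workflow is to pass the original request through, so an ICAP outage fails open. Monitor the ICAP service-group's health if that is not the behaviour you want.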


Configuration Requirements

The following configuration enables Thunder ADC to integrate with any ICAP-capable AV or DLP solution.

1. Configure the IP address of the ICAP server and create the ICAP service group. Substitute your ICAP server's address for the sample value: 10.1.260.11 as printed is not a valid IPv4 address, since each octet must be in the range 0-255.

ACOS(config)#slb server ICAP_SG1_Path 10.1.260.11
ACOS(config-real server)#port 1344 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group ICAP_sg http
ACOS(config-slb svc group)#member ICAP_SG1_Path 1344

2. Create the ICAP REQMOD template. Include the ICAP service group and the URL of the ICAP REQMOD server:

ACOS(config)#slb template reqmod-icap reqmod_abcd
ACOS(config-reqmod-icap)#service-group ICAP_sg
ACOS(config-reqmod-icap)#service-uri icap://abcd.com/reqmod_abcd

3. Create the ICAP RESPMOD template. Include the ICAP service group and the URL of the ICAP RESPMOD server:

ACOS(config)#slb template respmod-icap respmod_abcd
ACOS(config-respmod-icap)#service-group ICAP_sg
ACOS(config-respmod-icap)#service-uri icap://abcd.com/respmod_abcd

4. Apply the REQMOD and RESPMOD templates to the HTTPS virtual port of the SSL Insight wildcard virtual server:

ACOS(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#template reqmod-icap reqmod_abcd
ACOS(config-slb vserver-vport)#template respmod-icap respmod_abcd

Appendix F. Bypass Client Certificate Authentication

Some HTTPS servers require client certificate authentication (CAC/PKI): the server authenticates the request based on a certificate held in the client's certificate store. SSL Insight does not hold the client's certificate and private key, so the handshake with such a server fails when the server requests the client certificate.

Client-authentication traffic is therefore detected dynamically and bypassed automatically when the server name (SNI) matches a configured condition.

For example, in Figure 7, after the Thunder ADC receives the client hello message, it checks whether the server's certificate is already in its cache. If not, the Internal Thunder ADC opens a server-side SSL connection to the backend server to retrieve the certificate, and at the same time detects whether the backend server requests a client certificate. If it does, the Internal Thunder ADC stops retrieving the certificate and checks whether the server name matches a configured bypass condition.

Note: To bypass the traffic, the Internal Thunder ADC stops SSL Insight processing and switches the session from HTTPS processing to generic TCP proxy processing, so the client and the server complete the handshake end to end and the security device sees only the encrypted stream.


Figure 7. Bypass client certificate authentication (Client; Internal Thunder ADC, VIP 0.0.0.0:443, port translation 443 > 8080; Firewall; External Thunder ADC, VIP 0.0.0.0:8080, port translation 8080 > 443; Server. The client certificate response travels over the bypassed SSL connection, carried as plain TCP between the two appliances.)

Client Authentication Traffic Network Example

The A10 Thunder devices do not have the private keys of the real servers, such as mail.google.com or mail.yahoo.com. Instead of the real server's certificate, the Internal Thunder ADC presents a certificate that it generates and signs with its own CA key pair (the forward-proxy CA in the client-SSL template). Because that CA certificate is installed as trusted on the clients, the browser does not warn about the substituted certificate. Clients that do not trust the CA will show a certificate warning, and applications that pin the origin's certificate will fail; such destinations need a bypass.

Configuration for Bypassing SSL Insight for Client Authentication Traffic

Add one forward-proxy-bypass client-auth entry to the client-SSL template on the Internal Thunder ADC for each server-name condition you want to bypass:

slb template client-ssl clientssl
  forward-proxy-bypass client-auth case-insensitive
  forward-proxy-bypass client-auth class-list testclass
  forward-proxy-bypass client-auth contains jsmith
  forward-proxy-bypass client-auth ends-with abc
  forward-proxy-bypass client-auth equals test.hello.com
  forward-proxy-bypass client-auth starts-with efg

The following list provides additional information about the options:

• case-insensitive means that a case insensitive forward proxy bypass occurs.

• class-list means that forward proxy bypass occurs when the SNI string matches the class-list.

• client-auth means that forward proxy bypass occurs when the client cert auth is requested.

• contains means that forward proxy bypass occurs when the SNI string contains another string.

• ends-with means that forward proxy bypass occurs when the SNI string ends with another string.

• equals means that the forward proxy bypass occurs when the SNI string equals another string.

• starts-with means that forward proxy bypass occurs when the SNI string starts with another string.

Sample Configuration for Bypassing SSL Insight for Client Authentication TrafficTo configure this feature, complete the following tasks:

• Configuring the Internal Thunder ADC device

• Configuring the External Thunder ADC device


Configuring the Internal Thunder ADC Device

The following output shows how to configure the Internal Thunder ADC device:

class-list bypass ac
  starts-with a10a10
  equals ssl-i
  contains hello.com
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 any
!
interface ethernet 4
  ip address 2.2.2.2 255.255.255.0
  ip allow-promiscuous-vip
!
slb server s1 3.3.3.1
  port 8080 tcp
    no health-check
!
slb service-group sg1 tcp
!
slb service-group sg1-8080 tcp
  member s1:8080
!
slb template client-ssl ssl_int
  cert new_self.crt
  key new_self.key
  forward-proxy-enable
  forward-proxy-ca-cert new_self.crt
  forward-proxy-ca-key new_self.key
  forward-proxy-bypass client-auth contains abc.com
  forward-proxy-bypass client-auth equals a10a10
  forward-proxy-bypass client-auth class-list bypass
!
slb virtual-server vs1 0.0.0.0 acl 101
  extended-stats
  port 443 https
    service-group sg1-8080
    template client-ssl ssl_int
    no-dest-nat port-translation

Configuring the External Thunder ADC Device

The following CLI output shows how to configure the External Thunder ADC device:

access-list 101 permit tcp any any eq 8080
!
interface ethernet 3
  ip address 3.3.3.2 255.255.255.0
  ip allow-promiscuous-vip
!
slb template server-ssl ssl_int
  forward-proxy-enable
!
slb server s2 3.3.3.1
  port 443 tcp
    no health-check
!
slb service-group sg1-443 tcp
  member s2:443
!
slb virtual-server vs2 0.0.0.0 acl 101
  port 8080 http
    service-group sg1-443
    template server-ssl ssl_int
    no-dest-nat port-translation

Appendix G. Explicit Proxy

Explicit Proxy Configuration

The Explicit Proxy feature enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).

[Figure 8: Bypass client certificate authentication. Diagram elements: Client, Explicit Proxy, Internet, Class-List, Policy Template.]

This feature is available in ACOS release 2.7.2 and was reintroduced in ACOS release 4.0.1 SP9. When this feature is enabled, an HTTP virtual port on the Thunder ADC device intercepts the HTTP requests from the client, validates both the source and the destination, and forwards only those requests that come from valid sources and are sent to permitted destinations. Destinations are validated based on URL or hostname strings. For approved destinations, DNS is used to obtain the IP addresses.

Note: All Explicit Proxy integration with SSL Insight must be deployed in a partition (ADP). Integration of Explicit Proxy and SSL Insight in the same partition or appliance will be supported in future releases.

Sample Configuration for Explicit Proxy

The class-list matches on alphabetic strings containing any of the 26 letters of the English alphabet. If the destination string matches, the request is forwarded to the destination selected by the matching policy action.

class-list dest ac
  contains example
  contains google
  contains test
!
class-list dest1 ac
  contains example1
  contains america
!
class-list dest2 ac
  contains bank
  contains sample
!
class-list src ipv4
  192.0.2.212/32
  203.0.113.0/24
  198.51.100.0/24
!
slb server fake-server 192.168.230.101
  port 80 tcp
  port 443 tcp
  health-check-disable
!
slb server ubuntu_serv 192.168.221.70
  port 80 tcp
  port 443 tcp
!
slb service-group fake-sg tcp
  health-check-disable
  member fake-server 80
  member fake-server 443
!
slb service-group ubuntu_sg tcp
  member ubuntu_serv 80
  member ubuntu_serv 443
!
slb template policy test
  forward-policy
    action a1
      forward-to-internet fake-sg snat snat fallback ubuntu_sg snat snat
      log
    action a2
      forward-to-service-group ubuntu_sg snat snat
      log
    action a3
      drop
      log
    source s1
      match-class-list src
      destination class-list dest action a1 url priority 10
      destination class-list dest1 action a2 url priority 300
      destination class-list dest2 action a3 url priority 15
    source s2
      match-any
      destination any action a1
!
slb virtual-server test 10.50.10.123
  port 8080 http
    service-group fake-sg
    template policy test
!

Note: The fake-server and fake-sg are required as placeholders for action forward-to-internet.


Appendix H. Detailed Walkthrough of SSL Insight Packet Flow

[Figure 9. SSL Insight packet flow. The diagram shows Clients, the internal A10 Thunder ADC (clear text zone), the Firewall, the external A10 Thunder ADC (encrypted zone) and the Server. On each TCP leg the message sequence is SYN, SYN/ACK, ACK, Client-Hello, Server-Hello, SSL handshake messages + Finished, then encrypted application data and the encrypted application response; between the internal Thunder ADC and the firewall the application data and response travel in clear text. The figure also shows a separate SYN, SYN/ACK, ACK, Client-Hello, Server-Hello (server cert with public key signed by a well-known CA), SSL handshake messages + Finished and RST exchange towards the remote server. The numbered annotations read as follows.]

1. If the certificate exists in the cache, send it to the client and move to (2). Otherwise, establish an SSL connection with the remote server and get the certificate from the remote server. Extract the header information from the server certificate; change the Issuer and the Public Key to those in the Client-SSL template; re-sign the new certificate using the CA certificate in the Client-SSL template; send the reconstructed Server-Hello (server cert + local public key, signed by the local CA) to the client.

2. Data is decrypted and sent in clear text through the firewall.

3. SSL reverse proxy: a new SSL session is initiated with the remote server. Data is encrypted and sent to the remote server.

4. The response is decrypted and sent through the firewall.

5. The response is encrypted again and sent to the client.


Appendix I. SSL Insight Certificate Installation Guide

A prerequisite for configuring Thunder ADC's SSL Insight feature is generating a CA certificate with a known private key. This CA certificate must then be installed on all client machines on the internal network. If the CA certificate is not installed, internal users will see an SSL "untrusted root" error whenever they try to connect to an SSL-enabled website.

This guide includes the following contents:

• Generating a CA Certificate

• Exporting a Certificate from Thunder ADC

• Installing a Certificate in Microsoft Windows 7 for Microsoft Internet Explorer

• Installing a Certificate in Google Chrome

• Installing a Certificate in Mozilla Firefox

Generating a CA Certificate

The SSL Insight feature relies on an SSL certificate and key pair to encrypt traffic between clients and the Thunder ADC appliance. A self-signed certificate can be generated by the Thunder ADC appliance or created on a Linux system with OpenSSL installed. Alternatively, an ADC administrator can request and install a CA-signed certificate from the Thunder ADC appliance. For instructions on requesting a CA-signed certificate, see the Application Delivery and Server Load Balancing Guide [5].

To generate a self-signed certificate from Thunder ADC in ACOS version 4.0.1:

1. Select ADC > SSL Management.

2. Click Create.

3. Enter the name: SSLi-CA

4. Common name: SSLi-CA

5. Enter the rest of the certificate information in the remaining fields of the Certificate section.

Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.

6. From the Key drop-down list, select the length in bits for the key. (2048 is the recommended key size.)

7. Click Create. The Thunder ADC device generates the self-signed certificate and a key. The new certificate and key appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.

[5] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


[6] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.

Other Options to Generate a Certificate

Instead of creating a self-signed certificate within Thunder ADC, administrators can generate a certificate on a Linux server. The following two commands generate a CA key and a self-signed CA certificate on a Linux system with an OpenSSL package installed. Once generated, the certificate can be imported onto the Thunder ADC device using FTP or SCP.

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

The root certificate must be imported onto the client machines. This can be done manually or using an automated service such as Microsoft Group Policy Manager.

Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx

Exporting a Certificate from Thunder ADC

To export a self-signed certificate from the Thunder ADC GUI in ACOS 4.0.1:

1. Select ADC > SSL Management.

2. On the menu bar, select Certificate.

3. Click Export.

Note: If the browser security settings normally block downloads, you may need to override the settings. For example, in Internet Explorer, hold the Ctrl key while clicking Export. See the Application Delivery and Server Load Balancing Guide [6] for more information and for instructions for the command line interface (CLI).

Installing a Certificate in Microsoft Windows 7 for Internet Explorer

To import an untrusted or self-signed CA certificate into your Windows 7 computer, you must be logged on as an administrator, and the untrusted or self-signed CA certificate file should already have been copied onto your computer.

1. Open Certificate Manager by clicking the Start button.

2. Type certmgr.msc into the search box and then press Enter.

3. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.


4. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we have selected the folder: Trusted Root Certification Authorities > Certificates.

5. Click the Action menu, point to All Tasks, and then click Import.


6. In the Certificate Import Wizard, click Next to proceed to the File Import page.

7. Select Browse to locate the certificate file that is to be imported.

Note: the Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate, select the certificate type you want to import in the Open dialog box and click Open.


8. Click the Next button.

9. Click the Next button.


10. Confirm your selections and click Finish.

11. In the Security Warning popup window, select Yes, since you made an informed decision to import this certificate.


12. If the import is successful, you will see a dialog box with the message “The import was successful.”

13. You can see the newly installed CA certificate under the specified folder.


Installing a Certificate in Google Chrome

1. To install the CA certificate in Google Chrome, open the Chrome browser.

2. Click the "Customize and Control Google Chrome" option located in the right-hand corner of the browser window.

3. Navigate to the HTTPS/SSL section of Chrome Settings and click the Manage certificates button.


4. In the certificate folder on the Trusted Root Certification Authorities tab, click the Import button and a Certificate Import Wizard will appear.

5. In the Certificate Import Wizard, click the Next button.


6. Click the Next button to browse to the location of the CA certificate.

7. Once the correct certificate has been located, click Next to install the certificate in the "Trusted Root Certificate Authorities" certificate store. Click Next and Finish and then click OK.


Installing a Certificate in Mozilla Firefox

Mozilla Firefox uses its own certificate store, and all root CA certificates are stored within that store. In order for SSL Insight to work properly, each client must download and install the SSL root certificate. Otherwise, Firefox will generate an error message warning the user about the failed SSL connection attempt.

1. To install an SSL root certificate in Firefox, launch the Firefox browser and open the Options window.


2. From the Options window, select the Advanced settings option and then click the Certificate tab. From the Certificates window, click the View Certificates button. Mozilla will display the Certificate Manager dialog.

3. Click the Import button.

4. Navigate to where the certificate is located and click Open. A Downloading Certificate window will be displayed.

5. Select the Trust this CA to identify websites checkbox and click OK. Now the certificate should be imported and the client machine can access HTTPS applications without receiving an error message.


Appendix J. SSL Insight 4.0.3 Features

OCSP Certificate Validation

OCSP certificate validation is a critical feature in SSL Insight, as it gives the device, acting as a proxy server, the capability to validate an external server. With OCSP certificate validation, ACOS checks whether the server's SSL certificate is valid or expired as indicated by the Certificate Authority (CA). Before the SSL session is initiated, the following transaction is performed to validate the current state of the server certificate. Keep in mind that OCSP validation is only performed for the back-end SSL server certificate.

After the TCP connection has been established between the internal Thunder ADC device and the client, the OCSP certificate validation begins:

[Figure 10: OCSP detailed cert validation process. Elements: Client, Internal Thunder ADC / External Thunder ADC, OCSP Server, Remote Server, Internet; ADP 1 "Internal" (Client to Firewall) and ADP 2 "External" (Firewall to Router). The OCSP answer branches into "Yes, valid certificate" (session proceeds) and "No (drop session)".]


[Figure 11: OCSP detailed cert validation process. Elements: Client, Internal Thunder ADC, Firewall, External Thunder ADC, OCSP Certificate Server, Server, Internet. Decision points: "Certificate contains OCSP information?", "OCSP entry in cache?", "Connection?", "Fail?" (Yes: connect to OCSP certificate server), "If no OCSP stapling support". Outcomes: Resolve, Verification 'Good'; Verification 'Revoked'; Verification 'Unknown'; Resolve Failed Fetch (default: drop connection). The numbered annotations read as follows.]

1. CA certificates are imported onto the Internal Thunder ADC device.

2. The internal Thunder ADC device establishes a TCP connection and begins an SSL handshake with the remote server.

3. The server responds with its certificate and staples the OCSP status if OCSP stapling is supported by the server.

4. If the server response contains the stapled OCSP status "good," an SSL connection is established between the Thunder ADC device and the client. If OCSP stapling is not supported, the Internal Thunder ADC device requests the certificate status from the OCSP certificate server.

5. If the certificate of the external server is "revoked," the SSL connection is either dropped or bypassed depending on the Thunder ADC configuration. If the certificate of the external server is "good," the SSL proxy connection is established between the client and the Thunder ADC device.

OCSP Certificate Validation Process

1. The internal Thunder ADC device contacts the OCSP server named in the Authority Information Access (AIA) field of the certificate sent by the Internet server. An OCSP request is sent to the OCSP URL in the AIA field of each certificate in the chain for which the internal Thunder ADC does not already have an OCSP cache entry. If the OCSP URL is an HTTP URL, an HTTP connection is initiated to that OCSP responder. If the OCSP URL is an HTTPS URL, the Thunder ADC device will not continue with OCSP verification for that certificate/certificate chain.


2. If the OCSP server responds that the certificate is valid, the internal Thunder ADC device caches the certificate validity information together with its expiration time, expressed in seconds. If this OCSP entry expires while a forged certificate corresponding to it is still in the cache, that forged certificate is also aged out. When a new client request for the same website arrives at the Thunder ADC device, the OCSP verification and certificate forging process is repeated.

3. If the OCSP server responds that the certificate is not valid, then depending on the Thunder ADC device configuration, the Thunder ADC device will either drop the connection or bypass the SSL proxy to allow the client to connect directly to the external server.

Note: OCSP certificate validation is enabled by default. To disable the OCSP verification from the CLI, use the following command:

slb template client-ssl ssli
  forward-proxy-ocsp-disable
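The validation decision and the cache ageing described in steps 1 to 3 and in Figure 11, as an added Python model that is not ACOS code: the function names, the seconds-based TTL handling, and the default branches (drop on a failed OCSP fetch, per Figure 11; bypass on a revoked or unknown status unless the forward-proxy-verify-cert-drop option described later in this appendix is set) are this model's assumptions drawn from the guide's text.

```python
"""Model of the SSL Insight OCSP validation decision and cache ageing.

Added example, not ACOS code. It follows the flow in Figure 11: a stapled
'good' status short-circuits the check; otherwise the OCSP cache is consulted,
then the OCSP responder. The OCSP entry and the forged certificate for a site
share one lifetime, as the guide describes in step 2.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class ForwardProxyConfig:
    ocsp_enabled: bool = True        # forward-proxy-ocsp-disable clears this
    verify_cert_drop: bool = False   # forward-proxy-verify-cert-drop sets this


@dataclass
class OcspCache:
    # site -> (status, expires_at); the forged-cert cache is keyed the same way
    ocsp: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    forged: Dict[str, str] = field(default_factory=dict)

    def lookup(self, site, now):
        """Return the cached OCSP status, ageing out expired entries."""
        entry = self.ocsp.get(site)
        if entry is None:
            return None
        status, expires_at = entry
        if now >= expires_at:
            # Step 2: when the OCSP entry expires, the forged certificate
            # corresponding to it is aged out too, so both get rebuilt.
            del self.ocsp[site]
            self.forged.pop(site, None)
            return None
        return status


def decide(site, stapled_status, cache, now, fetch, cfg):
    """Return 'proxy' (establish the SSL proxy to the client), 'bypass' or 'drop'.

    fetch(site) -> (status, ttl_seconds) models the query to the OCSP
    responder and raises OSError when the responder cannot be reached.
    """
    if not cfg.ocsp_enabled:
        return "proxy"                     # validation switched off in the template
    if stapled_status == "good":
        return "proxy"                     # annotation 4: stapled 'good' is enough
    status = cache.lookup(site, now)
    if status is None:
        try:
            status, ttl = fetch(site)
        except OSError:
            return "drop"                  # Figure 11: failed fetch, default drop
        cache.ocsp[site] = (status, now + ttl)
    if status == "good":
        # Hypothetical placeholder for the forged certificate object.
        cache.forged.setdefault(site, "forged-cert-for-" + site)
        return "proxy"
    # 'revoked' or 'unknown': drop or bypass depending on the template option
    return "drop" if cfg.verify_cert_drop else "bypass"


if __name__ == "__main__":
    cache = OcspCache()
    good = lambda site: ("good", 300)      # constructed responder: good for 300 s
    print(decide("www.example.com", None, cache, 1000.0, good, ForwardProxyConfig()))
    print(decide("www.example.com", None, cache, 1400.0, good, ForwardProxyConfig()))
```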

There are a few different options for configuring OCSP certificate validation, so an administrator has to understand how each of them is configured. Only the internal Thunder ADC device is configured; no changes or feature enabling are required on the external Thunder ADC device.

Note: This new feature (in 4.0.3) can only be configured in CLI. Configuration via the GUI will be available in a future release.

To configure OCSP server validation, the following CLI commands are required:

• Source NAT pool: required so that the OCSP client in the Thunder Server Verification Module (SVM) can dynamically initiate TCP connections to the OCSP server; these connections need a source NAT pool address. The following commands are required for OCSP server validation to function:

Thunder-Internal(config) #ip nat pool ocsp 5.5.5.100 5.5.5.100 netmask /24
Thunder-Internal(config) #slb svm-source-nat pool ocsp

• DNS: to look up the IP address of the OCSP server for certificate validation, a DNS server must be configured on the internal Thunder ADC device. A secondary DNS IP address can also be configured for redundancy.

Thunder-Internal(config) #ip dns primary 8.8.8.8

Once these prerequisites are configured, configure the client SSL template on the internal Thunder ADC device with the following commands:

Thunder-Internal(config) #slb template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_CAs
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_intermediate
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca new_self.crt
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA1
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA2
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA3
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA4
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA5
Thunder-Internal(config-client SSL) #forward-proxy-ca-cert enterpriseABC-selfsigned
Thunder-Internal(config-client SSL) #forward-proxy-ca-key enterpriseABC-key
Thunder-Internal(config-client SSL) #forward-proxy-enable

Another OCSP certificate validation option is to make the internal Thunder ADC device drop the connection when the certificate from the external server is not valid. By default, the internal Thunder ADC device does not drop connections for invalid certificates.

#forward-proxy-trusted-ca

The command "forward-proxy-trusted-ca" will bypass all client connections if the external server certificate is invalid.

To drop the external server connection instead, add the following CLI command to the client SSL template:

#forward-proxy-verify-cert-drop

A route configuration is required for an inline single appliance with an L3V partition. The HTTPS port 443 on the wildcard VIP must include the DNS server, and non-HTTP protocols must be bypassed. You must create a dynamic-service template and bind it to the internal Thunder ADC device VIP.

To define the dynamic-service template, configure the following:

Thunder-Internal(config) #slb template dynamic-service dl
Thunder-Internal(config-dynamic service) #dns server 8.8.8.8
Thunder-Internal(config-dynamic-service) #exit

Once the dynamic-service template is defined, bind it to the internal Thunder ADC device VIP:

Thunder-Internal(config) #slb virtual-server Inside_VIP 0.0.0.0 acl 100
Thunder-Internal(config-slb vserver) #port 443 https
Thunder-Internal(config-slb vserver-vport) #no-dest-nat port-translation
Thunder-Internal(config-slb vserver-vport) #service-group FW1_Inspect_SG
Thunder-Internal(config-slb vserver-vport) #use-rcv-hop-for-resp
Thunder-Internal(config-slb vserver-vport) #template dynamic-service dl
Thunder-Internal(config-slb vserver-vport) #template http non-http-bypass
Thunder-Internal(config-slb vserver-vport) #template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-slb vserver-vport) #exit

SSL Debug Alert Messages

This feature can be used to monitor a session and show why an SSL session failed. This debugging option is not enabled by default. It can be enabled from a client or server SSL template, and the alerts are logged with a brief description. An alert can be triggered during an SSL handshake or while sending or receiving application data. Only fatal alerts are logged: the Thunder ADC device logs the fatal level only, and the level is not customizable. To enable this feature, use the ACOS CLI and run the following command:

inside(config-client ssl)#enable-tls-alert-logging fatal

Note: this feature can be enabled on the Internal or External Thunder ADC device.

The following is the list of SSL alert descriptions (name = code) that ACOS outputs:

close_notify = 0
unexpected_message = 10
bad_record_mac = 20
decryption_failed = 21
record_overflow = 22
decompression_failure = 30
handshake_failure = 40
no_certificate = 41
bad_certificate = 42
unsupported_certificate = 43
certificate_revoked = 44
certificate_expired = 45
certificate_unknown = 46
illegal_parameter = 47
unknown_ca = 48
access_denied = 49
decode_error = 50
decrypt_error = 51
export_restriction = 60
protocol_version = 70
insufficient_security = 71
internal_error = 80
user_canceled = 90
no_renegotiation = 100
unsupported_extension = 110
certificate_unobtainable = 111
unrecognized_name = 112
bad_certificate_status_response = 113
bad_certificate_hash_value = 114
unknown_psk_identity = 115
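The alert codes in the list above are the standard TLS alert descriptions, so they can be decoded from a packet capture as well as from the ACOS log. The following added Python example (not ACOS code) parses a plaintext TLS alert record, names the alert from the table, and reports whether it is at the fatal level that enable-tls-alert-logging fatal would log; the sample records are constructed, not captured.

```python
"""Decode TLS alert records and map the description byte to the alert names
listed in this guide. Added example, not ACOS code.
"""
import struct

# Alert descriptions exactly as listed in the guide (standard TLS alert codes).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 111: "certificate_unobtainable",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value", 115: "unknown_psk_identity",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def parse_alert_record(data):
    """Parse one plaintext TLS record; return a dict for an alert, None otherwise.

    Record layout: type(1) version(2) length(2) payload. An alert payload is
    level(1) description(1). Alerts sent after the handshake are encrypted and
    cannot be decoded this way; handshake-time alerts travel in the clear.
    """
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_TYPE_ALERT:
        return None
    if length != 2 or len(data) < 7:
        raise ValueError("alert record must carry exactly 2 bytes of payload")
    level, desc = data[5], data[6]
    return {
        "version": (major, minor),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_NAMES.get(desc, "unknown(%d)" % desc),
        "code": desc,
    }


def would_acos_log(alert):
    """Per the guide, enable-tls-alert-logging fatal logs fatal-level alerts only."""
    return alert is not None and alert["level"] == "fatal"


# Constructed sample records (not from a real capture):
# fatal handshake_failure (0x28 = 40) on TLS 1.2, and a warning close_notify.
FATAL_HANDSHAKE_FAILURE = bytes.fromhex("15 03 03 00 02 02 28")
WARNING_CLOSE_NOTIFY = bytes.fromhex("15 03 03 00 02 01 00")
# An application-data record (content type 23), which is not an alert.
APP_DATA = bytes.fromhex("17 03 03 00 03 41 42 43")

if __name__ == "__main__":
    for rec in (FATAL_HANDSHAKE_FAILURE, WARNING_CLOSE_NOTIFY, APP_DATA):
        alert = parse_alert_record(rec)
        print(alert, "logged by ACOS:", would_acos_log(alert))
```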

Forward Proxy Failsafe

Forward Proxy Failsafe is a new feature in release 4.0.3 that enables ACOS to dynamically bypass an SSL Insight request when ACOS is unable to fetch the server certificate. This feature is enabled by default, and auto-bypassed transactions are logged to syslog automatically with the keyword "bypassed." It is only available in the client SSL template.

[Figure: Client, SSL handshake with the Server; Success proceeds to SSL Insight; Failed leads to SSL failure and Failsafe Bypass.]

Command to disable Forward Proxy Failsafe, shown in a complete client SSL template:

slb template client-ssl ssli
  enable-tls-alert-logging fatal
  forward-proxy-ca-cert 2k.pem
  forward-proxy-ca-key 2k.key
  forward-proxy-enable
  forward-proxy-failsafe-disable
  forward-proxy-bypass web-category financial-services
  forward-proxy-bypass web-category health-and-medicine
  non-ssl-bypass service-group nonssli-tcp

Forward Proxy Inspect

The Forward Proxy Inspect feature matches against an Aho-Corasick class-list and performs SSL Insight only if there is a match on one of the class-list entries. A match process is initiated, and if there is a match on the class-list the SSL Insight process continues. If the forward proxy inspection fails, the SSL session is dropped.

[Figure: Client, Client-SSL template, Forward Proxy Inspect (Aho-Corasick class-list match, e.g. ".com", ".edu"); Success leads to the Server; No Class-list Match / Fail leads to the SSL session being dropped.]

To enable this feature, the class-list strings (case sensitive) must be defined; the class-list supports "starts-with," "ends-with," and "contains or equal."

Internal Thunder ADC ends-with class-list sample:

class-list test ac
  contains ssl-inspect1
  ends-with .com
  ends-with .edu

Internal Thunder ADC client SSL template sample:

slb template client-ssl client-ssl
  forward-proxy-ca-cert ssl-ca
  forward-proxy-ca-key ssl-ca
  forward-proxy-enable
  forward-proxy-inspect inspect-list test

Internal Thunder ADC key-string length class-list sample:

class-list max-length-key-string ac
  contains 012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.0123456
!
slb template client-ssl client-ssli
  forward-proxy-ca-cert ax-1024
  forward-proxy-ca-key ax-1024
  forward-proxy-enable
  forward-proxy-inspect inspect-list max-length-key-string
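A model of the class-list matching that both the forward-proxy-bypass options (equals, starts-with, contains, as in Appendix F's client-auth sample) and the forward-proxy-inspect inspect-list above rely on, as an added Python example that is not ACOS code: it parses the guide's own "ac" class-list samples, applies the four operators case-sensitively to a server name, and returns the bypass/inspect/drop outcome the guide describes; the Aho-Corasick automaton is replaced by plain string operations, since the decision logic rather than the search speed is the point.

```python
"""Model of ACOS 'ac' (string) class-list matching for SSL Insight.

Added example, not A10 code. Parses the class-list syntax shown in this guide
(starts-with / equals / contains / ends-with, case sensitive) and applies it to
a TLS server name for forward-proxy-bypass and forward-proxy-inspect decisions.
"""

OPERATORS = {
    "starts-with": lambda name, s: name.startswith(s),
    "equals": lambda name, s: name == s,
    "contains": lambda name, s: s in name,
    "ends-with": lambda name, s: name.endswith(s),
}


def parse_class_lists(text):
    """Parse 'class-list NAME ac' blocks into {name: [(operator, string), ...]}."""
    lists = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # blank lines and '!' separators
            continue
        parts = line.split()
        if parts[0] == "class-list":
            if len(parts) < 3 or parts[2] != "ac":
                raise ValueError("only 'ac' string class-lists are modelled: %r" % line)
            current = parts[1]
            lists[current] = []
        elif parts[0] in OPERATORS and len(parts) == 2 and current is not None:
            lists[current].append((parts[0], parts[1]))
        else:
            raise ValueError("unrecognised class-list line: %r" % line)
    return lists


def class_list_match(entries, name):
    """Return the first (operator, string) entry matching name, else None.

    Matching is case sensitive, as the guide states for class-list strings.
    """
    for op, s in entries:
        if OPERATORS[op](name, s):
            return (op, s)
    return None


def bypass_decision(bypass_entries, name):
    """forward-proxy-bypass: a match passes the session through without decryption."""
    return "bypass" if class_list_match(bypass_entries, name) else "inspect"


def inspect_decision(inspect_entries, name):
    """forward-proxy-inspect inspect-list: a match lets SSL Insight proceed;
    the guide states that a failed inspection drops the SSL session."""
    return "inspect" if class_list_match(inspect_entries, name) else "drop"


# Class-lists copied from the guide's samples: the Appendix F bypass list and
# the Forward Proxy Inspect ends-with list.
SAMPLE_CONFIG = """
class-list bypass ac
  starts-with a10a10
  equals ssl-i
  contains hello.com
!
class-list test ac
  contains ssl-inspect1
  ends-with .com
  ends-with .edu
!
"""

CLASS_LISTS = parse_class_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    # Constructed server names, including an uppercase one to show case sensitivity.
    for name in ["a10a10.example.net", "ssl-i", "www.hello.com",
                 "mail.example.org", "WWW.HELLO.COM"]:
        print(name, bypass_decision(CLASS_LISTS["bypass"], name),
              inspect_decision(CLASS_LISTS["test"], name))
```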


Appendix K. Reference Topologies

SSL Insight – Inline Single Appliance Deployment

[Figure: ADP 1 and ADP 2 on one appliance; SSL from the client into ADP 1, HTTP through the Firewall or inline Security Device, SSL out of ADP 2 to the Internet. Legend: Secure Traffic, Clear Traffic.]

The Inline Single Appliance Deployment Mode provides SSL visibility to an inline security device. This configuration has the following topology description:

• One partition decrypts SSL traffic and forwards it to security devices

• A second partition encrypts traffic

• L2 deployment

SSL Insight – Inline and Passive Mode Security Devices

[Figure: Client, SSL into the first partition, HTTP through the inline IPS/Firewall and Secure Web Gateway (SWG), SSL out of the second partition to the Internet; ATP / SIEM attached passively. Legend: Secure Traffic, Clear Traffic.]

The Inline and Passive Deployment Mode shows multiple security devices running on Layer 2 configuration or on a TAP mode using mirror port configuration. This configuration has the following topology description:

• Open once and inspect multiple times

• Multiple security devices

• Inline (Layer 2) and passive (TAP) mode devices supported on SPAN/Mirror Port

SSL Insight – Network and Passive Mode Security Devices

[Figure: Client, SSL into the first partition, HTTP through the IPS/Firewall and Secure Web Gateway (SWG) at Layer 3, SSL out of the second partition to the Internet; ATP / SIEM attached passively. Legend: Secure Traffic, Clear Traffic.]

The Network and Passive Deployment Mode shows multiple security devices running on Layer 3 configuration or on a TAP mode using mirror port configuration. This configuration has the following topology description:

• Open once and inspect multiple times

• Multiple security devices

• Network (Layer 3) and passive (TAP) mode devices supported on SPAN/Mirror Port

• High availability (HA) Support


SSL Insight – Inline Mode with Explicit Proxy

[Figure: ADP 1 (SSL, Explicit Proxy), ADP 2 (HTTP) and ADP 3 (SSL) between the Client, the Firewall or Inline Security Device and the Internet. Legend: Secure Traffic, Clear Traffic.]

First A10 partition: forwards the explicit proxy traffic to SSL; the HTTP CONNECT header is removed and the destination IP is changed.

Second A10 partition: forwards SSL traffic to HTTP and sends the traffic to the firewall for inspection.

Third A10 partition: converts HTTP back to SSL; HTTPS traffic is forwarded to the destination.

The Inline Mode with Explicit Proxy Deployment Mode is a combination of Explicit Proxy with SSL Insight solutions. The first partition is configured as Explicit Proxy and the second and third partitions will be used for SSL Insight configuration.

SSL Insight – ICAP Topology with Explicit Proxy

[Figure: ADP 1 and ADP 2, SSL in and SSL out to the Internet, with the Firewall or Inline Security Device in the path; reqmod/respmod exchange with a Data Loss Prevention (DLP) system. Legend: Secure Traffic, Clear Traffic.]

The ICAP Topology with Explicit Proxy Deployment Mode provides SSL visibility to an ICAP-enabled DLP. This configuration has the following topology description:

• Requires an ICAP template, which is then bound to a vPort

• The ICAP solution is based on the RFC 3507 standard

• Configurable; the solution can work with internal and external Thunder Series devices


SSL Insight in Passive Inline with Explicit Proxy

[Figure: ADP 1 (SSL, Explicit Proxy), ADP 2 (HTTP) and ADP 3 (SSL) between the Client and the Internet; Firewall/IPS inline, ATP / SIEM attached passively. Legend: Secure Traffic, Clear Traffic.]

The Passive Inline with Explicit Proxy Deployment offers explicit proxy configuration and supports multiple inline and passive (TAP) security devices. Customers may deploy in explicit proxy mode when they are replacing an existing explicit proxy or prefer it over our standard SSL proxy.

Inline Mode with Bypass Switch/AFO

Figure: Inline Mode with Bypass Switch/AFO. Internet <- SSL -> Bypass Switch -> ADP 1 -> HTTP -> Firewall or Inline Security Device -> ADP 2 -> SSL; when the switch fails open, bypass traffic goes around the SSL Insight devices. Legend: bypass traffic, secure traffic, clear traffic.

The Inline Mode with Bypass Switch/AFO deployment shows the standard inline deployment mode with the option to deploy a bypass switch. AFO (Active Failover Open) uses network traffic through the inline path as a heartbeat. If the heartbeat fails, the switch fails open and moves traffic to the bypass path around the SSL Insight devices, so the link stays up rather than the traffic being dropped. Note that traffic on the bypass path is neither decrypted nor inspected, so a bypass event should raise an alarm and be reviewed.

HA Inline Mode with Bypass Switch/AFO

Figure: HA Inline Mode with Bypass Switch/AFO. Internet <- SSL -> Bypass Switch -> SSL Insight devices in a multi-device (HA) arrangement -> HTTP -> Firewall or inline Security Device -> SSL; bypass traffic goes around the inline devices when the switch fails open. Legend: bypass traffic, secure traffic, clear traffic.

The HA Inline Mode with Bypass Switch/AFO deployment shows the standard inline (Layer 2) mode in a multi-device, high-availability deployment with a bypass switch option. AFO (Active Failover Open) uses network traffic through the inline path as a heartbeat. If the heartbeat fails, the switch fails open and moves traffic to the bypass path around the SSL Insight devices, so the link stays up; as in the single-device case, bypassed traffic is not decrypted or inspected, so the bypass event should be alarmed.
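The following is an added example, not code from the A10 guide or from any bypass switch vendor, that models the Active Failover Open decision described for both the single-device and the HA bypass-switch deployments above: a heartbeat is sent through the inline path, the switch fails open after a run of lost heartbeats, and it only re-inserts the inline devices after a run of good heartbeats so that a single recovered probe cannot flap the path. It also keeps the figure a SOC wants from such an event, the number of seconds in which traffic ran around SSL Insight uninspected. The miss and recovery thresholds and the heartbeat trace are assumptions made for this illustration, not values taken from the guide.

```python
# Added example (not A10 code): a model of the Active Failover Open (AFO) decision a
# bypass switch makes from its heartbeat, plus the accounting a SOC wants for the
# window in which traffic ran around SSL Insight uninspected. The thresholds and the
# heartbeat trace are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AfoMonitor:
    miss_limit: int = 3          # consecutive lost heartbeats before the switch fails open (assumed)
    recover_count: int = 5       # consecutive good heartbeats before traffic is reinserted (assumed)
    state: str = "inline"
    missed: int = 0
    good: int = 0
    bypass_since: Optional[float] = None
    uninspected_seconds: float = 0.0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, now: float, heartbeat_returned: bool) -> str:
        """Feed one heartbeat result; returns the switch state after this observation."""
        if heartbeat_returned:
            self.missed = 0
            self.good += 1
            if self.state == "bypass" and self.good >= self.recover_count:
                # hysteresis: a single good heartbeat must not flap the path back inline
                self.uninspected_seconds += now - self.bypass_since
                self.bypass_since = None
                self.state = "inline"
                self.events.append((now, "inline-restored"))
        else:
            self.good = 0
            self.missed += 1
            if self.state == "inline" and self.missed >= self.miss_limit:
                self.state = "bypass"
                self.bypass_since = now
                # the alarm condition: the link is up but nothing is decrypted or inspected
                self.events.append((now, "bypass-open"))
        return self.state

    def exposure(self, now: float) -> float:
        """Total seconds so far in which traffic bypassed inspection, including an open window."""
        open_window = (now - self.bypass_since) if self.bypass_since is not None else 0.0
        return self.uninspected_seconds + open_window


def replay(trace):
    """Run a (time, heartbeat_returned) trace through a fresh monitor and return it."""
    monitor = AfoMonitor()
    for t, ok in trace:
        monitor.observe(t, ok)
    return monitor


# constructed heartbeat trace: one probe per second, the inline path dies at t=2 and
# comes back at t=6
SAMPLE_TRACE = [(0, True), (1, True), (2, False), (3, False), (4, False), (5, False),
                (6, True), (7, True), (8, True), (9, True), (10, True), (11, True)]
```

Replaying SAMPLE_TRACE fails open at t=4 (third lost heartbeat) and re-inserts the inline devices at t=10 (fifth good heartbeat), leaving six seconds of uninspected traffic to account for. Two isolated losses with a good probe between them never reach the miss limit and the path stays inline.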


Corporate Headquarters: A10 Networks, Inc., 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668, Fax: +1 408 325-8666, www.a10networks.com

Part Number: A10-DG-16154-EN-04 Dec 2015


©2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.
