GigaSMART Passive SSL Decryption
GigaVUE H Series nodes support Secure Sockets Layer (SSL) decryption. SSL is a cryptographic protocol that adds security to TCP/IP communications such as Web browsing and email. The protocol allows the transmission of secure data between a server and client who both have the keys to decode the transmission and the certificates to verify trust between them. Passive SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network.
Passive SSL decryption is a pillar of the GigaSECURE Security Delivery Platform. For an overview of GigaSECURE, refer to GigaSECURE Security Delivery Platform.
On GigaVUE H Series nodes, GigaSMART line cards or modules perform the decryption of SSL traffic. Using GigaSMART for decryption offloads the decryption function from tools and offers improved tool performance by removing this computationally intensive task. GigaSMART provides a centralized decryption point. Decrypted SSL traffic can be sent from GigaSMART to inspection tools for further analysis, for example, to look at encrypted communications or to detect malware.
Before SSL traffic is decrypted, the de-duplication GigaSMART operation can be performed. Decrypted traffic from the GigaSMART line card or module can be filtered, aggregated, and replicated and then sent to one or more monitoring tools for analysis.
Passive SSL decryption is supported on the following GigaVUE H Series products with GigaSMART line cards or modules installed:
- GigaVUE‑HC3
- GigaVUE‑HC2
- GigaVUE‑HC1
Use Passive SSL decryption on the GigaSMART line card or module with passive or offline traffic. Tap the traffic to and from a server and pass it to the GigaVUE H Series node with the GigaSMART line card or module.
Passive SSL decryption operations can be assigned to GigaSMART groups consisting of multiple engine ports. Refer to Groups of GigaSMART Engine Ports for details.
For secure storage of private keys, Entrust nShield Hardware Security Module (HSM) is integrated with Passive SSL decryption. Refer to Entrust nShield HSM for SSL Decryption for Out-of-Band Tools for details.
Gigamon also offers inline SSL decryption, which inspects SSL encrypted traffic inline. Refer to Inline SSL Decryption for details.
Configuring Passive SSL Decryption Examples
The following sections provide examples of SSL decryption. Refer to the following:
- Example 1: SSL Decryption with a Regular Map
- Example 2: SSL Decryption with De-duplication
- Other Usage Examples
In Example 1, a regular map is configured to use with the SSL decryption GigaSMART operation.
Step | Description | Command
---|---|---
1 | Upload a key and create a service. Refer to Working with Keys and Services. | (config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
 | | (config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443
2 | Configure a GigaSMART group. | (config) # gsgroup alias gsgrp1 port-list 1/1/e1
3 | Specify the GigaSMART group alias. | (config) # gsparams gsgroup gsgrp1
4 | Specify a failover action. | (config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop
5 | Configure session timeouts, in seconds. | (config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
 | | (config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
 | | (config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20
6 | Configure cache timeouts, in seconds. | (config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
 | | (config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000
7 | Configure a key/service mapping that maps how a key is assigned to an IP address of a server. | (config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1
8 | Enable SSL decryption. | (config gsparams gsgroup gsgrp1) # ssl-decrypt enable
9 | Exit the GigaSMART group configuration mode. | (config gsparams gsgroup gsgrp1) # exit
 | | (config) #
10 | Configure a GigaSMART operation for SSL decryption. | (config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1
In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.
Next, configure a traffic map, as follows:
Step | Description | Command
---|---|---
1 | Specify a map alias (m1) and specify the map type and subtype. | (config) # map alias m1
 | | (config map alias m1) # type regular byRule
2 | Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map. | (config map alias m1) # use gsop gdssl1
3 | Specify a map rule. | (config map alias m1) # rule add pass ipver 4
4 | Specify the destination for packets matching this map. | (config map alias m1) # to 1/1/g2
5 | Specify the source port(s) for this map. | (config map alias m1) # from 1/1/g1
6 | Exit the map prefix mode. | (config map alias m1) # exit
 | | (config) #
7 | Display the configuration. | (config) # show gsop
 | | (config) # show map
 | | (config) # show gsparams
In Example 2, the configuration steps are the same except when you configure a GigaSMART operation you send the decrypted traffic to de-duplication for additional filtering, as follows:
(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1
Two typical usage examples are as follows:
- Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
- Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.
SSL encryption secures traffic between a client and a server, such as a Web server. SSL decryption uses keys to decode the traffic between the client and server.
SSL and Transport Layer Security (TLS) protocols consist of a set of messages exchanged between a client and server to set up and tear down the SSL connection between them. To set up the connection, the client and server use the Public Key Infrastructure (PKI) to exchange the bulk encryption keys needed for data transfer.
Figure 1 shows the basic SSL handshake between a client and server to establish a session. The messages are unencrypted up to step 6 in Figure 1. The messages are encrypted after step 6, including the step 9 Finished message.
Figure 1: Basic SSL Handshake
Once a session has been established, the keys are saved so a session can be resumed efficiently later. Figure 2 shows the resumed SSL handshake, with fewer steps.
Figure 2: Resumed SSL Handshake
Passive SSL decryption can be deployed close to the server, as shown in Figure 3.
Figure 3: Inbound (Server Side)
Passive SSL decryption can also be deployed close to an SSL proxy, with the server in the Enterprise domain as shown in Figure 4.
Figure 4: Outbound (Client/Enterprise Side)
In Figure 3, tap traffic to the server and then send it for decryption. In Figure 4, tap traffic to the proxy and then send it for decryption. You can have a deployment with either a server or a proxy, but not both.
The supported protocols are as follows:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2

The supported authentication (Au) is as follows:
- RSA

The supported key exchange (Kx) is as follows:
- RSA

The supported encryption algorithms (Enc) are as follows:
- NULL
- RC4
- DES
- 3DES
- AES (including GCM mode)
- CAMELLIA
- SEED
- IDEA

The supported compression algorithm is as follows:
- NULL

The supported digest algorithms are as follows:
- MD5
- SHA1
- SHA2

The supported key sizes are 128, 256, 512, 1024, 2048, and 4096.
The supported TLS extensions are as follows:
- Extended Master Secret, RFC 7627
- Encrypt-then-MAC, RFC 7366
The supported ciphers are listed in Table 5: Supported Ciphers for Passive SSL decryption.
Cipher Name | Kx | Au | Enc | Bits | Mac
---|---|---|---|---|---
TLS_RSA_WITH_NULL_MD5 | RSA | RSA | NULL | 0 | MD5
TLS_RSA_WITH_NULL_SHA | RSA | RSA | NULL | 0 | SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5 | RSA_EXPORT | RSA_EXPORT | RC4_40 | 40 | MD5
TLS_RSA_WITH_RC4_128_MD5 | RSA | RSA | RC4_128 | 128 | MD5
TLS_RSA_WITH_RC4_128_SHA | RSA | RSA | RC4_128 | 128 | SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | RSA_EXPORT | RSA_EXPORT | RC2_CBC_40 | 40 | MD5
TLS_RSA_WITH_IDEA_CBC_SHA | RSA | RSA | IDEA_CBC | 128 | SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | RSA_EXPORT | RSA_EXPORT | DES40_CBC | 40 | SHA
TLS_RSA_WITH_DES_CBC_SHA | RSA | RSA | DES_CBC | 56 | SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | RSA | 3DES_EDE_CBC | 168 | SHA
TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES_128_CBC | 128 | SHA
TLS_RSA_WITH_AES_256_CBC_SHA | RSA | RSA | AES_256_CBC | 256 | SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | RSA | RSA | CAMELLIA_128_CBC | 128 | SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | RSA | RSA | CAMELLIA_256_CBC | 256 | SHA
TLS_RSA_WITH_SEED_CBC_SHA | RSA | RSA | SEED_CBC | 128 | SHA
TLS_RSA_WITH_NULL_SHA256 | RSA | RSA | NULL | 0 | SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | RSA | AES_128_CBC | 128 | SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | RSA | AES_256_CBC | 256 | SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES_128_GCM | 128 | SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | RSA | AES_256_GCM | 256 | SHA384
All algorithms used for Passive SSL decryption are FIPS 140-2 compliant.
All key URLs must point to an RSA private key stored in the PEM or PKCS12 format, as follows:
- http://keyserver.domain.com/path/keyfile.pem
- https://keyserver.domain.com/path/keyfile.pem
- ftp://keyserver.domain.com/path/keyfile.pem
- tftp://keyserver.domain.com/path/keyfile.pem
- scp://username[:password]@keyserver.domain.com/path/keyfile.pem

The supported applications are as follows:
- HTTPS
- FTPS
- SMTP, IMAP, and POP3 with StartTLS

The limitations of Passive SSL decryption are as follows:
- Only IPv4
- Only regular maps; no virtual ports (vports)
- Only combined with the de-duplication GigaSMART operation
- Only one private key per PKCS12 file
- Only server-side authentication
- Only the protocols and ciphers listed in Supported Protocols, Algorithms, and Ciphers.
Note: If an SSL session cannot be decrypted because it uses a non-supported protocol or cipher, and the GS Parameter SSL Decryption setting Decrypt Fail Action is set to Pass to Tool Port, the packets are forwarded to the tool without decryption. Non-supported ciphers and protocols include SSL 2.0, Diffie-Hellman (DHE keys), Ephemeral keys, Elliptic Curves Extension, compression, and 8K key size.
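The supported-protocol and supported-cipher lists above decide whether a tapped session can be decrypted at all. The following added example, which is not part of the Gigamon documentation or product, parses the ServerHello of a captured handshake and checks the negotiated version, cipher suite, and compression against those lists. The function names and the sample records are constructed for illustration, the suite IDs are the IANA registry values for the cipher names in Table 5, and the code assumes the ServerHello is the first handshake message in a single TLS record.

```python
import struct

# IANA cipher suite IDs for the 20 suites in the page's supported-cipher table.
SUPPORTED_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0096: "TLS_RSA_WITH_SEED_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
SUPPORTED_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}  # SSL 3.0 through TLS 1.2


def parse_server_hello(record: bytes):
    """Return (version, cipher_suite, compression) from a TLS record holding a ServerHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a handshake record that starts with a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]  # follows the 2-byte version and 32-byte random
    if len(hello) < 35 + sid_len + 3:
        raise ValueError("truncated ServerHello")
    suite, compression = struct.unpack_from("!HB", hello, 35 + sid_len)
    return (hello[0], hello[1]), suite, compression


def passive_decrypt_verdict(record: bytes):
    """Return (decryptable, reason) judged against the page's supported lists."""
    version, suite, compression = parse_server_hello(record)
    if version not in SUPPORTED_VERSIONS:
        return False, "unsupported protocol version %d.%d" % version
    if compression != 0:
        return False, "compression negotiated"
    if suite not in SUPPORTED_SUITES:
        return False, "unsupported cipher suite 0x%04X" % suite
    return True, SUPPORTED_SUITES[suite]


def sample_server_hello(suite: int, version=(3, 3)) -> bytes:
    """Constructed sample record: zeroed random, empty session ID, no extensions."""
    hello = bytes(version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # 0x009C is in Table 5; 0xC02F (ECDHE) and 0x1301 (TLS 1.3) are not.
    for suite in (0x009C, 0xC02F, 0x1301):
        print(hex(suite), passive_decrypt_verdict(sample_server_hello(suite)))
```

Run over the ServerHello messages seen at the tap, this shows which servers negotiate sessions that fall outside the supported lists, which is the condition the unsupported-protocol, unsupported-cipher, and ephemeral-key ECODE entries describe.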
The GigaSMART license for Passive SSL decryption is installed as any other license.
There are no limits to the number of Passive SSL decryption sessions or the number of users.
To perform the configuration in the following section, you must have an admin level access role.
Before uploading keys or configuring SSL, you must create an SSL keychain password. The password is used to encrypt the private keys that you upload to the node.
Keychain passwords are not saved on the node. Refer to Notes about Private Keys and Passwords.
Note: When uploading SSL keys, make sure that you are not creating a duplicate key. Adding a duplicate key can cause errors.
To create an SSL keychain password, use the following steps:
1. From the device view, go to System > GigaSMART > Passive SSL > Key Store.
2. Click Keychain Password.
3. Enter a password in the Password and Confirm Password fields.
   You can only configure a strong password. A strong password has at least ten (10) characters and at least three (3) of the following:
   - uppercase letters
   - lowercase letters
   - numbers
   - special characters
4. Click OK.
After keys are installed on the node, you will be prompted to enter the password after any login as well as after a node reboot, for example:
If you are a user who does not have an admin level access role, when you enter the configure terminal mode, the following message is displayed:
Password required. Please contact administrator.
If you are a user with an admin level access role, but you enter an incorrect password, the following message is displayed:
Password does not match. Please reenter the password
If an SSL keychain password is lost, it can be reset, but all existing private keys will be revoked. When there are keys installed on the node, a warning is displayed before you are prompted for the new password.
Once you have a new password, you will have to upload the keys again.
This section describes working with private keys as well as services. Keys must be uploaded to the GigaVUE H Series node using a unique alias. Services must be defined for each server destination that needs decryption.
To perform the configuration in the following section, you must have an admin level access role.
Encrypted private keys are saved on the node. Refer to Notes about Private Keys and Passwords.
Note: When uploading SSL keys, make sure that you are not creating a duplicate key. Adding a duplicate key can cause errors.
A Key Store certificate can be set up to be auto-enabled, auto-deleted, and auto-retained for a passive SSL service. The configuration can be done as follows:
- On the left navigation pane, click , and then select Physical > Nodes.
- In the Physical Nodes page, select the node for which you want to configure Key Store settings.
- Go to GigaSMART > Passive SSL > Key Store.
- Click Settings. Configure the following settings:
  - Auto Enable New Certificates – This setting is not applicable for passive SSL service.
  - Auto Delete Expired Certificates – Deletes expired certificates automatically. This setting is triggered once a day at 12:00:00 UTC. Specify the number of days to retain an expired certificate in the Number of days to retain expired certificates field. The default value is 30 days.
  - Auto Delete Certificates with same entity – Deletes expired certificates with similar name associated to a passive SSL service. Once the setting is updated, the oldest certificate is deleted whenever the maximum number of allowed certificates is exceeded. Specify the maximum number of days to retain an expired certificate with same entity in the Max number of Certificates to retain for the same Entity field.
To upload an SSL private key, do the following:
- From the device view, select GigaSMART > Passive SSL > Key Store to open the Key Store page.
- Click Add. The SSL Key page appears.
- In the SSL Key page, enter the following details:
- For Alias, enter an alias for the SSL key.
- For Description, enter any additional information for the SSL key.
- For Key Upload Type, select PEM, PKCS12 or PKCS11.
- (optional) For Passphrase, enter a passphrase for the key.
- Select a Private Key by pasting the copied key in PEM format or installing from URL or installing from local directory.
- Select a Certificate by pasting the copied key in PEM format or installing from URL or installing from local directory.
Note:
- You can use either the server certificate or the private key to decrypt passive SSL traffic.
- If the Entrust nShield HSM for SSL Decryption for Out-of-Band Tools is enabled in SSL Service, you cannot use the server certificate to decrypt Passive SSL traffic.
- Click OK.
If you choose to use Venafi, Inc. as your Electronic Key Management System (EKMS), ensure that you have the GigaVUE‑FM host address and credentials to push the generated key into the selected nodes. For details on pushing keys from Venafi, see the GigaVUE-FM/Venafi Trust Protection Platform Integration Guide.
To delete a particular SSL private key, select the key on the SSL Keys page, and then select Delete. To delete all SSL private keys, select multiple keys.
The key store certificates that have been added are displayed on the Key Store page.
To access the Key Store page:
- On the left navigation pane, click , and then select Physical > Nodes.
- Select the node for which you want to view the key store certificate information.
- From the left navigation pane, go to System > GigaSMART > Passive SSL > Key Store. The details about the key store certificates added for the selected node are displayed.
The following table describes the fields:
Component | Description
---|---
Key Alias | The alias name of the Key certificate.
Type | Defines whether the Key Store is a Certificate or a Private Key.
Common name | A common name given to group the key based on domain.
Health Status | The health indicator of a certificate used in traffic flow. The three major indicators with their respective color legend are as follows: Green - The key certificate is attached to a passive SSL service and the service is part of the passive SSL GSOP, which is used in a traffic map. This also indicates a certificate that is being used as a signing CA in an outbound deployment. Blue - The key certificate is not actively participating in any traffic flow. Red - The key certificate has expired.
Organization | Organization name that provided the key.
Organization Unit | Organization unit name that provided the key.
Expiry Date | Date on which the key certificate expires.
Installed On | Date on which the key certificate was installed.
Description | Description or additional information about the key certificate.
Status | Status of the key certificate. The valid values are:
You can control the key store certificates display by utilizing the filters provided.
After you have uploaded a private key, you can add a service. A service maps to a physical server, such as an HTTP server. One server can run multiple services. A service is a combination of an IP address and a server port number. Also, the key and the service must be tied together.
Prerequisites
Before creating a service, you must do the following:
- Upload a private key as described in Upload SSL Private Keys.
- Create a GigaSMART Group with SSL Decryption enabled.
To create a service, do the following:
1. From the device view, select GigaSMART > Passive SSL > SSL Services. The SSL Services page appears.
2. Click New.
3. On the SSL Service configuration page, do the following:
   - Enter an alias.
   - Enter the information for the service: IP Address, Server Port.
   - Select the alias of SSL Key previously uploaded. For the steps, refer to Upload SSL Private Keys.
   - Select the GigaSMART Group with SSL decryption enabled to associate with this SSL service.
   shows an example of an SSL Service.
4. Click OK.
Delete SSL Service
To delete a particular SSL service, select the service on the SSL Services page, and then select Delete. To delete all SSL services, select multiple keys.
Notes about Private Keys and Passwords
Consider the following notes about private keys and passwords:
- Encrypted private keys are stored on the node. When a private key is uploaded, it is encrypted with a password before it is stored; therefore, keys are password-protected. Keychain passwords are not stored on the node.
- Because only encrypted private keys are stored on the node and because the keychain password is not stored on the node, after any node reboot you will be prompted to enter the password. Until the password is entered, Passive SSL decryption does not work.
- Key content cannot be displayed.
- Keys that are synchronized across a cluster are encrypted.
Use the following table of ECODE messages to assist with troubleshooting Passive SSL decryption:
ECODE | Description
---|---
81 | TCP flow errors detected. Make sure you see the complete TCP flow. Use the de-duplication GigaSMART operation with Passive SSL decryption.
103 | Session limit reached. The session table has been exhausted. If the session timeout (session-timeout) value is large, lower it.
104 | Key/ticket cache limit reached. The allocated cache entries have been used up. If the timeout (key-cache-timeout or ticket-cache-timeout) value is large, lower it.
206 | No server info. A flow has been received for which service-key mapping is not defined.
213 | Packets for missed TCP handshake. Packets were received for TCP flows that do not exist. If the device was just started, this should trend down quickly.
218 | Unknown SSL version. An SSL handshake processing error occurred. Use the de-duplication GigaSMART operation with Passive SSL decryption.
221 | Unknown SSL version. An unsupported SSLv2 handshake was seen.
222 | Protocol error. An unsupported protocol version was seen.
225 | Unsupported cipher. The cipher suite cannot be decrypted.
226 | Pre-master secret error. Check that the private key is correct and that the session is complete.
228 | Generic decryption error. Usually indicates errors in the handshake. Check that you are getting the full session from both sides.
231 | Invalid MAC. Likely indicates that invalid or truncated packets have been received.
232 | Session not in cache. Indicates that you are trying to decrypt a restarted session where the original negotiation was not seen. These should trend down in time, but if they do not, increase the key-cache-timeout value.
237 | Cannot decrypt ephemeral key based encryption. One of the Ephemeral/PFS ciphersuites, usually Diffie-Hellman Ephemeral, has been seen. These are not supported.
245 | Ticket not in cache. This is usually not an error. Indicates that you are trying to decrypt a restarted session where the original negotiation was not seen. These should trend down in time, but if they do not, increase the ticket-cache-timeout value.
GigaSMART provides support for Flow Ops reporting. You can generate the Flow Ops report for Passive SSL Decryption, view the session summary and session statistics, and export the report to a remote server.
To view the session summary and session details of the Passive SSL Decryption Flow Ops report:
- From the device view, go to System > GigaSMART > Passive SSL > Session Statistics.
- From the GigaSMART Group drop-down list, select the required GigaSMART group. The Session Summary and Session Details appear. For descriptions of the session statistics, refer to Flow Ops Report Statistics for Passive SSL Decryption.
- In the Session Summary table, click the Report Summary link to view the graphical representation of the trending data for the Passive SSL Decryption session summary as shown in the following figures:
You can also choose to export the session summary to a remote server. Select the required row in the Session Summary table, and then click Export Report. The Upload Flow Ops Report page appears. Enter the remote server path and password to access the server. Click Upload. The details are exported to the remote server.