Cisco SSL Appliance Administration & Deployment Guide Version 3.9 November 20, 2015 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2015 Cisco Systems, Inc. All rights reserved. C O N T E N T S Introduction 1-1 SSL Inspection Overview 1-1 Product Overview 1-3 Key Features 1-4 Security Best Practices 2-1 Master Key Storage 2-1 Management Interfaces Access Control 2-2 Secure SNMP Monitoring 2-2 Certificate Resigning Using Secure Key Sizes 2-2 HSM Authentication Using Secure Key Sizes 2-2 SSL Appliance WebUI Keys and Certificates Using Secure Key Sizes 2-3 Wiping Appliance Hard Disk Before RMA 2-3 System Behavior & Deployment Examples 3-1 Transparent SSL Decryption / Encryption 3-1 SSL Decryption Methods 3-2 Known Server Key Method 3-2 Certificate Resigning Method 3-4 Self-Signed Server Certificate Handling 3-5 Decryption Methods in Cooperative Configurations 3-6 Mark SSL Plaintext 3-6 Deployment Modes 3-7 Passive-Tap Mode 3-8 Passive-Inline Mode 3-10 Active-Inline Mode 3-11 Policies 3-13 Segment Policies 3-14 Policy Rulesets 3-15 Lists 3-21 Reset Generation 3-22 Failure Modes and High Availability 3-22 Link Failures 3-23 Software (Data-Plane) Failures 3-24 Cisco SSL Appliance Admistration & Deployment Guide iii Contents Example Deployment Configurations 3-25 Outbound Inspection 3-25 Inbound Inspection 3-27 Inbound and Outbound Inspection 3-27 High Availability Deployment 3-28 Initial Configuration and Setup 4-1 Power On the Appliance 4-1 Bootup Behavior 4-2 Configuring System Date/Time and Timezone 4-2 Configure Management Network Settings 4-3 Configure Management Users 4-5 System Status 4-6 Install a Local CA for Certificate Resign 4-8 Local Resigning CA Specific Tools 4-9 Create a Local CA 4-9 Import a CA 4-11 Import Known Server Keys 4-12 Example Passive-Tap Mode Inspection 4-12 Example Passive-Inline Mode Inspection 4-20 Example Active-Inline Mode Inspection 4-25 Work with a SafeNet Java HSM 5-1 Adding an HSM 5-2 Before You Begin: PKI Basics 5-2 Add a Trusted Certificate 5-2 Add a Client Certificate 5-3 Add an HSM 5-5 Add Resigning Certificates 5-5 Add a new HSM Resigning Certificate Authority 5-5 Write HSM Configuration in Policy 5-7 HSM Logs 5-8 HSM Diagnostics 5-9 User Interface Overview 6-1 Introduction 6-1 Configure the Browser 6-1 Login Process 6-2 Use the Main Screen 6-3 Monitor the System 6-6 Cisco SSL Appliance Admistration & Deployment Guide iv Contents Monitor the Dashboard for Current Status 6-6 Gather System Information 6-7 View System Log Entries 6-9 SSL Session Log 6-10 SSL Statistics 6-12 Certificates 6-13 Errors 6-14 Diagnostics 6-14 Debug 6-15 Configure Segments and Policies 6-17 Configure Rulesets to Handle SSL Traffic 6-18 Disable a Rule 6-21 Configure Receive Interfaces with Segments 6-23 System Options 6-23 Segments 6-25 Certificate Status Actions 6-26 Plaintext Marker and Failure Mode Options 6-27 Translate VLAN IDs with VLAN Mappings 6-28 About VLAN Configurations 6-28 VLAN Notes 6-29 Example Basic Segment Configuration with VLAN Translation 6-30 Subject/Domain Names List 6-33 Domain Names List 6-34 IP Address Lists 6-35 Cipher Suites Lists 6-36 Host Categorization Lists 6-36 Download the Host Categorization Database 6-37 Use the Host Categorization Lists 6-38 Examples of Category Usage in Policy 6-40 Rename a Category 6-40 Traffic Classes Lists 6-41 6-42 Policy Examples 6-42 PKI Management 6-42 Resigning Certificate Authorities 6-43 Certificate Tools 6-43 External Certificate Authorities 6-43 Certificate Revocation Lists 6-44 Trusted Certificates 6-46 Known Certificates and Keys 6-46 Cisco SSL Appliance Admistration & Deployment Guide v Contents Client Certificates 6-47 HSM Appliances 6-48 Platform Management 6-48 Information 6-48 Management Network 6-49 Configure SNMP Access 6-53 Notes 6-53 Get the MIBs 6-54 Download the MIBs 6-54 Configure the SNMP System 6-54 About SNMP v3 6-57 SSL Appliance SNMP Traps 6-60 Remote Logging 6-61 Date/Time 6-61 TACACS Servers 6-63 TACACS Administrator Privilege Mapping 6-64 Users 6-65 Alerts 6-67 License 6-69 Backup/Restore 6-70 Halt/Reboot 6-72 Import UI Certificate/Key 6-72 Update 6-73 Login Banner 6-74 Preferences 6-76 User Management 6-76 Change Password 6-77 Logout 6-77 Troubleshoot the System 7-1 Supported Network Protocols and Frame Encapsulations 7-1 Supported SSL/TLS versions 7-1 Support for Client Certificates 7-1 Supported Cipher Suites 7-2 Support for SSL Record Layer Compression 7-5 Support for Stateless Session Resumption (RFC5077) 7-5 Steps to Troubleshoot SSL Decryption 7-5 Monitor Network Port Statistics 7-5 Monitor the SSL Statistics 7-5 Cisco SSL Appliance Admistration & Deployment Guide vi Contents Monitor the SSL Session Log 7-5 Verify that the Inspection Policy is Set Up Correctly 7-6 Known Server vs Trusted Server Certificates 7-6 Caveats when Enabling/Disabling SSL Inspection 7-6 Generating the Resigning CA Certificates 7-7 Access to Microsoft Windows Update Denied 7-7 Issues with Alerts 7-7 Procedure for Reporting an Issue 7-8 Preparing for Hardware Diagnostics or Maintenance 7-8 Command Line Diagnostics Interface 7-8 Additional Screens in the WebUI 7-16 SSL Session Log 7-17 SSL Version 7-17 Cipher Suite 7-18 Flags 7-18 Debug 7-18 License 7-19 Sensor Thresholds 8-1 Units of Measurement 8-1 Safety Information 9-1 Safety Instructions 9-1 Technical Support 10-1 Cisco SSL Appliance Admistration & Deployment Guide vii Contents Cisco SSL Appliance Admistration & Deployment Guide viii 1 CH A P T E R Introduction The following conventions are used throughout this document. Note This style indicates a "note" providing additional information that the reader might be interested in. Caution This style indicates a "warning" providing additional information that the reader needs to pay attention to. Elements you see on the WebUI such as the names of screens, fields, and options appear in this typeface. This guide covers all SSL Appliances and their variations. Where differences exist, the models are called out. Throughout this document the term SSL is used to mean both SSL and TLS, unless explicitly indicated. Secure Socket Layer (SSL) has been largely replaced by Transport Layer Security (TLS) which is the more up to date standard derived from SSL. Both SSL and TLS traffic are present in networks today and the SSL Appliance is capable of inspecting both types of traffic. The SSL Appliance software is subject to licensing by Cisco. See System Status, page 4-6 of this document for details on licensing. Note The act of “inspecting” SSL traffic might be subject to corporate policy guidelines and/or national legislation. It is your responsibility to ensure that your use of the SSL Appliance is in accordance with any such legal or policy requirements. SSL Inspection Overview As organizations become dependent on IP based applications and services, the demand for secure reliable communications has never been higher. The increase in CPU performance has made client-based encryption a viable solution for enterprise communications. SSL is the dominant client based encryption protocol and now constitutes a significant and growing percentage of the traffic in the enterprise LAN and WAN, as well as throughout service provider networks. SSL is used as a VPN technology to allow users to securely communicate with the enterprise. It is also used for secure communications from inside of the enterprise to Internet-based applications and services (banking, e-commerce, web mail, cloud applications and personal e-mail). Cisco SSL Appliance Administration & Deployment Guide 1-1 Chapter 1 Introduction SSL Inspection Overview The privacy benefits provided by SSL can quickly be overshadowed by the risks it brings to the enterprise network. SSL encryption can: • Mask threats, such as viruses, spam and malware (cid:129) Make corporate acceptable use policies less effective (cid:129) Increase the likelihood of accidental or intentional leakage of confidential information SSL Inspection enables existing security and network appliances to access the plaintext within SSL flows thereby enabling the security appliance to do its job, even with SSL encrypted traffic. Unmodified applications running on devices attached to the SSL Appliance gain visibility into the content of the SSL traffic. SSL Inspection is a complex and computationally intensive process that can easily become a performance bottleneck unless implemented with appropriate hardware acceleration techniques. There are two different mechanisms that can be used in order to "inspect" SSL traffic depending on what information is available and how the inspection device is deployed in the network. (cid:129) Known server key mechanism relies on the inspecting device having a copy of the servers private key and certificate (cid:129) Certificate resign mechanism relies on the inspecting device having a trusted CA certificate that can be used to sign SSL server certificates that have been intercepted and modified There are three basic connectivity modes that define how the SSL inspecting appliance and the associated security appliance are connected to each other and to the network. These modes are identified as: (cid:129) Active-Inline (cid:129) Passive-Inline (cid:129) Passive-Tap The Active / Passive designation refers to the associated security appliance and how it behaves while the Inline/Tap designation refers to how the SSL inspecting device is connected to the network. An "Active" associated appliance processes traffic from the SSL inspecting device and then returns the traffic to the device while a "Passive" appliance simply consumes traffic. The SSL Inspecting device can be either "In-line" or can be connected to a network span or tap port. Note SSL Inspection using "certificate resign" and SSL policy enforcement can only be done if the SSL Inspecting device is connected "inline" in the network. Note Only "known server key" mode can be used to inspect SSL traffic when the inspecting device is connected to a network tap. Inspection is not possible if the session uses Diffie-Hellman or Elliptic Curve Diffie-Hellman for key exchange. SSL inspection enables the identification and elimination of risks, such as regulatory compliance violations, viruses/malware, and intrusion attempts normally hidden within SSL. The privacy and integrity of SSL encrypted communications are maintained by making the plaintext available only to the Cisco SSL Appliance Administration & Deployment Guide 1-2
Description: