DEPLOYMENT GUIDE SSL Insight Deployment for Thunder ADC Deployment Guide | SSL Insight Deployment for Thunder ADC Table of Contents 1 Overview ...................................................................................................................................................................................................................................4 2 Deployment Prerequisites ..............................................................................................................................................................................................4 3 Architecture Overview ......................................................................................................................................................................................................4 3.1 SSL Insight with an Inline Security Deployment ...................................................................................................................................5 4 New SSL Insight Features ...............................................................................................................................................................................................6 4.1 Features ...........................................................................................................................................................................................................................6 4.2 CA Certificate ..............................................................................................................................................................................................................6 5 Configuration Overview ..................................................................................................................................................................................................7 5.1 Thunder ADC Appliance Configuration Overview ...............................................................................................................................7 6 Configuration Steps for Thunder ADC Appliances ..........................................................................................................................................8 6.1 Network Configuration on the Thunder ADC Appliances ...............................................................................................................9 6.2 Configure VLANs and add Ethernet and Router Interfaces.............................................................................................................9 6.3 Configure IP Addresses on the VLAN Router Interfaces .................................................................................................................10 6.4 SSL Insight Configuration on the Thunder ADC Appliances.......................................................................................................10 7 Configuration Steps for Security Device .............................................................................................................................................................18 8 Summary ................................................................................................................................................................................................................................19 Appendix .......................................................................................................................................................................................................................................20 Appendix A. Complete Configuration File for the Thunder ADC Appliance .......................................................................................20 Appendix B. Webroot BrightCloud URL Classification ......................................................................................................................................21 Appendix C. Dynamic Port Intercept ...........................................................................................................................................................................23 Configuration Samples for Dynamic Port Intercept ....................................................................................................................................23 Appendix D. Single Appliance SSL Insight Solution ...........................................................................................................................................24 Appendix E. Appendix ICAP Support in Client Authentication Architecture .....................................................................................25 ICAP Workflow .....................................................................................................................................................................................................................25 Configuration Requirements .....................................................................................................................................................................................26 Appendix F. Bypass Client Certificate Authentication ......................................................................................................................................26 Configuration for Bypassing SSL Insight for Client Authentication Traffic ....................................................................................27 Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic ..................................................................27 Appendix G. Explicit Proxy .................................................................................................................................................................................................29 Explicit Proxy Configuration .......................................................................................................................................................................................29 Appendix H. Detailed Walkthrough of SSL Insight Packet FLow ................................................................................................................31 Appendix I. SSL Insight Certificate Installation Guide ........................................................................................................................................32 Generating a CA Certificate ........................................................................................................................................................................................32 Installing a Certificate in Microsoft Windows 7 for Internet Explorer ...............................................................................................33 Installing Certificate in Google Chrome ............................................................................................................................................................39 Installing a Certificate in Mozilla Firefox ..............................................................................................................................................................42 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions. 2 Deployment Guide | SSL Insight Deployment for Thunder ADC Appendix J. SSL Insight 4.0.3 Features .........................................................................................................................................................................44 OCSP Certificate Validation .........................................................................................................................................................................................44 OCSP Certificate Validation Process .......................................................................................................................................................................45 SSL Debug Alert Messages .................................................................................................................................................................................................47 Forward Proxy Failsafe ...........................................................................................................................................................................................................48 Command to disable Forward Proxy Failsafe: ................................................................................................................................................48 Forward Proxy Inspect ...........................................................................................................................................................................................................48 Internal Thunder ADC Ends-with Class-list Sample ...........................................................................................................................................49 Internal Thunder ADC Key-string Length Class-list Sample ..........................................................................................................................49 Appendix K. Reference Topologies ................................................................................................................................................................................50 SSL Insight – Inline Single Appliance Deployment......................................................................................................................................50 SSL Insight – Inline and Passive Mode Security Devices ..........................................................................................................................50 SSL Insight – Network and Passive Mode Security Devices ...................................................................................................................50 SSL Insight – Inline Mode with Explicit Proxy ..................................................................................................................................................51 SSL Insight – ICAP Topology with Explicit Proxy ............................................................................................................................................51 SSL Insight in Passive Inline with Explicit Proxy ..............................................................................................................................................52 Inline Mode with Bypass Switch/AFO ................................................................................................................................................................52 HA Inline Mode with Bypass Switch/AFO .......................................................................................................................................................52 About A10 Networks .............................................................................................................................................................................................................53 3 Deployment Guide | SSL Insight Deployment for Thunder ADC 1 Overview Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and forensics, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to discover attacks, intrusions, and data exfiltration hidden in encrypted communications. Many types of security devices are deployed non-inline to monitor network traffic. These devices cannot decrypt out bound SSL traffic. Growing SSL bandwidth, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, make it difficult for even the most powerful inline security devices to decrypt SSL traffic. To solve this challenge, A10 Networks® Thunder® ADC line of application delivery controllers’ SSL Insight™ feature eliminates the blind spot imposed by SSL encryption, offloading CPU-intensive SSL decryption functions that enable security devices to inspect encrypted traffic – not just clear text. The Thunder ADC SSL Insight feature acts as an SSL forward proxy, intercepts SSL encrypted traffic, decrypts it and forwards it through a firewall or Intrusion Prevention System (IPS). It can also mirror the unencrypted traffic to non-inline security devices such as analytics or forensics products. A second Thunder ADC appliance then takes this traffic and encrypts it again, and sends it to the remote destination. Using A10’s Application Delivery Partitions (ADPs), it is possible to use a single Thunder ADC appliance for encryption, decryption, and load balancing. 2 Deployment Prerequisites Here are the requirements for an SSL Insight deployment: • Thunder ADC appliances with A10 Networks Advanced Core Operating System (ACOS®) version 4.0.3 SP9 or later • Third-party security device such as a firewall, security analytics or forensics appliance or threat prevention platform • Deployed in inline (Layer2), routed (Layer 3) or ICAP mode (DLP or AV ICAP enabled solutions only) Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 4.0.1 SP9. There are some features in this release that may require CLI configuration only. If the guide does not provide the GUI, then it is only available for CLI configuration. 3 Architecture Overview This section illustrates a joint solution using Thunder ADC appliances and a third-party security device for SSL Insight capability. The SSL Insight services are provided by Thunder ADC appliances while traffic inspection and monitoring services are provided by third-party security devices. This is a simple, in-line SSL Intercept solution, using two Thunder ADC appliances for SSL decryption and re-encryption. For additional SSL Insight deployment options, please refer to Appendix J. Note: The security devices in this deployment guide are setup in Layer 2 (L2) mode. Security Internal Appliance External Client Internet Figure 1. SSL Insight and Firewall Load Balancing topology example 4 Deployment Guide | SSL Insight Deployment for Thunder ADC ADP 1 ADP 2 “Internal” “External” ÒClient ÒFirewall ÒFirewall ÒRouter Client Internet Security Appliance Figure 2. SSL Insight and Firewall Load Balancing topology in one-box solution 3.1 SSL Insight with an Inline Security Deployment The main feature of SSL Insight is to transparently intercept SSL traffic, decrypt it and send it through the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re- encapsulated in SSL and sent to the destination. A ladder-diagram is provided in Appendix B to show this process in greater detail. There are three distinct stages for traffic in such a solution, depicted in Figure 2: 1. Encrypted: From client to the internal Thunder ADC appliance, where traffic is encrypted. 2. Decrypted: From the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security device. Traffic is in clear text in this segment. 3. Encrypted: Traffic from the external Thunder ADC appliance to the remote server, where traffic is encrypted again. Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide1 for additional details on the SSL Insight feature. Application Server Internet 3 Encrypted External Thunder ADC Inspection and Protection DLP UTM 2 Decrypted IDS Others Internal Thunder ADC 1 Encrypted Client Figure 3. SSL Insight overview 1 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required. 5 Deployment Guide | SSL Insight Deployment for Thunder ADC 4 New SSL Insight Features With the growing request of SSL Insight features, A10 has proactively delivered a new set of SSL Insight features in ACOS 4.x releases. Each upgrade release within 4.x has its special features and administrator must determine the build release based on solution needs. Upgrading to 4.0.3 build will cover all the features of 4.0.1. 4.1 Features 4.1.1 Enhancements for ACOS 4.0.3 • OCSP Support for Server Certificate Validation – this feature is an enhancement version of the server certificate validation introduced in 4.0.3. This feature is used to validate a server certificate before enabling an SSL session with a remote server. This provides support for OCSP and OCSP stapling. • Debug Messages for SSL Failures – this feature enables TLS alerts to be logged when an SSL session fails, and can be deployed on a client or server SSL template. • Forward Proxy Failsafe – this feature is a bypass option when an SSL forward proxy fails. Enabling this feature will bypass SSL Insight traffic when SSL handshake fails. • Forward Proxy Inspect – this feature inspects Aho-Corasick class-list and performs SSL Insight if it matches to the class-list entries. Note: The features described above are shown in detail in Appendix J. 4.1.2 Enhancements for ACOS 4.0.1 With ACOS 4.0.1, A10 introduced significant new features and capabilities that lay the foundation of a rapid services integration platform for enterprise, cloud, and service provider networks. Within the A10 SSL Insight framework, the following features have been added: • URL Classification Web Category – Classifies all traffic that passes through the A10 device with the capability to bypass specific, sensitive data (for example, healthcare websites due to HIPAA regulations). Refer to Appendix B for more information. • Single Appliance SSL Insight Feature – Supports internal and external partitions deployed in a single A10 appliance. Refer to Appendix D for more information. Hypervisor-based SSL Insight Support – Supports SSL Insight on ESXi, KVM and Hyper-V hypervisors through A10 Networks vThunder® line of virtual appliances. • Dynamic Port Intercept – dynamically detects and intercepts the use of SSL, regardless of the protocol running on top of TCP. Refer to Appendix C for more information. • ICAP Support in Client Authentication Architecture – Enables the A10 device to support Internet Content Adaption Protocol (ICAP) on HTTP/HTTPS sessions. ICAP typically serves to provide data loss prevention (DLP) and antivirus services. • Explicit Proxy Support for SSL Insight – Enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic source (clients) and destination (hosts). • Bypass Client Authentication Traffic - Enables the A10 device to bypass certain HTTPS traffic that requires client certificate authentication (CAC/PKI). When subjecting this type of traffic to SSL Insight, the CAC transaction will fail. Note: To see configuration details for these features, refer to the A10 Thunder System and Administration Guide2. These features are all available in the 4.0.1 SP9 build. 4.2 CA Certificate A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self- signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system. The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance: 2 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required. 6 Deployment Guide | SSL Insight Deployment for Thunder ADC slb ssl-create certificate <certificate name> The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL package installed: openssl genrsa -out <name>.key openssl req -new -x509 -days 3650 -key <name>.key -out <name>.crt Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using SFTP or SCP. import ssl-cert <certificate name> scp://[user@]host/<source file> This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with SSL enabled. This can be done manually (see Appendix C), or using an automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX clients. Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx 5 Configuration Overview Configuration options for the SSL Insight feature are as follows: 1. Network configuration on the Thunder ADC appliance 2. SSL Insight configuration on the Thunder ADC appliance 3. Configuration on the third-party security device 5.1 Thunder ADC Appliance Configuration Overview The following sections provide more information about the Thunder ADC configuration items listed in the previous section. 5.1.1 Network Configuration Overview This solution has one Thunder ADC appliance in the external zone of the security devices and another Thunder ADC appliance in the internal zone of the security devices. This solution assumes that the security devices are configured in L2 transparent mode. Therefore, the Thunder ADC interfaces can be configured in one of the following modes: • As untagged VLAN interfaces with L3 Virtual Ethernet (VE) configured in the same subnet • As tagged VLAN interfaces with L3 VEs configured in the same subnet • As L3 PHY interfaces without requiring any VLANs This guide follows the first approach where the Thunder ADC appliances are configured with untagged VLAN interfaces. 5.1.2 SSL Insight Configuration Overview The SSL Insight configuration is slightly different on the external Thunder ADC appliance compared to the internal Thunder ADC appliance. The primary difference is that client-SSL and server-SSL templates are required on the internal and the external Thunder ADC appliance respectively. Only SSL traffic is intercepted. SSL Insight Configuration on Internal Thunder ADC Appliance SSL Insight configuration on the internal Thunder ADC appliance has the following key elements: • SSL traffic entering on port 443 is intercepted. - Port 443 is defined under a wildcard VIP to achieve this. • The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated, except for the issuer and base64 encoded public key. 7 Deployment Guide | SSL Insight Deployment for Thunder ADC - Client-SSL template is used for this. The Client-SSL template includes the required command forward- proxy-enabled, along with the local CA certificate (from 4.1) and its private key which is used for signing dynamically forged certificates. • The remote VE address of Thunder ADC is added as an SLB server, establishing the security device path. Port 8080 is defined for the security device path. - The command slb server defines a security device path and port number 8080 is added. • Along with the protocol (HTTPS to HTTP), the destination port also gets changed from 443 to 8080. - Service group is defined with port 8080 and bound to the virtual port. • However, the destination IP (i.e. Internet server IP) remains unchanged. • The command no-dest-nat port-translation achieves this. - The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP on port 8080 through the security device. SSL Insight Configuration on External Thunder ADC Appliance SSL Insight configuration on the external Thunder ADC appliance is simpler compared to the internal Thunder ADC appliance configuration. This configuration has the following key elements: • Clear-text HTTP traffic entering on port 8080 is intercepted. - Port 8080 is defined under a wildcard VIP to achieve this. • The next-hop gateway (default router) is defined as an SLB server. - The command slb server defines the default router IP address and port number 443 is added. • Along with the protocol (HTTP to HTTPS), the destination port also gets changed from 8080 to 443. - Service group is defined with port 443 and bound to the virtual port. • However, the destination IP (i.e. Internet Server IP) remains unchanged. - The command no-dest-nat port-translation achieves this. • Incoming HTTP traffic is converted into SSL traffic and sent out on port 443. - A server-SSL template is defined and applied to the virtual port. The template includes the command forward-proxy-enable. Optionally, a root CA certificate store file also may be applied to the server-SSL template. 5.1.3 Security Device Configuration Third-party security devices must be configured according to the recommend best practices of the security vendor. The key requirements for enabling SSL Insight in this configuration are: • ARP packets should be allowed for both internal and external Thunder ADC appliances. • Health-check packets should be allowed from the internal Thunder ADC appliance to the external Thunder ADC appliance; unless health-checks are disabled. 6 Configuration Steps for Thunder ADC Appliances This section provides detailed steps for configuring SSL Insight on Thunder ADC. Complete configuration details for both internal and external Thunder ADC appliances are shown in Appendix A. 8 Deployment Guide | SSL Insight Deployment for Thunder ADC 6.1 Network Confi guration on the Thunder ADC Appliances The steps in this section confi gure the following networking parameters: • VLANs and their router interfaces • Virtual Ethernet (VE) interfaces, which are IP addresses assigned to VLAN router interfaces The goal is to achieve the following IP addressing scheme on both Thunder ADC appliances as shown in Figure 1: VLAN VE IP Address Interface 10 10.10.1.2 /24 eth1 Internal ADC 15 10.15.1.2 /24 eth5 20 20.1.1.2 /24 eth1 External ADC 15 10.15.1.12 /24 eth5 6.2 Confi gure VLANs and add Ethernet and Router Interfaces Confi gure the following VLAN parameters on the internal Thunder ADC appliance as shown in Figure 1: • VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface. • VLAN-15: This is the path to the external Thunder ADC appliance through the security device. Add router- interface ve 15 along with the Ethernet interface. Using the CLI: ACOS(confi g)#vlan 10 ACOS(confi g-vlan:10)#untagged ethernet 1 ACOS(confi g-vlan:10)#router-interface ve 10 ACOS(confi g-vlan:10)#exit ACOS(confi g)#vlan 15 ACOS(confi g-vlan:15)#untagged ethernet 5 ACOS(confi g-vlan:15)#router-interface ve 15 ACOS(confi g-vlan:15)#exit Using the GUI: 1. Navigate to Network > VLAN. 2. Click Create. 3. Enter the VLAN ID, select the interfaces. 4. Name (Optional). 5. Check Create Virtual Interface. 6. Click Create VLAN. 7. Repeat for each VLAN. 9 Deployment Guide | SSL Insight Deployment for Thunder ADC 6.3 Confi gure IP Addresses on the VLAN Router Interfaces Verify that you have enabled the promiscuous VIP option under ve10, in order to subject inbound traffi c to wildcard VIP. Using the CLI: ACOS(confi g)#interface ve 10 ACOS(confi g-if:ve10)#ip address 10.10.1.2 /24 ACOS(confi g-if:ve10)#ip allow-promiscuous-vip ACOS(confi g-if:ve10)#exit ACOS(confi g)#interface ve 15 ACOS(confi g-if:ve15)#ip address 10.15.1.2 /24 ACOS(confi g-if:ve15)#exit Using the GUI: 1. Navigate to Network > Interfaces > Virtual Ethernets. The interfaces confi gured above should be visible. 2. Click edit on ifnum “100” and confi gure the general fi elds and IPv4 address. 3. Click update when done. 4. Repeat for each VE. 5. Enter the IP Address and Subnet and click add. 6. Enable “Allow Promiscuous VIP” option. 7. Click update and continue. Repeat the steps above on the external Thunder ADC appliance pair, and make sure to use unique IP addresses. 6.4 SSL Insight Confi guration on the Thunder ADC Appliances SSL Insight configuration on the internal Thunder ADC appliance will intercept traffic on TCP port 443, decrypt it, and send it in clear text over TCP port 8080 to the security device. Consequently, the external Thunder ADC appliance will intercept clear text traffic arriving on TCP port 8080 and encrypt it back before sending it to the remote hosts. All other traffic will be bypassed using wildcard TCP and UDP ports as configured in the following sections. 10