You can enable Advanced TLS traffic inspection for the intrusion prevention module.
 |
NoteAdvanced TLS traffic inspection and SSL inspection do not support compressed traffic.
|
For an overview of the intrusion prevention module, see Block exploit attempts using intrusion prevention.
Enable Advanced TLS traffic inspection
Advanced TLS traffic inspection offers a few benefits over the legacy SSL inspection
implementation:
- Removes the need to configure TLS credentials manually
- Supports more ciphers than SSL inspection, including Perfect Forward Secrecy (PFS) ciphers
See Supported cipher
suites for a full list of the supported ciphers.
Advanced TLS traffic inspection is enabled by default when the intrusion prevention
module is turned on. You can verify the status of the feature by viewing the policy
properties: .
Use Advanced TLS traffic inspection to inspect traffic
Advanced TLS traffic inspection does not require configuration to function. Only inbound
traffic on Windows and Linux platforms is currently supported. See the Supported features by platform topic for more details.
On Windows, Advanced TLS traffic inspection only supports traffic using Windows-native
TLS communication channels (Secure Channel). For example, traffic produced by the following applications:
- IIS
- Microsoft Exchange
- Remote Desktop Protocol (RDP)
On Linux, Advanced TLS traffic inspection only supports traffic by popular web applications:
NGINX, Apache HTTP Server, and HAProxy.
|
NoteIf you need to inspect TLS traffic that is not supported by Advanced TLS traffic inspection,
or
TLS traffic on other operating systems, you can configure
the legacy SSL inspection instead.
|
Configure SSL inspection (legacy)
You can configure SSL inspection for a given credential-port pair on one or more
interfaces of your protected computer.
Credentials can be imported in PKCS#12 or PEM format. The credential file must
include the private key. Windows computers can use CryptoAPI directly.
-
In the Server & Workload Protection console, select the computer to configure and click Details to open the computer editor.
-
In the left pane of the computer editor, click and click View SSL Configurations to open the SSL computer Configurations window.
-
Click New to open the SSL Configuration wizard.
-
Specify the interface to which to apply the configuration on this computer:
- To apply to all interfaces on this computer, select All Interface(s).
- To apply to specific interfaces, select Specific Interface(s).
-
Select Port(s) or Ports List and select a list, then click Next.
-
On the IP Selection screen, select All IPs or provide a Specific IP on which to perform SSL inspection, then click Next.
-
On the Credentials screen, select how to provide the credentials:
-
I will upload credentials now
-
The credentials are on the computer
Note
The credential file must include the private key.
-
-
If you chose the option to upload credentials now, enter their type, location, and pass phrase (if required). If the credentials are on the computer, provide Credential Details.
- If you are using PEM or PKCS#12 credential formats stored on the computer, identify the location of the credential file and the file's pass phrase (if required).
- If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.
-
Provide a name and description for this configuration.
-
Review the summary and close the SSL Configuration Wizard. Read the summary of the configuration operation and click Finish to close the wizard.
Change port settings
Change the port settings for the computer to ensure that the agent is performing the
appropriate Intrusion Prevention filtering on the SSL-enabled ports. The changes you
make are applied to a specific application type, such as Web Server Common, on the
agent computer. The changes do not affect the application type on other computers.
- Go to Intrusion Prevention Rules in the computer's Details window to see the list of Intrusion Prevention rules being applied on this computer.
- Sort the rules by Application Type and locate the "Web Server Common" application type. (You can perform these changes to similar application types as well.)
- Right-click a rule in the application type and click Application Type Properties.
- Override the inherited "HTTP" Port List so that you include the port you defined during the SSL Configuration setup as well as port 80. Enter the ports as comma-separated values. For example, if you use port 9090 in the SSL configuration, enter 9090, 80.
- To improve performance, on the Configuration tab, deselect Inherited and Monitor responses from Web Server.
- Click OK to close the dialog.
Use Intrusion Prevention when traffic is encrypted with Perfect Forward Secrecy (PFS)
Perfect Forward Secrecy (PFS) can be used to create a communication channel that cannot be decrypted if, at a later
time, the server's private key is compromised. Since the intent of Perfect Forward
Secrecy is to prevent decryption after the session is over, it also prevents the Intrusion
Prevention module from seeing the traffic through SSL inspection.
|
NoteUsing the Advanced TLS traffic inspection feature, the Intrusion Prevention module
will be able to analyze traffic encrypted with PFS ciphers without additional configuration.
|
To use PFS ciphers with SSL inspection instead, you can do the following:
- Use Perfect Forward Secrecy for TLS traffic between the Internet and your load balancer (or reverse proxy).
- Terminate the Perfect Forward Secrecy session at your load balancer (or reverse proxy).
- Use a non-PFS cipher suite (see SSL inspection supports the following cipher suites below) for traffic between the load balancer (or reverse proxy) and the web server or application server, so that the Intrusion Prevention module on the server can decrypt the TLS sessions and inspect them.
- Restrict traffic to the web server for application server ports that do not use Perfect Forward Secrecy.
Special considerations for Diffie-Hellman ciphers
|
NoteThis section only applies when using SSL inspection instead of Advanced TLS traffic
inspection.
|
Perfect Forward Secrecy relies on the Diffie-Hellman key exchange algorithm. On some
web servers, Diffie-Hellman might be the default, which means that SSL inspection
won't work properly. It is therefore important to check the server's configuration
file and disable Diffie-Hellman ciphers for TLS traffic between the web server and
load balancer (or reverse proxy). For example, to disable Diffie-Hellman on an Apache
server:
- Open the server's configuration file. The file name and location of web server configuration
files vary by operating system (OS) and distribution. For example, the path could
be:
- Default installation on RHEL4:
/etc/httpd/conf.d/ssl.conf - Apache 2.2.2 on Red Hat Linux:
/apache2/conf/extra/httpd-ssl.conf
- Default installation on RHEL4:
- In the configuration file, find the "
SSLCipherSuite" variable. - Add
!DH:!EDH:!ADH:to these fields, if this string does not already appear. (The "!" tells Apache to "not" use this cipher.) - For example, you might edit the Apache configuration file's cipher suite to look like this:
SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
For more information, see the Apache Documentation for SSLCipherSuite Directive.
Supported cipher suites
|
Hex Value
|
OpenSSL Name
|
IANA Name
|
NSS Name
|
Advanced TLS Inspection
|
SSL inspection (legacy)
|
|
0x00,0x04
|
RC4-MD5
|
TLS_RSA_WITH_RC4_128_MD5
|
SSL_RSA_WITH_RC4_128_MD5
|
✔
|
✔
|
|
0x00,0x05
|
RC4-SHA
|
TLS_RSA_WITH_RC4_128_SHA
|
SSL_RSA_WITH_RC4_128_SHA
|
✔
|
✔
|
|
0x00,0x09
|
DES-CBC-SHA
|
TLS_RSA_WITH_DES_CBC_SHA
|
SSL_RSA_WITH_DES_CBC_SHA
|
✔
|
✔
|
|
0x00,0x0A
|
DES-CBC3-SHA
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
✔
|
✔
|
|
0x00,0x2F
|
AES128-SHA
|
TLS_RSA_WITH_AES_128_CBC_SHA
|
TLS_RSA_WITH_AES_128_CBC_SHA
|
✔
|
✔
|
|
0x00,0x33
|
DHE-RSA-AES128-SHA
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
✔
|
|
|
0x00,0x35
|
AES256-SHA
|
TLS_RSA_WITH_AES_256_CBC_SHA
|
TLS_RSA_WITH_AES_256_CBC_SHA
|
✔
|
✔
|
|
0x00,0x39
|
DHE-RSA-AES256-SHA
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
✔
|
|
|
0x00,0x3C
|
AES128-SHA256
|
TLS_RSA_WITH_AES_128_CBC_SHA256
|
TLS_RSA_WITH_AES_128_CBC_SHA256
|
✔
|
✔
|
|
0x00,0x3D
|
AES256-SHA256
|
TLS_RSA_WITH_AES_256_CBC_SHA256
|
TLS_RSA_WITH_AES_256_CBC_SHA256
|
✔
|
✔
|
|
0x00,0x41
|
CAMELLIA128-SHA
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
✔
|
✔
|
|
0x00,0x67
|
DHE-RSA-AES128-SHA256
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
✔
|
|
|
0x00,0x6b
|
DHE-RSA-AES256-SHA256
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
✔
|
|
|
0x00,0x84
|
CAMELLIA256-SHA
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
✔
|
✔
|
|
0x00,0x9c
|
AES128-GCM-SHA256
|
TLS_RSA_WITH_AES_128_GCM_SHA256
|
TLS_RSA_WITH_AES_128_GCM_SHA256
|
✔
|
✔
|
|
0x00,0x9d
|
AES256-GCM-SHA384
|
TLS_RSA_WITH_AES_256_GCM_SHA384
|
TLS_RSA_WITH_AES_256_GCM_SHA384
|
✔
|
✔
|
|
0x00,0x9e
|
DHE-RSA-AES128-GCM-SHA256
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
✔
|
|
|
0x00,0x9f
|
DHE-RSA-AES256-GCM-SHA384
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
✔
|
|
|
0x00,0xBA
|
CAMELLIA128-SHA256
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
✔
|
✔
|
|
0x00,0xC0
|
CAMELLIA256-SHA256
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
✔
|
✔
|
|
0xc0,0x09
|
ECDHE-ECDSA-AES128-SHA
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
✔
|
|
|
0xC0,0x0A
|
ECDHE-ECDSA-AES256-SHA
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
✔
|
|
|
0xc0,0x13
|
ECDHE-RSA-AES128-SHA
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
✔
|
|
|
0xc0,0x14
|
ECDHE-RSA-AES256-SHA
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
✔
|
|
|
0xc0,0x23
|
ECDHE-ECDSA-AES128-SHA256
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
✔
|
|
|
0xc0,0x24
|
ECDHE-ECDSA-AES256-SHA384
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
✔
|
|
|
0xc0,0x27
|
ECDHE-RSA-AES128-SHA256
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
✔
|
|
|
0xc0,0x28
|
ECDHE-RSA-AES256-SHA384
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
✔
|
|
|
0xc0,0x2b
|
ECDHE-ECDSA-AES128-GCM-SHA256
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
✔
|
|
|
0xc0,0x2c
|
ECDHE-ECDSA-AES256-GCM-SHA384
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
✔
|
|
|
0xc0,0x2f
|
ECDHE-RSA-AES128-GCM-SHA256
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
✔
|
|
|
0xc0,0x30
|
ECDHE-RSA-AES256-GCM-SHA384
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
✔
|
|
|
0xC0,0x9C
|
AES128-CCM
|
TLS_RSA_WITH_AES_128_CCM
|
TLS_RSA_WITH_AES_128_CCM
|
✔
|
✔
|
|
0xC0,0x9D
|
AES256-CCM
|
TLS_RSA_WITH_AES_256_CCM
|
TLS_RSA_WITH_AES_256_CCM
|
✔
|
✔
|
|
0xC0,0xA0
|
AES128-CCM8
|
TLS_RSA_WITH_AES_128_CCM_8
|
TLS_RSA_WITH_AES_128_CCM_8
|
✔
|
✔
|
|
0xC0,0xA1
|
AES256-CCM8
|
TLS_RSA_WITH_AES_256_CCM_8
|
TLS_RSA_WITH_AES_256_CCM_8
|
✔
|
✔
|
|
0xcc,0xa8
|
ECDHE-RSA-CHACHA20-POLY1305
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
✔
|
|
|
0xcc,0xa9
|
ECDHE-ECDSA-CHACHA20-POLY1305
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
✔
|
|
|
0xcc,0xaa
|
DHE-RSA-CHACHA20-POLY1305
|
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
✔
|
Supported protocols
The following protocols are supported:
- TLS 1.0
- TLS 1.1
- TLS 1.2
SSL 3.0 inspection is not supported and will be blocked by default.