2.Check Point to the maximum. HTTPS inspection

  • Tutorial

In the previous lesson, we touched on the problem of the human factor in information security. As a result, we concluded that it does not matter how much quality and expensive equipment you use, because everything "rests" in the setting, which must be done correctly. In this tutorial, we will take a look at https inspection . Quite a few underestimate the importance of this feature without which modern network protection is unthinkable. But first things first.

Web traffic protection


Almost all modern NGFW or UTM solutions have the functionality of checking web traffic. This includes categorizing sites and checking downloadable content and defining web applications. Moreover, the last point (web applications) is very important, because a huge number of services can work through the same port. And if almost all vendors have no problems with checking HTTP traffic, then HTTPS is a real challenge for modern security tools.

Https


I think that it makes little sense to tell what HTTPS is and how important it is for organizing a secure Internet. Thanks to HTTPS, you can be sure that between the client (browser) and the server (web-server) it is impossible to intercept or change the transmitted information. According to statistics for 2017, the share of HTTPS traffic exceeded 50%.



Moreover, modern browsers (for example google chrome) will mark http-sites with an authorization form as untrusted, and google will lower them in search results. All this will provoke an even more rapid increase in the share of HTTPS traffic.

As mentioned earlier, HTTPS is used for secure communication between two nodes on the Internet. At the same time, HTTPS is not some new protocol, in general it is just HTTP, just SSL or TLS is used as a transport protocol to protect traffic. It is these protocols that are responsible for authentication, encryption and traffic integrity. We will not consider in detail the operation of these protocols, but to anyone interested, I highly recommend this article . In a rough approximation, the work of HTTPS is as follows:



Those. the client initiates a TLS request to the Web server and receives a TLS response, and also sees a digital certificate, which naturally needs to be trusted. An example certificate when accessing vk.com is shown above. It contains secure connection settings and a public key. In addition, the browser may “tell” which version of TLS is being used. Again, this is a very simplified description of the operation of TLS.

After a successful TLS Handshake, encrypted data transfer begins. It would seem that this is very good (the way it is). However, for the “safe” in the company is a real headache. Since he does not “see” this traffic and cannot check its contents with either antivirus, intrusion prevention system (IPS), or DLP system, nothing ... And this, in turn, is a very serious vulnerability. Because Since most sites switch to HTTPS, without an HTTPS inspection, your Internet gateway cannot check most of the Web traffic (because it is encrypted). In addition, cybercriminals are increasingly using cloud-based file storages to spread viruses that also work over HTTPS. Thus, no matter how high-quality and expensive your firewall is (be it a UTM or NGFW solution), it will skip absolutely all viruses and malware without HTTPS inspection enabled. Even the notorious test virus EICAR, which is detected by any antivirus, will successfully pass your protection through HTTPS. We will definitely consider this as an example.

HTTPS inspection


The HTTPS inspection technology is designed to solve the security problem. Its essence is ugly simple. In fact, the device that organizes the HTTPS inspection makes a man-in-the-middle attack . It looks like this:



I.e. Check Point intercepts a user’s request, raises an HTTPS connection with it, and from itself raises an HTTPS session with the resource that the user accessed. In this case, the client is presented with a certificate issued by Check Point itself. It goes without saying that this certificate must be trusted. For this, Check Point has the ability to import a certificate from a trusted CA (subordinate certificate). When importing, make sure that the certificate has a signature algorithm of at least sha256 , because if he will for examplesha1 , then modern browsers will “swear” at such certificates. Or you can generate a self-signed certificate, which then needs to be trusted for all computers. This method we will consider using an example.

Thus, being in the middle between two encrypted connections, Check Point is able to scan traffic and all files, both with the help of antivirus and the rest of the blades (IPS, Threat Emulation, etc.). You can read more about Check Point HTTPS inspection here .

Limitations of HTTPS Inspection


However, not all so simple. The man-in-the-middle method does not always work. There are cases when it is simply impossible to decrypt https traffic. Here are some examples:

1) Domestic cryptographic algorithms (GOST) are used instead of standard SSL / TLS.
At the moment, no foreign solution can correctly decrypt such HTTPS traffic (although I personally do not know any domestic solutions that can do such a https inspection). As a solution, you can configure exceptions in the HTTPS inspection for sites of this category.

2) Used Certificate Pinnig.
Those. the client application knows in advance the server certificate that it is accessing. The serial number of the certificate is usually checked. In this case, the application simply will not look into the local store of trusted certificates and an error will naturally occur when trying to replace it. Most often, this problem applies to fat clients (such as Skype, Telegram) that use SSL / TLS as a transport. In addition, just the other day I discovered that the updated version of google chrome also began to use certificate pinning technology for its services (youtube, google drive, gmail and so on). This makes it impossible to use https inspection. Google actively cares about user safety, but significantly complicates the life of security guards. In this case, there are two outputs:

  • Set up exclusions in https inspections for Google services. I am sure that this is extremely undesirable for companies.
  • Use a different browser ... For example, Firefox.

I am sure that many are interested in the problem of applications such as telegram, etc. Unfortunately (or fortunately) at the moment it is not possible to decrypt this traffic. Or you block these applications, because it is impossible to “see” this traffic at the network level, or you use an additional level of protection in the form of some agents on users' computers, for example, CheckPoint SandBlast Agent , which will be able to scan for traffic that has already been decrypted (for example, received files via the messenger).

3) Authentication is used not only the server, but also the client.
This is typical for sites from the financial services category, when a client uses a special key or token to access a bank portal. Naturally, in this case, a device that performs HTTPS inspection simply will not be able to organize an https connection to the server, because does not have the right key. The problem is solved only by setting exceptions in the HTTPS inspection.

4) A protocol other than SSL / TLS is used.
In this case, we are no longer talking about GOST encryption, but about a relatively new protocol from google - quic. The Google company begins to actively transfer its services to this protocol. At the same time, it is currently impossible to decrypt it. The only solution in this case is to block the quic protocol, after which google services begin to use standard SSL / TLS.

Customization


Describing the setting in text format is quite difficult, so we made a short video. In the first part, the theory described above is described, and in the second part we try to download the virus via HTTPS, and then configure the HTTPS inspection and compare the result.



Conclusion


The most important thing to learn from this lesson is that the HTTPS inspection is a MANDATORY component of modern protection. Without this feature, your network has a huge black hole in terms of security. And this applies not only to Check Point, but also to all other solutions. Be sure to test your network in this way. All that is needed is some kind of test virus and a client machine, preferably without an antivirus, so that it cannot block file downloading (for the purity of the experiment).
This concludes the second lesson, thank you for your attention!

You can conduct a free audit of Check Point security settings here.

PS I would like to thank Alexey Beloglazov for help in preparing the lesson.

Only registered users can participate in the survey. Please come in.

Do you use HTTPS inspection on the network perimeter?

  • 27.4% Yes 14
  • 39.2% No, but I plan 20
  • 33.3% No and don't plan 17

Also popular now: