Firewalls and encryption How deep the rabbit hole goes?

Introduction

Márton Illés, BalaBit

Product Manager

Agenda...

• Bridge of Death, or "you have to know these things when you're a king"

– You have to know these things when you're an Ethical Hacker!

• Modern net-tale about Alice, Bob, Mallory and Trent where it turns out that Mallory might not be such a bad boy and Trent is not as trustworthy as we have thought before...

A word on firewalls

• A firewall is a network-aware access control device, which enforces rules

• Different firewall technologies

– Packet Filter

– Proxy

– Intrusion Prevention System

Our problem

• We want to encrypt our communications

• We want to control all communications on the firewall

• If the communication is encrypted, the firewall cannot look inside → cannot control it!

• Which shall we throw away?

– The firewall or the encryption?

How deep the rabbit hole goes?

• Man-in-the-middle "attack"

– We stand between client and server

– Independent client and server side encryption

• In the middle we do what we want! ;)

• Is Mallory now the good guy?!

Very deep the rabbit hole goes?

• In case of SSL there is no Perfect Forward Secrecy

– With the private key, the encrypted traffic can be checked transparently

• Now Mallory is the good guy!
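
The transparent check on this slide depends on static RSA key exchange, so an operator holding the server key can audit the server's suite list to see which sessions still need the two-sided proxy of the previous slide. This is an added example, not part of the original deck; it goes beyond the slide by also classifying ephemeral (EC)DHE and TLS 1.3 names, and the function names and the sample suite list are constructed for illustration.

```python
import re

EPHEMERAL = {"ECDHE", "DHE", "EDH"}   # ephemeral (EC)DH: forward secret
# OpenSSL-style names that start with the cipher imply RSA key exchange.
IMPLICIT_RSA = {"AES128", "AES256", "DES", "RC4", "CAMELLIA128",
                "CAMELLIA256", "SEED", "IDEA", "NULL"}

def key_exchange(suite):
    """Classify a suite name as 'static-rsa', 'ephemeral' or 'other'."""
    name = suite.strip().upper()
    # TLS 1.3 names carry no key-exchange token; the exchange is always (EC)DHE.
    if re.match(r"TLS_(AES|CHACHA20)_", name):
        return "ephemeral"
    iana = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", name)
    kx = iana.group(1) if iana else name.split("-")[0]
    if re.split(r"[_-]", kx)[0] in EPHEMERAL:
        return "ephemeral"
    if (iana and kx == "RSA") or (not iana and kx in IMPLICIT_RSA):
        return "static-rsa"
    return "other"   # static DH/ECDH, PSK, SRP, anonymous or unrecognised

def inspection_mode(suite):
    """How a firewall holding the server's private key can inspect the session."""
    modes = {"static-rsa": "passive with server key",
             "ephemeral": "active proxy only"}
    return modes.get(key_exchange(suite), "review manually")

def audit(suites):
    """Group suite names by inspection mode, preserving input order."""
    report = {}
    for suite in suites:
        report.setdefault(inspection_mode(suite), []).append(suite)
    return report

# Constructed sample: suites a server might be configured to accept.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DHE-RSA-AES256-SHA",
          "TLS_AES_128_GCM_SHA256", "PSK-AES128-CBC-SHA"]

if __name__ == "__main__":
    for mode, names in audit(SAMPLE).items():
        print(f"{mode}: {', '.join(names)}")
```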

Firewall vs. server vs. encryption

• Against what does a firewall in front of the server protect?

– "Az ellen nem véd!" ("It does not protect against that!", bad Hungarian humor)

• Besides IP/port filtering, what can we do at the application layer?

• We got the private key!

SSL client authentication

• It is possible to check and authenticate the certificate of the client

– Mutual X.509 authentication

• Are we positive that the certificate matches the user?

Virus, p0rn and the trojans

• Many "applications" use port 443/tcp

• This is an unfiltered full-speed covert channel

– Trojans, backdoors, Skype

• Why are p0rn sites not available over https?

– It is kind of confidential information... :)

• Mallory is here to save us!

Is the man visible in the middle?

• Could the client recognize that the server certificate has changed?

– No, Joe User does not care about such unimportant details.

– Yes, but the certificate is issued by our Trusted Certificate Authority

• We generate a new certificate based on the server's and sign it using our - trusted - authority.

One minute on PKI...

• It should rather be pkI

• How much can you trust CAs?

– Who checks and oversees them?

– What are the criteria for a CA to be included in a browser's pre-defined trusted CA set?

Life beyond SSL

• There is life beyond SSL

– SSH, IPSec, GPG/PGP etc.

• In the case of GPG/PGP there is a solution called "key escrow"

Lessons learned

• Goal: control encrypted communications

• Control and inspect all the details of the encrypted communication on the firewall

– Rabbit holes are deep...

• MITM could be used for nice purposes!

– Mallory is our friend, he is our best friend!

Thanks for listening!