Barracuda 610Vx Web Filter, Forcepoint Triton AP-Web Cloud, Fortinet FortiGate 5.4.0, Juniper SRX Forward SSL Proxy, Sophos SSL Inspection, and Untangle NG Firewall got C grades. The Barracuda and Forcepoint appliances were vulnerable to the Logjam attack; the others advertised RC4 ciphers.
The default configurations for all the appliances tested, other than Blue Coat, weakened connection security, the researchers found. Both the installation process and configuration are difficult on these appliances, and the poor usability is likely the reason why there were so many “abysmal configurations” in real-world networks, the researchers said.
Several manufacturers told the researchers that “secure product configuration was a customer responsibility and that they would not be updating their default configuration.” Contrast that to A10’s response, which introduced a configuration wizard recommending a “more sane set of cipher suites” last May.
Cipher support
Ten of the appliances supported vulnerable RC4-based ciphers, and five did not support modern ciphers. This means the client may initiate the connection using a strong cipher, but the appliance would downgrade the connection to a weaker one to finish the rest of the path to the server. Several of the manufacturers told researchers they have deployed updates, and others indicated plans to deprecate RC4 and support modern cipher suites. For example, Fortinet patched the Logjam vulnerability in version 5.4.1, which was released in September 2016.
Administrators using any of the HTTPS inspection products tested in this paper should check version numbers since it’s possible the problems have been addressed since the original testing period. If updates are available, they should be applied.
Will Dormann, a senior vulnerability analyst at CERT, echoed the researchers’ warnings that inspection products frequently make poor security decisions, such as improperly verifying the server’s certificate chain before re-encrypting and forwarding traffic, so clients don’t know if they connected to the legitimate server. Some products don’t forward the results of the certificate-chain verification, so everyone thinks everything went smoothly even if there were issues with that session. Another common mistake was completing the connection to the target server before displaying the warnings, at which point an attacker can still modify or view the information.
“Organisations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client,” Dormann wrote.
Test and verify
There is a tendency within the security world to react to warnings in an all-or-nothing fashion. The fact that there are concerns about inspection tools doesn’t mean enterprises should stop HTTPS inspection altogether or that visibility over encrypted traffic is bad. Administrators need to be able to see what’s happening when an employee uses the internet and when an endpoint has been infected with malware.
Zscaler’s Deepen Desai describes, in a video accompanying the original article, how attackers are increasingly hiding their activities within encrypted traffic, which makes this kind of inspection important.
TLS/SSL inspection also lets administrators examine application, cross-network, cross-cloud, cross-data centre and IoT communications for threats. If these communications aren’t being inspected, then all the other security defences in place become less effective.
“Recent discussions about the potential vulnerabilities connected with looking inside of encrypted SSL/TLS traffic ignore the critically important role of SSL inspection,” said Kevin Bocek, chief security strategist at Venafi, a certificate and key management company. “SSL inspection is the only way to protect against threats hiding in incoming and cross-network encrypted traffic.”
Recommendations
Even CERT is not saying enterprises should rip these products out of the network. Instead, the recommendation is to use badssl.com to verify whether the HTTPS inspection products are properly verifying certificate chains. If any of the tests on this site prevent a client with direct internet access from connecting because of deprecated protocol versions or weak ciphers, then those same clients should also refuse connection when behind an HTTPS inspection product.
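The check CERT describes can be scripted so it is repeated after every appliance update. The script below is an added example written for this article, not code from CERT or from any vendor named here. It connects to badssl.com test hosts that a directly connected, correctly validating client must refuse (expired, wrong-host, self-signed and untrusted-root certificates, RC4 and 512-bit Diffie-Hellman) plus one control host that must succeed, and flags any "must fail" host that connects as a sign that something in the path is accepting what the client itself would reject. The hostnames are taken from badssl.com's published test suite; that they are still served in that form is an assumption. The client context also enforces TLS 1.2 as a floor, so SSLv3, TLS 1.0 and TLS 1.1 are refused on the client side.

```python
"""Added example (not from the article, CERT or any vendor): probe badssl.com
test hosts to see whether an HTTPS inspection product in the path is hiding
certificate or protocol failures from the client."""
import socket
import ssl

# badssl.com subdomains a validating client must refuse (assumption: these
# tests are still served by badssl.com in the form listed on the site).
EXPECTED_TO_FAIL = (
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
    "rc4.badssl.com",
    "dh512.badssl.com",   # Logjam-style weak Diffie-Hellman parameters
)
# Control host that must connect cleanly; otherwise the run is inconclusive.
EXPECTED_TO_PASS = ("badssl.com",)


def make_context():
    """Client context: chain + hostname verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()          # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def try_connect(host, timeout=5.0):
    """Attempt a TLS handshake. Returns (connected, reason_or_version)."""
    ctx = make_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, "TLS error: %s" % (exc.reason or exc)
    except OSError as exc:
        return False, "network error: %s" % exc


def verdict(expected_to_fail, connected):
    """Classify one probe.

    SUSPECT: a host that must be rejected was accepted, so something in the
             path (an inspection proxy, a broken trust store) is masking the
             failure from the client.
    BLOCKED: the control host failed; no connectivity or an over-strict proxy.
    OK:      behaviour matches what a direct client would see.
    """
    if expected_to_fail and connected:
        return "SUSPECT"
    if not expected_to_fail and not connected:
        return "BLOCKED"
    return "OK"


def run(hosts_fail=EXPECTED_TO_FAIL, hosts_pass=EXPECTED_TO_PASS):
    """Probe every host and return {host: (verdict, detail)}."""
    results = {}
    for host in hosts_fail:
        connected, detail = try_connect(host)
        results[host] = (verdict(True, connected), detail)
    for host in hosts_pass:
        connected, detail = try_connect(host)
        results[host] = (verdict(False, connected), detail)
    return results


if __name__ == "__main__":
    for host, (status, detail) in run().items():
        print("%-8s %-28s %s" % (status, host, detail))
```

Run it once from a client with direct internet access to confirm every "must fail" host is refused, then again from a client behind the inspection product: any line marked SUSPECT is a host the appliance accepted on the client's behalf. If the control host comes back BLOCKED behind the proxy, the proxy's signing CA is probably not in the trust store Python is using; load it with ctx.load_verify_locations() in make_context() rather than disabling verification, or the test says nothing.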
“At the very least, system administrators could contact the vendors of SSL inspection software to have them confirm the proper configuration options and behaviours,” wrote Dormann.
Administrators can also use CERT Tapioca, a network-layer MITM proxy virtual machine that can check for apps that fail to validate certificates. Based on UbuFuzz, Tapioca is preloaded with the mitmproxy tool to investigate traffic. CERT also recommended taking other steps to secure end-to-end communications, such as upgrading to TLS 1.1 or higher, disabling SSL v1/2/3 and TLS 1.0, utilising certificate pinning, and implementing DNS-based Authentication of Named Entities.
The CERT advisory has a list of 58 applications “that may be affected by a number of the above-outlined vulnerabilities,” but noted they have not been tested, and their presence on the list does not mean they are degrading HTTPS connections. Administrators should perform their own tests or contact vendors.
IDG News Service