
Advanced Web Security with WSA

Shaun Coulter, Consulting Systems Engineer


Objectives
After attending this session, the attendees will be able to:
- Deploy WSA in a Dual Stack environment
- Know how to leverage Kerberos for authentication
- Know how to work with Encrypted Traffic
Agenda
• WSA in Dual Stack
• Kerberos Authentication
• Encrypted Traffic
• Conclusion
Abstract
• This Session is about Advanced Deployment of the Web Security Appliance (WSA).
We will first take a look at deploying the WSA in Dual-Stack Environments with IPv6.
After this first Section we will get into Authentication and especially focus on Kerberos as the authentication method.
The third section will be a deep dive into handling SSL Traffic and Decryption.
This Session is targeted at Security Administrators that are deploying the WSA and are familiar with the basic installation of the WSA.
Related Sessions are: BRKSEC-2695 Embrace Cloud Web Security with your Cisco Network.
WSA in Dual Stack
Explicit Proxy
• Client requests a website
• Browser connects first to WSA
• WSA connects to website
• Firewall usually only allows webtraffic for proxy
• DNS Resolution is done by WSA

(Diagram: Client -> Web Security Appliance -> ASA 5500 Firewall -> Internet -> Web server)
Explicit Proxy with IPv4 and IPv6
• Client requests a website
• Browser connects first to WSA using IPv4 or IPv6
• WSA does DNS lookup
- A record returned and/or AAAA record returned
• Depending on WSA setting, WSA builds the outgoing connection either on IPv4 or IPv6
(Diagram: Client -> Web Security Appliance -> ASA 5500 Firewall -> Internet -> Web server, with the WSA reaching the server over IPv4 or IPv6)
Explicit Mode with IPv4 and IPv6
• Setting IPv6 Addresses on the Interfaces
Explicit Mode with IPv4 and IPv6
• Setting IPv6 Routes
Explicit Mode with IPv4 and IPv6
• Setting DNS Servers

(Screenshot callout: Which protocol should be preferred in case an A and an AAAA record are returned?)
Packet Capture with IPv6
• Filter can be applied to IPv6 addresses
• Display of packets done via standard Wireshark
CLI
• Neighbour Cache in IPv6 is equivalent to the arp cache in IPv4
(Screenshots: display the arp-cache; display the neighbour table)
Transparent Proxy via WCCP
• Client requests a website
• Browser tries to connect to Website
• Network Device redirects traffic to WSA using WCCP
• WSA proxies the request
• DNS Resolution is done by the Client

(Diagram: Client -> WCCP redirect -> Web Security Appliance -> ASA 5500 Firewall -> Internet -> Web server, over IPv4 or IPv6)
WCCP IPv6
Switch configuration for the IPv6 service group:

ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
WCCP IPv6 and IPv4
Different service groups for IPv4 & IPv6:

ip wccp 90 redirect-list wsav4
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ip wccp 90 redirect in
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
!
ip access-list extended wsav4
 permit tcp any any eq 80
 permit tcp any any eq 443
WCCP IPv6 and IPv4 – WSA Side of things….
In Dual-Stack Environments, two WCCP Service Groups are required.
(Screenshot: the WCCP service group on the WSA is configured with the IPv6 Address of the Switch / Router)
WCCP with L3 Switch – IPv6
Redirect - Verification (the slide's callouts mark the version & state, the redirect method, the assignment method and the mask value):

munlab-c6504#sh ipv6 wccp 90 det
WCCP Client information:
        WCCP Client ID:          2001:420:44E6:2013::45
        Protocol Version:        2.01
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Assignment:              MASK
        Connect Time:            00:13:25
        Redirected Packets:
          Process:               0
          CEF:                   0
        GRE Bypassed Packets:
          Process:               0
          CEF:                   0
        Mask Allotment:          4 of 4 (100.00%)
        Assigned masks/values:   1/4

        Mask  SrcAddr  DstAddr  SrcPort  DstPort
        ----  -------  -------  -------  -------
        0000: ::       300::    0x0000   0x0000
WCCP Dual-Stack with Router – ISRG2
Lab Setup with ISR G2:

ip wccp source-interface GigabitEthernet0
ip wccp 91 redirect-list IPv4-WCCP
ipv6 unicast-routing
ipv6 cef
ipv6 wccp source-interface GigabitEthernet0
ipv6 wccp 90 redirect-list IPv6-WCCP
!
interface GigabitEthernet0
 description WCCP-REDIR
 ip address 172.16.201.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FD00:ABCD:1:2::1/64
 ipv6 nd ra suppress all
!
interface Vlan200
 description WCCP Inside
 ip address 172.16.200.1 255.255.255.0
 ip wccp 91 redirect in
 ipv6 address FE80::1 link-local
 ipv6 address FD00:ABCD:1:1::1/64
 ! prefix corrected from the slide's "D00:ABCD:1:1::/64" to match the interface address
 ipv6 nd prefix FD00:ABCD:1:1::/64 no-advertise
 ipv6 wccp 90 redirect in
!
interface FastEthernet0
 switchport mode trunk
 no ip address
WCCP and IPv6 - PMTUD
• In IPv6, Fragmentation of Packets is only done by the END-Host.
• Network Devices on the Path are NOT allowed to do any Fragmentation
• Path MTU Discovery is used to determine the MTU on the Path from the Host to the Destination
• Explicit Mode:
  • Works straight forward as the Client (End-Host) talks to the Proxy (End-Host)
  • Proxy establishes a new Connection to the Destination Server (Separate Session)
WCCP and IPv6 - PMTUD
(Diagram labels: Internet, VLAN40, R2 (WCCP), R1, VLAN10)
• Client sends HTTP GET to Destination IP
• Request is intercepted by Switch and redirected to the WSA
• WSA forwards the request to the Destination Server on the Internet. Source IP is now either WSA or Client (with IP Spoofing)
• Traffic sent back to WSA from Server
• WSA forwards traffic to the client, spoofing the source of the Destination Server
WCCP and IPv6 - PMTUD (2)
• If a device on the path from WSA to the Client (R1) has a lower MTU, it will send an ICMP Type 3 Code 1 (Packet-too-Big).
• Because the SOURCE IP of the Packet is the DESTINATION Server (WSA is spoofing it…) the ICMP Packet too big will not reach the WSA.
• Solution: Take Care about the MTU Size in your internal network
Redundancy Using CARP
Common Address Redundancy Protocol
(Diagram: Virtual IP on an L2 Network toward the Internet)
• CARP provides virtual IP
• Works with IPv4 and IPv6
• Requires L2 Connectivity
• Communication done via Multicast
• One Master, multiple Slaves
Redundancy Using CARP (2)
Redundancy Group for IPv4 & IPv6
Redundancy Using CARP (3)
Higher Value = Master
Redundancy Using CARP (4)
Testing via CLI – “TESTFAILOVERCONFIG”
Redundancy using CARP (5)
Testing via CLI – “TESTFAILOVERCONFIG”
CARP using mcast for keepalive
IPv6 Links to Try
• http://www.ripe.net – Displays your incoming IPv6 Address
• http://test-ipv6.com/ – Check if your Computer is IPv6 capable
• http://sixy.ch – Search Engine for IPv6 Enabled Websites
• http://loopsofzen.co.uk/ – Game only reachable over IPv6
• http://6only.6now.net/ – Print a T-Shirt with the IPv6 Address you used to reach the Website
• http://6lab.cisco.com – Check IPv6 Adoption
• http://www.kame.net/ – The dancing turtle…
CARP on Virtual Appliances
• vSwitch will by default drop all requests to any MAC address that is not bound to a physical interface
• Requires to set the Security on ESX to “Promiscuous Mode = Accept”
CARP – Log Files
Logging to be found in the “system_logs”
SPLUNK for WSA with v6
Leveraging field extractions from the Advanced Reporting App for WSA
Customising the Access Log
Extremely useful in Dual-Stack Environments to find out whether WSA makes the outgoing connection on IPv4 or IPv6!
(Screenshot: access log line with Destination IP = v4 and Source IP from Client = IPv6)
SPLUNK for WSA with v6
• Extract the Destination IP (previously added to the access_logs)
• Calculate a new field to determine if the address is v4 or v6
SPLUNK for WSA with v6
• Define your searches using the previously defined fields: Destination IP Version, Source IP Version
SPLUNK for WSA with v6
Example Report #1
• Display the V6 to V6 Connections from the last 24 hours
SPLUNK for WSA with v6 (2)
Example Report #2
• Display the top Domains that are IPv6 enabled together with the Web Category
Summary of IPv6 Deployment
• WSA can use IPv4 and IPv6 concurrently
• Setup is done with just a few steps
• If only outgoing is IPv6 enabled, IPv4 clients require zero change
• Easy to make your first step towards IPv6 with the use of WSA!
• Authentication and Decryption work the same with IPv6 as with IPv4
• Transparent redirection via IPv6 requires support of WCCP v2.01
• Take care of MTU size in your network
• Modification of the access log with additional parameters enables good visibility into IPv6 network traffic using tools like SPLUNK
Kerberos Authentication
Kerberos – A Quick Refresher
(Diagram: Client, Key Distribution Centre with Authentication Service and Ticket Granting Service, and a KRB Enabled Web Service)
1. AS_REQ: Authenticate & Request TGT (to the Authentication Service)
2. AS_REP: Get TGT
3. TGS_REQ: Request Service Ticket (from the Ticket Granting Service)
4. TGS_REP: Get Service Ticket
5. Send Service Ticket to the Service (KRB Enabled Web Service)
6. Use Service
Kerberos and Kerberos Constrained Delegation
• Kerberos Constrained Delegation
• Kerberos usually requires the client and the KDC to be in the
same network
• In case this is not possible (think of ASA with a clientless SSL
Portal), the ASA can request a TGT and Service Ticket on behalf
of the client
• ASA would act as an Authentication Proxy to a “kerberised”
application Server in the Backend

• WSA currently supports Kerberos Authentication of clients but not Kerberos Constrained Delegation
Kerberos vs. NTLM
A simplified view…
Kerberos:
• Standard Protocol
• Available on many platforms (MAC, Linux, Windows, iOS, etc.)
• Preferred Protocol by Microsoft
• Less Resource intense
• Authentication in one turn
• Packet is bigger (6-16k)
• Provides SSO for “kerberised” applications
• Client needs to talk to the AD Controller and the Authenticating Server
NTLM:
• Microsoft proprietary
• Legacy protocol
• Mostly on Windows Systems
• More Resource intense
• Each Server has to authenticate separately with the AD
• Multiple small packets are exchanged
• Only the Authenticating Server needs to talk to the AD Controller
• Can traverse proxies
Configuration on WSA
• If you upgraded from 7.x to 8.x, re-join the domain
• After re-join, the Kerberos Scheme is available
Configuration on WSA (2)
• Edit your Identities to use Kerberos as an authentication Scheme
Multiple Realms within One Identity
• WSA can only use one NTLM Realm within one Authentication Sequence
• WSA can use multiple Kerberos Realms in one Authentication Sequence
Multiple Realms within One Identity
• Config Sequence
  1. Create each Realm on the WSA
  2. Create a sequence on all the Realms
  3. Create Identity
(Diagram: Client-1 to Client-4 with W2003, W2008, W2008R2 and W2012 domain controllers, all in front of one WSA)
Configuration on WSA (3)
• Strongly recommended to add %m to the accesslog (=Authentication Method)
  • BASIC. The user name was authenticated using the Basic authentication scheme.
  • NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.
  • NEGOTIATE. The user name was authenticated using the KERBEROS authentication scheme.
  • SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.
  • SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility.
  • SSO_ISE. The user was transparently authenticated by ISE.
  • FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing an application.
  • GUEST. The user failed authentication and instead was granted guest access.
Client Tickets on a Windows7 Machine
Command: klist tickets
(Screenshot: the Ticket-Granting Ticket and the Ticket for WSA)
Client Tickets with AES Encryption
CSCuo74136 – fixed in 8.0.7 / 8.5.0
• Computer Object generated when joining domain has:
  - msDS-SupportedEncryptionTypes
  - operatingSystemVersion
  set to <null>
• Result: Clients requesting Ticket for the WSA Service will get Default Tickets with DES / RC4
• Object msDS-SupportedEncryptionTypes must be set to ‘0x1C’
• OS Version must be ‘6’ or higher
Example #1: Join the AD domain with your MAC
• Joining the MAC to the AD Domain will create a computer account on the AD Server
(Screenshot: Join the AD Domain)
• After successful join, log out and log in again with your AD Account
• When opening Safari, you will get authenticated to the WSA without prompt
• http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf
Kerberos Authentication with WCCP
• When using transparent redirection and Kerberos, non-windows Clients like MAC OS X sometimes have problems with the redirection
• Make sure the WSA Hostname is the same as the redirection name
• WSA only accepts FQDN as Hostname -> Redirection Name as FQDN might cause trouble with Windows Clients
• Windows Clients require the redirection hostname added to the “Intranet Zone”
IE Config for Kerberos
• Add the WSA to the local Intranet Zone and enable automatic logon
Firefox Config for Kerberos
• Add the WSA as a trusted URL for Kerberos when prompted:
WSA Logs
(Screenshot: access log entries showing the AD-User and the Kerberos authentication method)
Dual Stack with Kerberos
• Windows AD by default does not include the Client IP in the Client Ticket
  http://support.microsoft.com/kb/837361
• Ticket can be used for IPv4 & IPv6 Connections

1417685846.682 43 2001:420:44e6:2013:811e:aaa2:287e:f45c TCP_MISS/304 210 GET http://www.ripe.net/favicon.ico "MUNSEC\evyncke@MUNSEC" DIRECT/www.ripe.net - DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",39.07,0,-,"Unknown","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 2001:67c:2e8:22::c100:68b AUTH: 0 DNS: 0 REP: 1 SFBR: 20 CFBWR: 0 AMP: - - - - - -
SPLUNK for Authentication Reports
• Extract the authentication type (add to the access_logs with the %m Parameter)
• Define a simple search
SPLUNK for Authentication Reports
• Display the different Authentication Methods used
Kerberos - Summary
• WSA can authenticate users using Kerberos
• Need to re-join the Domain if the “Kerberos” scheme is not displayed
• Windows Clients will automatically try Kerberos first then fall back to
NTLM
• Modify your accesslog with the “%m” Parameter to check the
authentication method
• Enables Users to authenticate with non-windows clients like MAC, LINUX
• Works on IPv4 and IPv6
• Authenticate once and use ticket for multiple sites
• Useful when using several WSA such as with a loadbalancer * or
WCCP
• CARP does not work with Kerberos currently.
* Has to support KDC
Encrypted Traffic
Flow for Decryption
(Flowchart) Identity -> Authentication -> then either the HTTP Proxy (Access Policy) or the HTTPS Proxy (Decryption Policy):
• Access Policy actions:
  • Block: Block Page displayed
  • Monitor: Continue Evaluation of Access Policy
  • Warn: Warn Page displayed
• Decryption Policy actions:
  • Pass Through: Encrypted
  • Decrypt: Goto Evaluation of Access Policies (Page blocked or Page allowed)
  • Drop: Block Page displayed if “Decrypt for EUN” is selected (in 7.7)
  • Monitor: Continue Evaluation of Decryption Policies
Flow for Decryption (2)
• Access Policy, Monitor: Applications / Granular Control (if available)
  • Block: Block page displayed
  • Monitor: Continue Eval of Access Policies
• Decryption Policy, Monitor: WBRS Check
  • has Score: Passthrough / Decrypt / Block
  • has No Score: Default Action
Certificate Installation and Usage - Recap
• The WSA needs a CA Certificate to be installed
  • Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this!
• After receiving the HTTPS Request, the WSA will grab the Server Certificate from the Destination
• It will create a new Certificate with (nearly) all the fields and sign this with its own Certificate
  • CRL is not replicated because it would not match the “new” Certificate
• Client needs to trust the Certificate from the WSA
  • Use a trusted subordinate CA Certificate or roll out your self-signed Cert to the Clients via GPO
Decryption Policy
• Policy can be based on
• Identification Profile (Identity)
• URL Category
• Web Reputation
• Additional Options
Certificate Error Handling
Settings on the WSA
• Default Values provide a good balance between Security and User Experience
• End-User Notification in case of a “DROP” requires “DECRYPTION”
Decrypting Web Category “Search Engines”
Explicit Mode

1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT tunnel://www.google.de:443/ "hsimpson@MUNSEC" DIRECT/www.google.de - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -

1414066212.218 204 10.61.70.30 TCP_MISS_SSL/200 29694 GET https://www.google.de:443/?gws_rd=ssl "hsimpson@MUNSEC" DIRECT/www.google.de text/html DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,5.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",1164.47,0,-,"Unknown","-",1,"-",-,-,"-","-"> - BASIC DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 0 REP: 0 SFBR: 143 CFBWR: 51 AMP: 1 - - - - -
Decrypting Web Category “Search Engines”
Transparent mode

1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443 "MUNSEC\administrator@munsec" DIRECT/www.startpage.com - DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - - - -

1417171197.338 23 172.16.10.30 TCP_MISS_SSL/200 518 GET https://www.startpage.com:443/js/abp.js?adType=1&advertiser=1&advertising=1 "MUNSEC\administrator@munsec" DIRECT/www.startpage.com application/javascript DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup <IW_srch,4.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_srch,-,"Unknown","-","Generic Search Engine Traffic","Search Engine","-","-",180.17,0,Local,"Unknown","-",1,"-",-,-,"-","-"> - NEGOTIATE DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 20 CFBWR: 1 AMP: 1 - - - - -
ACL Tag Decoded
DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
• DECRYPT_WEBCAT_7: ACL Decision Tag
• DefaultGroup: Access or Decryption Policy
• ID.MUNSEC: Identity
• NONE: Outbound Malware Scanning Policy
• NONE: Data Security Policy
• NONE: External DLP Policy
• DefaultGroup: Routing Policy
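The three things the slides pull out of the access log (the DestIP field added to the log format, the %m authentication method, and the ACL decision tag decoded above) can be extracted with one parser. The Python below is an added example, not WSA or Splunk code from this deck; the regular expression assumes the field order of the sample lines on these slides (standard format followed by %m and a "DestIP:" custom field), the sample lines are copied from the slides, and the ACL tag split assumes policy names without hyphens.

```python
import ipaddress
import re

# Added example (not WSA code): parser for WSA access log lines whose log
# format was extended, as the slides recommend, with %m (authentication
# method) and a custom "DestIP:" field. Field order follows the sample
# lines on the slides; the scan verdict between < and > is kept opaque.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client_ip>\S+) (?P<result>\S+) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "(?P<user>[^"]*)" '
    r'(?P<hierarchy>\S+) (?P<mime>\S+) (?P<acl_tag>\S+) <(?P<scan>[^>]*)> '
    r'\S+ (?P<auth_method>\S+) DestIP: (?P<dest_ip>\S+)'
)

# The seven hyphen-separated segments of the ACL decision tag, in the order
# the "ACL Tag Decoded" slide lists them. Assumption: policy and identity
# names themselves contain no hyphen.
ACL_TAG_FIELDS = (
    "decision_tag", "policy", "identity", "outbound_malware_policy",
    "data_security_policy", "external_dlp_policy", "routing_policy",
)

# Sample lines copied from the slides (raw strings: the user field holds a backslash).
SAMPLE_LINES = [
    r'1417685846.682 43 2001:420:44e6:2013:811e:aaa2:287e:f45c TCP_MISS/304 210 GET '
    r'http://www.ripe.net/favicon.ico "MUNSEC\evyncke@MUNSEC" DIRECT/www.ripe.net - '
    r'DEFAULT_CASE_12-PO.MUNSEC-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_comp,4.9,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown",'
    r'"Unknown","-","-",39.07,0,-,"Unknown","-",-,"-",-,-,"-","-"> - NEGOTIATE '
    r'DestIP: 2001:67c:2e8:22::c100:68b AUTH: 0 DNS: 0 REP: 1 SFBR: 20 CFBWR: 0 AMP: - - - - - -',
    r'1414066212.006 552 10.61.70.30 TCP_MISS_SSL/200 39 CONNECT tunnel://www.google.de:443/ '
    r'"hsimpson@MUNSEC" DIRECT/www.google.de - '
    r'DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_srch,5.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google",'
    r'"Search Engine","Encrypted","-",0.57,0,-,"-","-",-,"-",-,-,"-","-"> - BASIC '
    r'DestIP: 2a00:1450:4013:c00::5e AUTH: 0 DNS: 19 REP: 24 SFBR: 0 CFBWR: 49 AMP: - - - - - -',
    r'1417171197.329 66 172.16.10.30 TCP_MISS_SSL/200 0 TCP_CONNECT 85.17.181.244:443 '
    r'"MUNSEC\administrator@munsec" DIRECT/www.startpage.com - '
    r'DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup '
    r'<IW_srch,4.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Unknown",'
    r'"Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-"> - NEGOTIATE '
    r'DestIP: 85.17.181.244 AUTH: 0 DNS: 0 REP: 0 SFBR: 0 CFBWR: 0 AMP: - - - - - -',
]

def ip_version(addr):
    """Return 4 or 6 for an IP address string, None for '-' or unparseable text."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None

def decode_acl_tag(tag):
    """Split an ACL decision tag into its named policy segments."""
    parts = tag.split("-")
    if len(parts) != len(ACL_TAG_FIELDS):
        raise ValueError(f"unexpected ACL tag layout: {tag}")
    decoded = dict(zip(ACL_TAG_FIELDS, parts))
    # DECRYPT_* tags come from a decryption policy, so "policy" is then the
    # decryption policy group; otherwise it is the access policy group.
    decoded["decrypted"] = decoded["decision_tag"].startswith("DECRYPT_")
    return decoded

def parse_access_log_line(line):
    """Parse one extended access log line into a dict of named fields."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        raise ValueError("line does not match the extended access log format")
    rec = m.groupdict()
    rec["client_ip_version"] = ip_version(rec["client_ip"])
    rec["dest_ip_version"] = ip_version(rec["dest_ip"])
    rec["acl"] = decode_acl_tag(rec["acl_tag"])
    return rec

def summarize(lines):
    """Count requests by (client IP version, destination IP version) and by
    authentication method: the two reports the Splunk slides build."""
    by_version, by_auth = {}, {}
    for line in lines:
        rec = parse_access_log_line(line)
        key = (rec["client_ip_version"], rec["dest_ip_version"])
        by_version[key] = by_version.get(key, 0) + 1
        by_auth[rec["auth_method"]] = by_auth.get(rec["auth_method"], 0) + 1
    return by_version, by_auth

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_access_log_line(line)
        print(f'{rec["client_ip"]} (v{rec["client_ip_version"]}) -> {rec["dest_ip"]} '
              f'(v{rec["dest_ip_version"]}) {rec["auth_method"]} {rec["acl"]["decision_tag"]}')
    print(summarize(SAMPLE_LINES))
```

On the three sample lines the summary shows one v6-to-v6, one v4-to-v6 and one v4-to-v4 request, and two NEGOTIATE (Kerberos) against one BASIC authentication; the second and third lines are the CONNECT / TCP_CONNECT records whose DECRYPT_WEBCAT_7 tag says the decryption policy fired on the URL category.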
WSA, Authentication and SSL
• In Explicit mode, a CONNECT request is made, giving the full URL to the
WSA together with the CONNECT request
• WSA replies with - 407 Proxy auth required
• At this time, WSA has the following information:
- destination host
- user agent
- user credentials verified
• WSA can decide whether to decrypt based on:
- Destination Host
- User Agent
- Proxy Port
- Subnets
- Time Range
WSA, Authentication and SSL (2)
• In Transparent mode, there is no “CONNECT” but a “TCP_CONNECT”
• Since the Client is not aware of the WSA, it will start a TCP connection to the remote server
• The connection is redirected to the WSA and the client starts an HTTPS/SSL connection directly
• At this point the WSA only knows the destination IP and port
• WSA sends an HTTPS “probe” (its own Client Hello) to get the “Server Hello” and the server certificate
WSA, Authentication and SSL (3)
• With the server certificate, WSA has knowledge of:
  - Client IP
  - Destination IP
  - Server Certificate
  - Common Name (CN) from the server certificate is used as the request URL, and thus for URL category matching
• Based on this information WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
• All information normally sent in the HTTP Header (Cookies, User Agent, Mime-Type etc.) is encrypted in the tunnel and thus not available to the WSA at this point.
WSA, Authentication and SSL (4)
• Should we decrypt? Very often based on URL Category...(think of finance
websites...)
WSA, Authentication and SSL (5)
• Finding out the correct URL Category....
• Solution: Usage of SNI (Server Name Indication) is required from the Proxy side (supported in v7.7+)
  • Most browsers have supported it for years
  • The CLIENT HELLO during TLS sends the Host URL:
Server Name Indication - Test
Connection without SNI…

TMAYER-M-T2AF:iitp hpurple$ openssl s_client -connect midmarketcioforum.pathable.com:443
CONNECTED(00000003)
62663:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.1/src/ssl/s23_clnt.c:585:

…but required by the server
Server Name Indication – Test (2)
Connection with SNI

TMAYER-M-T2AF:iitp hpurple$ openssl s_client -servername midmarketciofourm.pathable.com -connect midmarketcioforum.pathable.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=YVv3G4-n4KOXYXCLfIddFS92BN4-LPum/OU=GT66017752/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=*.pathable.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
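To show what the proxy actually reads out of the Client Hello in transparent mode, here is an added Python example (not WSA code from this deck) that constructs a minimal TLS ClientHello with and without the server_name extension (RFC 6066) and parses the host name back out of it. The hostname_for_policy helper, the single cipher suite in the sample and the all-zero random are my own assumptions for illustration; the record and extension layout is the standard TLS 1.0 to 1.2 one.

```python
import struct

# Added example (not WSA code): how a transparent proxy learns the host name
# before any HTTP header is visible. Builds a minimal TLS ClientHello
# (constructed sample) and parses the server_name extension out of it.

def build_client_hello(server_name=None, version=(3, 3)):
    """Construct a minimal ClientHello record. version=(3,3) is TLS 1.2 on
    the wire, (3,1) is TLS 1.0; server_name=None sends no SNI extension."""
    body = bytes(version) + bytes(32)             # client_version, random (zeros here)
    body += b"\x00"                               # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                           # compression_methods: null only
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return {'version': (major, minor), 'sni': host or None} for a
    ClientHello record; raise ValueError for anything else."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, pos = (body[0], body[1]), 2
    pos += 32                                                # random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    sni = None
    if pos + 2 <= len(body):                                 # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0:
                p = 2                                        # skip ServerNameList length
                while p + 3 <= len(edata):
                    ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                    name, p = edata[p + 3:p + 3 + nlen], p + 3 + nlen
                    if ntype == 0:
                        sni = name.decode("ascii")
                        break
    return {"version": version, "sni": sni}

def hostname_for_policy(client_hello, cert_cn=None):
    """Host name the proxy can match URL categories against: the SNI if the
    client sent one, otherwise the server certificate CN, which for a
    wildcard certificate such as *.pathable.com says little about the site."""
    return parse_client_hello(client_hello)["sni"] or cert_cn
```

With SNI present the proxy gets the exact host from the very first packet; without it the best it has is the certificate CN, which is why a wildcard certificate plus a client that sends no SNI defeats category-based decryption decisions.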
HTTPS Logs on WSA – Level “Trace”
(Screenshot: trace log entries: Trying TLS 1.0, Server refuses; Trying SSLv3, Server refuses)
Testing the Server for a Specific Protocol
• Openssl can test TLS Connection
• Check if the Server Supports TLS 1.2 simulating the client side
Testing the Server for a Specific Protocol (2)
(Screenshot: Yes, it does!)
Testing the Server for a Specific Protocol (3)
This is how it would look like in case the protocol is not supported…
(Screenshot: No, it is not!)
Easier to Check a Website
https://www.ssllabs.com/ssltest/
• Check a Website for all things around TLS
  • Ciphers
  • Certificates
  • Handshake Simulations
  • …
• Powered by Qualys
Common SSL Troubleshooting Steps
• Check your Access Logs
  • Look at ACL Decision tags
• Check the destination url on https://www.ssllabs.com/
  • Alternative: SSLYZE from https://github.com/nabla-c0d3/sslyze/releases
• Try to access the page directly without the WSA in the Path
  • Using curl or openssl
• Try to access the page with the WSA in the Path
• Check the https_logs -> put at least into “debug” mode
• Check the PCAPS
HTTP and TLS
HTTP
“Pipelining”
• HTTP 1.0
  • One Request -> One Response
  • “Head of Line” Blocking Problem (like a Supermarket with only one register)
• HTTP 1.1 “Pipelining”
  • Multiple Requests sent at once
  • Opening more Registers in the Supermarket…
  • Still, Responses have to arrive in the order the Requests were sent….Does not solve the “Head of Line” Blocking Problem
  • Most Browsers might limit the amount of connections you can send at once.
HTTP
“Pipelining”
Page comes up pretty fast but takes long time to complete:
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
GET picture?user=scoultr <--- takes a long time because database lookup

Page does not display anything in the beginning but then displays all in the end:
GET picture?user=scoultr <--- takes a long time because database lookup
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
SPDY
“Speedy”
• Three main enhancements over HTTP 1.1
  • Header Compression
  • True Connection Multiplexing (on the server): request as many connections as you want and receive responses in any order by using only one SPDY Connection. Prioritisation of the responses is left to the client
  • PUSH Content to the client, using an existing SPDY connection without the client needing to send a request first. A lighter version would just send a “Hint”
SPDY – HTTP/2
“Speedy”
• SPDY Protocol might be a problem for intermediate Gateways, proxies, … as they might not be able to understand it.
• To overcome this problem:
  • SPDY will use TLS for tunnelling its data between client and server
• Limitations of SPDY
  • SPDY uses TLS, no visibility of Gateway, Malware scanners, etc!!
  • Multiplexing will only occur on a per host basis: a website that has content from 16 other servers will require the client to open 16 connections
HTTP/2
• HTTP/2 and HPACK specifications have now been approved by IETF
• Fully supported by Chrome and FF now
• Apple and MS have announced future support
• Review RFC at https://tools.ietf.org/html/draft-ietf-httpbis-http2-17
• FAQ resources - https://http2.github.io/faq/
HSTS
“HTTP Strict Transport Security” - http://tools.ietf.org/html/rfc6797
• Protect secure HTTPS Websites against downgrade attacks
• Web Server can signal to the client that only HTTPS is allowed to interact
• This signal is transported using an HTTPS Response Header
• The client behaves as follows
  • Automatically turn any http:// links into https:// links
  • If the secure connection cannot be assured (ex: Self Signed Certificate is used), do not allow the user to override
• If you want to decrypt using a proxy, a valid CA Certificate is required.
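The client behaviour listed above (remember the host for max-age seconds, upgrade http:// links, and only trust the header from an error-free HTTPS connection) can be modelled in a few lines. The Python below is an added example, not browser or WSA code, of the RFC 6797 rules: the HstsStore class, its method names and the injectable clock are my own choices, the clock existing only so that expiry can be exercised offline.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Added example (not browser or WSA code): the client-side HSTS logic of
# RFC 6797 reduced to its essentials. A host seen with the header over a
# clean TLS connection is remembered for max-age seconds (optionally with
# its subdomains) and http:// URLs for known hosts are upgraded to https://.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value. Returns None when the
    mandatory max-age directive is missing or not a number."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}

class HstsStore:
    """Known-HSTS-host cache; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}    # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header, over_tls=True, tls_errors=False):
        """Process a response header. RFC 6797 only honours it on an
        error-free HTTPS connection, which is why a proxy that decrypts must
        present a certificate the client trusts. Returns True if applied."""
        if not over_tls or tls_errors:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:          # max-age=0 removes the host
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + parsed["max_age"], parsed["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a superdomain flagged includeSubDomains, is unexpired."""
        labels, now = host.lower().split("."), self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Turn http:// into https:// for known hosts (port 80 becomes 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The observe() refusal on tls_errors is the point that matters for a decrypting proxy: a client that sees the WSA's re-signed certificate as untrusted never records the HSTS entry, and for hosts it already knows it refuses the connection outright instead of offering a click-through.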
Certificate Pinning / SSL Pinning
• Method to actually compare the Certificate presented from the Server to a “stored” Certificate on the Client. Requires a method to ensure the Client is running the latest Version of your Software
• Applies to centrally updated Applications that connect to predictable Servers
• Two ways to do it:
  • PIN the Certificate: Certificate might be renewed -> Certificate on Client must be renewed as well
  • PIN the public key: Public Key is likely to stay the same even if the Certificate is renewed
• Chrome connecting to gmail.com, twitter, FF connecting to mozilla.org
  https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Example: Firefox

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

0: Pinning disabled
1: Allow User MiTM (with a trusted CA)
2: Strict. Always enforced
3: Enforce Test Mode
Example: Firefox

Strict Pinning
Links for further information
For reading in those nights where you cannot sleep…
• Internet Draft for specifying a Public Key Pinning in HTTP
  http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
• OWASP Explanation of Certificate Pinning
  https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• HSTS “HTTP Strict Transport Security”
  https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• Public Key Pinning Extension for HTTP
  http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
• Internet Advisory Board – Statement on Confidentiality
  https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
Summary
• WSA is working very well with IPv4 and IPv6
• Good way to start getting experience with IPv6
• Enables IPv4 clients to reach IPv6 Destinations
• WSA supports Kerberos Authentication
• Useful for transparent authentication of non-windows Systems
• WSA has detailed decryption capabilities
• Granular policies when to decrypt can be made
• However: big trend of having many more encrypted connections on the Internet
Call to Action
• Visit the World of Solutions for
  • Web Security/meet the expert
  • Technical Solution Clinics
  • Web Security Specialists
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations.
www.CiscoLiveAPAC.com
Thank you
