Friday, August 21, 2015

What SSL inspection security features ( fortigate )

A discuss was in play on the fortinet  forum about ssl inspection and many questions has risen over the inspections within SSL  & fortigates.

What I've found out;  that the ssl inspection will let any web-client to establish HTTPs sessions to site with small-keysizes,  or using  any weak ciphers. Also Certificate Revocation is not strictly enforced nor is OCSP mandated. So this leave you left  with the security functions of user  web-browser and OS.

Firefox seems to be slightly ahead of the game when compared to Chrome or Opera, but leaving security controls at the hands of the end-user will always equal to a disaster.

For example, I reconfigured my Apache2 webserver with a 384bit key and with SSLv3 enabled-only.

The fortigate allow access to this site with SSL inspections enabled.

The same happen  if we  had   RC4-SHA for cipher suite enabled.  Even a site with revoked CRLs was pass thru blindly.

Firefox will drop  sessions using tls1 and a key-size of 384 bits & provide you a generic warning

All of these would be very bad for a high security website & places the end-user data at risk.


So how do we secure a client from accessing a website with the above?

You will need to use a 3rd party appliance proxy that has tighter acceptance controls.

Just the meer inspecting of certificate serial#,  expiration-DATE,  & CAtrust is not enough. Disallowing  clients access to weak and vulnerable website should be restricted and enforced imho.

Openssl will describe the various ciphers for low medium and high;

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
      /  \

1 comment: