Educause Security Discussion mailing list archives

Re: paloalto firewall


From: Jeff Holden <JHolden () MTSAC EDU>
Date: Thu, 20 Dec 2007 12:00:35 -0800

As far as I know there is no passive way to do a successful man in the
middle attack on SSL.  The client will get a warning that the certificate
isn't valid.  You can make the certificate look convincing and most users
will just accept it, but you still get the warning that the site is not
trusted.

You have three things that must be true for an SSL certificate.

A. the certificate has been signed by a recognized certificate authority
B. the certificate is currently valid and has not expired
C. the common name on the certificate matches the DNS name of the server

You can achieve these 3 requirements with an active method where you
install a certificate authority certificate on all your client machines
that the proxy server will use, which satisfies A.  You intercept the DNS
request and return the IP of the proxy server to satisfy C, then the
proxy server fetches the pages and sends them to the client encrypted with
the self-signed certificate, which satisfies B.


Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611


From: Alex <alex.everett () UNC EDU>
Date: 12/20/2007 10:48 AM
Please respond to: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] paloalto firewall

I thought I might add to the speculation :)
The key (I hope) issue is that the end-user (Client) will need to be
presented with a valid SSL cert.
The SSL Cert is tied to a host, typically a fully qualified domain name.
Of course, for #2 you must be in the flow of traffic (active).

It seems you could do this a few ways:

Passive or Active
1. Have the private keys for all sites using SSL
   a. Decrypt PKI messages to obtain symmetric keys
   b. Decrypt messages encrypted with the symmetric key.

Active
2. Have the man-in-the-middle present the end-user with a valid
   certificate
   a. Act as a proxy for SSL connections by establishing two separate
      SSL sessions.
   b. DNS points to man-in-the-middle as the web server (or just drop
      end-user's traffic and spoof responses)
   c. Present the end-user with a valid certificate (maybe a wildcard
      cert)
   d. Most servers don't require the client to have a cert, so act as a
      client to the web-server(s). Here you are creating sessions to the
      real web-server.
   e. Pass data back and forth between client and server.

Comments?

-Alex
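
Jeff's three requirements (A, B, C) and Alex's point that the end-user has to be presented with a valid certificate both describe what a TLS client checks before it stops warning. The Go program below is an added illustration, not code from either poster or from Palo Alto Networks: it builds a constructed in-memory CA (standing in for the CA certificate an organisation would push to its clients), issues a server certificate for the placeholder name proxy.example.edu, and runs Go's standard X.509 verifier against a good certificate, one issued by a CA the client does not have installed, one that has expired, and one presented for the wrong name, labelling each rejection with the requirement it misses. The CA names, host names and dates are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "proxy.example.edu" // placeholder name for the constructed certificates, not from the thread

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert generates a fresh P-256 key, has parent sign tmpl for it (self-signs
// when parent is nil) and returns the parsed certificate together with its key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// certTemplate describes either a CA (isCA) or a server certificate for name.
func certTemplate(name string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name} // modern clients match the SAN, not the CN
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Check is the client's side of the thread: leaf is accepted only if it chains
// to a CA in roots (A), is in date at now (B) and was issued for name (C).
func Check(leaf *x509.Certificate, roots *x509.CertPool, name string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: now})
	return err
}

// Classify maps the verifier's error onto the thread's A/B/C labels.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "A: issuer not trusted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "B: outside validity period"
	case errors.As(err, new(x509.HostnameError)):
		return "C: name mismatch"
	}
	return "other: " + err.Error()
}

// BuildFixtures returns a pool holding one constructed "organisation CA" (the CA a
// proxy would need installed on every client) and three leaves: good, expired, untrusted.
func BuildFixtures(now time.Time) (roots *x509.CertPool, good, expired, untrusted *x509.Certificate) {
	orgCA, orgKey := mkCert(certTemplate("Constructed Org CA", true, now.Add(-time.Hour), now.Add(24*time.Hour)), nil, nil)
	otherCA, otherKey := mkCert(certTemplate("Constructed Other CA", true, now.Add(-time.Hour), now.Add(24*time.Hour)), nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(orgCA)
	good, _ = mkCert(certTemplate(host, false, now.Add(-time.Hour), now.Add(time.Hour)), orgCA, orgKey)
	expired, _ = mkCert(certTemplate(host, false, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), orgCA, orgKey)
	untrusted, _ = mkCert(certTemplate(host, false, now.Add(-time.Hour), now.Add(time.Hour)), otherCA, otherKey)
	return roots, good, expired, untrusted
}

func main() {
	now := time.Date(2007, 12, 20, 12, 0, 0, 0, time.UTC) // the thread's date, fixed for repeatable output
	roots, good, expired, untrusted := BuildFixtures(now)
	fmt.Println("trusted CA, in date, right name:", Classify(Check(good, roots, host, now)))
	fmt.Println("CA not installed on the client: ", Classify(Check(untrusted, roots, host, now)))
	fmt.Println("expired:                        ", Classify(Check(expired, roots, host, now)))
	fmt.Println("issued for a different name:    ", Classify(Check(good, roots, "other.example.edu", now)))
}
```

The case labelled A is the one Jeff describes: unless the proxy's CA is in the client's trust store, the verifier (like a browser) rejects the certificate no matter how convincing it looks, which is why the setup in this thread depends on distributing a CA certificate to every client. All three conditions are checked and any failure is fatal; that fail-closed behaviour on the client is what produces the warning the first message mentions.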

-----Original Message-----
From: Mike Corcoran [mailto:mike.corcoran () WRIGHT EDU]
Sent: Thursday, December 20, 2007 1:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] paloalto firewall

David Morton wrote:

Mike do you have more info on their capabilities?


I went to a presentation by PaloAlto in Cincinnati, OH on 10/3/07.  The
presenter was Nir Zuk (formerly of CheckPoint).
He explained the SSL decryption using "man in the middle."
Since we have not demo'd the box yet I don't have much information to
share.
I can only suggest the web site http://www.paloaltonetworks.com/ for more
information.

Mike
--
Mike Corcoran, Systems Security Engineer Wright State University, CaTS
Voice:937-775-2431, Fax:937-775-4049 http://www.cats.wright.edu/