Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 2

Introduction

In part one of this article series, I presented what the ISA Server Toolkit is and how to install it on your ISA firewall. In this second part, we are going to see how ISA Server handles SSL connections natively, and I will focus on one of the ISA Server Toolkit components: SSL Decoder. How does this security component work, and how do you configure it?

Natively, ISA Server cannot inspect outbound SSL connections. You may wonder how ISA Server handles these requests. It is important to know this in order to understand how SSL Decoder works, later in this article.

1. The client sends a request to access a secure (SSL) web site;

2. ISA Server forwards the request to the specified web server;

3. The web server sends its response to ISA Server;

4. ISA Server forwards the response to the client;

5. The client establishes a secure tunnel with the web server and they start to exchange encrypted data.

As you can see, once the secure tunnel is established between the client and the remote web server, ISA only forwards packets between them. This happens because the web server exchanged certificates with the client itself, not with ISA, so ISA Server cannot see what is inside the tunnel.

We can make an analogy with a VPN tunnel connection between a source and a destination VPN server: the devices in between carry the tunnel but cannot read its contents.


How does ISA handle SSL connections?


With SSL Decoder added, your ISA firewall starts to act like a man-in-the-middle (MITM) instead of just forwarding packets between the client and the remote web server:

1. The client issues a request to an HTTPS web site using the CONNECT method;

2. The ISA firewall intercepts the request, copies the web site's certificate and establishes a secure connection with the client machine. ISA impersonates the web site;

3. The client sends a GET request to the "remote web server", which in this case is the ISA firewall;

4. The ISA firewall establishes a secure connection (SSL handshake) with the remote web server;

5. ISA receives the response to the client's request from the remote web server and forwards it to the client machine;

6. The object requested by the client is re-encrypted before being delivered to it.


Advantages and Disadvantages

Although SSL Decoder brings ISA Server to a new level in terms of security, it can also introduce some drawbacks. Here are some advantages and disadvantages of using SSL Decoder:

Advantages:

- Block unauthorized web sites: one of the most common wishes of ISA administrators is to block HTTPS web sites, such as http://www.imo.im, from user access. Since ISA cannot do this natively, this is certainly an advantage of using SSL Decoder;

- Get into SSL traffic: blocking badware (malware) and the many present-day exploits that are web-based are further benefits of using SSL Decoder. Additionally, you can filter any SSL content using all kinds of third-party software;

- Confidential information leakage: many webmail services are SSL-enabled. This is a problem if a bad-intentioned employee wants to steal valuable information from the company. The company's corporate firewall (ISA Server) must be able to inspect this kind of traffic.

Disadvantages:

- Processor load: the SSL protocol brings a great level of security to those who use it. However, as you might know, nothing is all good: encrypting and decrypting traffic introduces processor overhead on the ISA machine;

- Ethical issues: web sites carrying personal user information, such as bank web sites, can be an issue, since ISA will see their traffic as a regular HTTP connection, giving the administrator the ability to see what is passing through.


Configuring SSL Decoder

Now that we understand how both ISA Server and SSL Decoder work with SSL web sites, we can start to configure the software component.

SSL Decoder works in four different ways:

- The first scenario (as referred to in the ISA Server Toolkit help file) does nothing: the ISA firewall's behaviour is not changed when you have SSL Decoder installed;

- The second scenario, generally speaking, is intended for when you have the ISA firewall installed as your edge firewall (the most common case);

- The third scenario is used when you have the ISA firewall acting as a downstream proxy;

- The fourth scenario complements the third. It is used when ISA is acting as an upstream proxy.

The following picture summarizes the above scenarios:


In our case we are going to use Scenario 2, since we are using ISA as an edge firewall. This is the default configuration when you install SSL Decoder. To see it, navigate to the ISA Server Toolkit node and click on the Web Filters tab. Under SSL Decoder, click the Configure… link and then click the Settings button, as in the figure below:


Make sure Decrypt and Encrypt (Scenario 2) is selected and click OK.


In the Root Certificate section, click the Settings button, as in the picture below:


At this stage we are going to create the certificate that ISA Server will use to establish secure connections with the client machines on the internal network.

We have two options: Generate a New Root Certificate or Load Existing Root Certificate From File. We are going to use the first option here. But if you are reinstalling ISA or SSL Decoder, you can use the second option to load a backup certificate file you created previously.


Fill in the Root Certificate information using your company details, like below:


On the next screen, click the Install Root Certificate button to install the certificate on ISA.


After the certificate is installed, we export it as a .cer file to install in the clients' Trusted Root Certification Authorities store.


The other options to configure in SSL Decoder are the Whitelist of web sites (sites to leave alone, for ethical reasons or some other constraint) and the Additional Settings.

In Additional Settings, the default setting is Modify Web Proxy log files: the ISA web proxy log will record the source client IP address instead of the ISA (localhost) IP address, making access more traceable. The other option is Enable connection errors logging; this setting is intended for advanced debugging if you are having major problems with SSL Decoder. We will leave the default configuration.
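As an added example (it is not from the article or from the ISA Server Toolkit), the PowerShell script below installs the exported .cer on a client and then opens HTTPS connections through the ISA web proxy to report which certificate issuer the client actually sees: a decoded site shows the ISA root as issuer, while a whitelisted site shows its real public CA. The .cer path, proxy URL, root subject pattern and test sites are assumed placeholders; adjust them to your environment.

```powershell
# Added example, not part of the article or the ISA Server Toolkit.
# Assumed values below: adjust the .cer path, proxy URL, subject pattern
# and test sites to your own environment.
param(
    [string]$CerPath          = "C:\Deploy\ISA-SSLDecoder-Root.cer",
    [string]$ProxyUrl         = "http://isa.corp.example:8080",
    [string]$RootSubjectMatch = "*SSL Decoder*",
    [string[]]$TestSites      = @("https://www.imo.im/", "https://www.example.com/")
)

# 1. Install the exported root certificate into the machine-wide
#    Trusted Root Certification Authorities store (run as administrator).
#    certutil exists on every Windows version an ISA 2006 client runs.
& certutil.exe -addstore -f Root $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to import $CerPath" }

# 2. Confirm the root is now present in the store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $RootSubjectMatch }
if (-not $root) { throw "Root certificate not found in LocalMachine\Root" }
"Installed root: $($root.Subject)  thumbprint $($root.Thumbprint)"

# 3. Open each test site through the ISA web proxy and report the issuer of
#    the certificate the client received. A site SSL Decoder decrypts presents
#    a certificate issued by the ISA root; a whitelisted site presents the
#    real server certificate issued by its public CA.
$proxy = New-Object System.Net.WebProxy($ProxyUrl)
foreach ($site in $TestSites) {
    $req = [System.Net.HttpWebRequest]::Create($site)
    $req.Proxy  = $proxy
    $req.Method = "HEAD"
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        $issuer      = $req.ServicePoint.Certificate.Issuer
        $intercepted = $issuer -like $RootSubjectMatch
        "{0,-30} issuer: {1}  decoded by ISA: {2}" -f $site, $issuer, $intercepted
    } catch [System.Net.WebException] {
        # A trust failure here usually means the root was installed in a
        # different store (for example the user store) than the one the
        # client application checks.
        "{0,-30} ERROR: {1}" -f $site, $_.Exception.Message
    }
}
```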

 

Summary

In this second part we looked at how ISA Server tunnels HTTPS requests and how SSL Decoder acts like a man-in-the-middle to inspect SSL-encrypted traffic. The other topic of this article was making the major configuration settings on SSL Decoder.

In the next part we will finish the SSL Decoder and ISA firewall configuration and test it. See you then!


This entry was posted in ISA Server. Bookmark the permalink.

One Response to Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 2

  1. Pingback: Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 3 | Paulo's Oliveira blog
