Author: mandrei99
Posted: Sat Jul 27, 2013 3:59 pm

Juniper SRX Branch - Blocking HTTPS websites using the AppFW (application-firewall) feature - Part 2

For part 1, click here: http://forum.ivorde.ro/juniper-srx-branch-blocking-https-websites-using-the-appfw-application-firewall-feature-part-1-t14981.html
For the client part, I won't be using a browser, but command line openssl s_client:
Code:
usage: s_client args

-host host     - use -connect instead
-port port     - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify arg   - turn on peer certificate verification
-cert arg     - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg      - Private key file to use, in cert file if
                 not specified but cert file is.
-keyform arg  - key format (PEM or DER) PEM default
-pass arg     - private key file pass phrase source
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-reconnect    - Drop and re-make the connection with the same Session-ID
-pause        - sleep(1) after each read(2) and write(2) system call
-showcerts    - show all certificates in the chain
-debug        - extra output
-msg          - Show protocol messages
-nbio_test    - more ssl protocol testing
-state        - print the 'ssl' states
-nbio         - Run with non-blocking IO
-crlf         - convert LF from terminal into CRLF
-quiet        - no s_client output
-ign_eof      - ignore input eof (default when -quiet)
-no_ign_eof   - don't ignore input eof
-psk_identity arg - PSK identity
-psk arg      - PSK in hex (without 0x)
-srpuser user     - SRP authentification for 'user'
-srppass arg      - password for 'user'
-srp_lateuser     - SRP username into second ClientHello message
-srp_moregroups   - Tolerate other than the known g N values.
-srp_strength int - minimal mength in bits for N (default 1024).
-ssl2         - just use SSLv2
-ssl3         - just use SSLv3
-tls1_2       - just use TLSv1.2
-tls1_1       - just use TLSv1.1
-tls1         - just use TLSv1
-dtls1        - just use DTLSv1
-mtu          - set the link layer MTU
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
-bugs         - Switch on all SSL implementation bug workarounds
-serverpref   - Use server's cipher preferences (only SSLv2)
-cipher       - preferred cipher to use, use the 'openssl ciphers'
                 command to see what is available
-starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.
-engine id    - Initialise and use the specified engine
-rand file:file:...
-sess_out arg - file to write SSL session to
-sess_in arg  - file to read SSL session from
-servername host  - Set TLS extension servername in ClientHello
-tlsextdebug      - hex dump of all TLS extensions received
-status           - request certificate status from server
-no_ticket        - disable use of RFC4507bis session tickets
-nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-keymatexport label   - Export keying material using label
-keymatexportlen len  - Export len bytes of keying material (default 20)


The actual openssl command used to generate HTTPS traffic with SNI through the SRX, which performs the Layer 7 inspection, is:
Code:
# setfib 2 /usr/local/bin/openssl s_client -connect 10.1.120.2:443 -tls1 -servername www.backbook.com
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1374924103
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


Below is a tcpdump capture showing what's happening on the wire (the raw ClientHello bytes that tcpdump prints to the terminal appear as malformed output):
Code:
# tcpdump -nni vlan121
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan121, link-type EN10MB (Ethernet), capture size 65535 bytes
13:23:42.032961 IP 10.1.121.2.61349 > 10.1.120.2.443: Flags [S], seq 632218288, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 87727648 ecr 0], length 0
13:23:42.035726 IP 10.1.120.2.443 > 10.1.121.2.61349: Flags [S.], seq 1302576609, ack 632218289, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 1252343843 ecr 87727648], length 0
13:23:42.035795 IP 10.1.121.2.61349 > 10.1.120.2.443: Flags [.], ack 1, win 4163, options [nop,nop,TS val 87727651 ecr 1252343843], length 0
13:23:42.037656 IP 10.1.121.2.61349 > 10.1.120.2.443: Flags [P.], seq 1:254, ack 1, win 4163, options [nop,nop,TS val 87727652 ecr 1252343843], length 253
E..1..@.@.).
.y.
.x..z....S..n.b...Ci......
.;24...............Q....Y....._.(....N%."|*......q...h...
...!.9.8.........5...............
...     .....3.2.....E.D...../...A...................   ................b.........www.backbook.com.........
.........       .
...................................#.......
^C
13:23:42.042740 IP 10.1.120.2.443 > 10.1.121.2.61349: Flags [.], ack 254, win 4147, options [nop,nop,TS val 1252343850 ecr 87727652], length 0
13:23:42.848677 IP 10.1.120.2.443 > 10.1.121.2.61349: Flags [R.], seq 1, ack 254, win 8192, length 0


As you may recall from part 1 of this article, the dynamic application whose signature matches the "backbook.com" domain name is referenced by an application firewall rule whose action is "reject":
Code:
...    rule 0 {
        match {
            dynamic-application block-backbook-uri;
        }
        then {
            reject;
        }
    }...


The last packet of this TCP conversation is an [R.] (RST/ACK) packet, which is the effect of the "reject" rule.

Let's take a look at the application identification cache and the application firewall statistics on the Juniper SRX firewall:
Code:
root@SRX-1> show services application-identification application-system-cache   
Application System Cache Configurations:
  application-cache: on
  nested-application-cache: on
  cache-unknown-result: on
  cache-entry-timeout: 3600 seconds
pic: 0/0
Logical system name: 0                                           
IP address: 10.1.120.2                               Port: 443    Protocol: TCP
Application: SSL:BACKBOOK                            Encrypted: Yes 


root@SRX-1> show security application-firewall rule-set all
Rule-set: filter-http
    Rule: 0
        Dynamic Applications: block-backbook-uri
        Action:reject
        Number of sessions matched: 1
Default rule:permit
        Number of sessions matched: 0
Number of sessions with appid pending: 0


Below is a snapshot of the SRX data plane debugging output for application identification and application firewall:
Code:
[0214] T01 ai_ssl_process_client_hello: compression method length 2
[0215] T01 ai_ssl_process_client_hello: read_len 144, msg_len 244, extensions expected
[0216] T01 ai_ssl_process_client_hello: extension length 98
[0217] T01 ai_ssl_process_client_hello: Extension Type: 0x0
[0218] T01 ai_ssl_process_client_hello: Extension Length: 0x15
[0219] T01 ai_ssl_process_client_hello: Extension: SERVER_NAME
[0220] T01 ai_decoder_add_context: checking 'SSL', 'ssl-server-name', 'CTS', 16 byte(s)
[0221] T01 77 77 77 2e 62 61 63 6b 62 6f 6f 6b 2e 63 6f 6d     www.backbook.com
[0222] T01
[0223] T01 ai_decoder_add_context:  updated cts_context_reported 0x00000000 00000001, is_any=1
[0224] T01 ai_decoder_add_context:  updated stc_context_reported 0x00000000 00000001, is_any=1
[0225] T01 ai_decoder_add_context: dfa group, signature 's01' member 'm01' matched
[0226] T01 ai_nested_check_match: 's01', single, index in protocol 0, member index in signature 0
[0227] T01 ai_nested_check_match: updated match state 0x0001
[0228] T01 ai_nested_check_match: signature 's01' COMPLETELY MATCHED, 'BACKBOOK'(418) order 33734
[0229] T01 ai_nested_check_match: saved match 'NULL'(0) order 0, replaced
[0230] T01 ai_ssl_process_client_hello: Extension Type: 0xb
[0231] T01 ai_ssl_process_client_hello: Extension Length: 0x4
[0232] T01 ai_ssl_process_client_hello: Extension Type: 0xa
[0233] T01 ai_ssl_process_client_hello: Extension Length: 0x34
[0234] T01 ai_ssl_process_client_hello: Extension Type: 0x23
[0235] T01 ai_ssl_process_client_hello: Extension Length: 0x0
[0236] T01 ai_ssl_process_client_hello: Extension Type: 0xf
[0237] T01 ai_ssl_process_client_hello: Extension Length: 0x1
[0238] T01 ai_tcp_stream_remove_consumed: current packet consumed
[0239] T01 ai_tcp_stream_remove_consumed[cts]: 10.1.121.2:61349 -> 10.1.120.2:443 [6], seq=1190790513-1190790765, unconsumed=1190790766
[0240] T01 ai_decode: cts 0 bytes, stc 0 bytes inspected in transaction
[0241] T01 ai_decode: context reported cts 0x00000000 00000001, stc 0x00000000 00000001
[0242] T01 ai_decode: context valid cts 0x00000000 00000001, stc 0x00000000 00000001
[0243] T01 ai_decode: all context(s) reported in this transaction
[0244] T01 ai_nested_run: CTS 'SSL' packet size 253, 2 DFA(s)
[0245] T01 16 03 01 00 f8 01 00 00 f4 03 01 51 f3 ad 47 90     ...........Q..G.
[0246] T01 58 19 4d d4 b5 38 5e f0 34 a9 b2 2c b3 58 96 09     X.M..8^.4..,.X..
[0247] T01 2f 21 69 a8 bc ac f3 64 54 70 45 00 00 68 c0 14     /!i....dTpE..h..
[0248] T01 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f     ...".!.9.8......
[0249] T01 c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16     ...5............
[0250] T01 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e     ................
[0251] T01 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04     .3.2.....E.D....
[0252] T01 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02     ./...A..........
[0253] T01 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08     ................
[0254] T01 00 06 00 03 00 ff 02 01 00 00 62 00 00 00 15 00     ..........b.....
[0255] T01 13 00 00 10 77 77 77 2e 62 61 63 6b 62 6f 6f 6b     ....www.backbook
[0256] T01 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00 34     .com...........4
[0257] T01 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09     .2..............
[0258] T01 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15     ................
[0259] T01 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f     ................
[0260] T01 00 10 00 11 00 23 00 00 00 0f 00 01 01              .....#.......
[0261] T01
[0262] T01 ai_nested_run: cts current 0 limit 500, stc current 0 limit 112
[0263] T01 ai_module_match_packet: current packet consumed, no need to clone
[0264] T01 ai_module_appid2name: id '79' -> name 'SSL'
[0265] T01 ai_module_appid2name: id '32768' -> name 'BACKBOOK'
[0266] T01 10.1.121.2:61349 -> 10.1.120.2:443 [6] len 253 remain 0 ==> appid SSL:BACKBOOK state PRE_MATCH:TRANSACTION_FINAL sig_type BOTH partial no mindata c2s 144 s2c 144
[0267] T01 appid_ha_send_match_result: session 0xef, sid 0xef, state 0x80002064, app_id 79, app_ext_id 32768, message length 76
[0268] T01 appid_ha_send_match_result: HA is off
[0269] T01 sc_msvcs_appid_data_event_handler: ctx 0x4dd90b88
[0270] T01 sc_msvcs_appid_data_event_handler: MSVCS_DATA_EV_PKT_PROC
[0271] T01 sc_appid_process_packet[cpu 1]: lsys_id 0----------APPID PACKET RECEIVE EVENT----------


This article explains how to block HTTPS websites based on the SNI without doing SSL/TLS proxying.
Note 1: For older browsers that do not support SNI, this approach has no effect; a third-party proxy or a high-end Juniper SRX device capable of SSL Forward Proxy is needed instead.
Note 2: In some situations it is probably more convenient to block the IP address of the destination HTTPS server. I am not claiming this is the best method; take it as a proof-of-concept article.
Note 3: The signature as well as the ideas in this article are exemplary and do not express Juniper's point of view.
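As an added example (not part of the original post and not Juniper's decoder), the following Python code re-types the 253-byte ClientHello from the AppID debug dump above and walks it the same way the SRX trace does: skip to the extensions, find extension type 0x0 (SERVER_NAME), pull out the host name, and apply a rule that returns "reject" when the name matches the blocked domain. It also covers Note 1: a hello with no SNI extension yields no name and falls through to the default "permit". The suffix-match rule and the no-SNI hello are my own constructed assumptions.

```python
import struct

# The 253-byte ClientHello from the SRX AppID debug dump above (record 16 03 01 00 f8 ...),
# re-typed from its hex columns.
CLIENT_HELLO = bytes.fromhex(
    "16030100f8010000f4030151f3ad479058194dd4b5385ef034a9b22cb3589609"
    "2f2169a8bcacf364547045000068c014c00ac022c0210039003800880087c00f"
    "c00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e"
    "00330032009a009900450044c00ec004002f009600410007c011c007c00cc002"
    "000500040015001200090014001100080006000300ff02010000620000001500"
    "130000107777772e6261636b626f6f6b2e636f6d000b000403000102000a0034"
    "0032000e000d0019000b000c00180009000a0016001700080006000700140015"
    "0004000500120013000100020003000f0010001100230000000f000101"
)
# Constructed: the same hello truncated after compression_methods (no extensions block),
# with the record (0x94) and handshake (0x90) lengths shortened to match. Models a non-SNI client.
NO_SNI_HELLO = b"\x16\x03\x01\x00\x94\x01\x00\x00\x90" + CLIENT_HELLO[9:153]


def extract_sni(record: bytes):
    """Return the host name from the server_name extension of a ClientHello, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")   # type 22 handshake, msg type 1
    body = record[9:9 + int.from_bytes(record[6:9], "big")]  # handshake body
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")      # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None                                          # hello carries no extensions
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # SERVER_NAME, name type host_name
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
    return None


def appfw_action(record: bytes, blocked=("backbook.com",)) -> str:
    """Model the AppFW rule-set: 'reject' when the SNI is a blocked domain, else default 'permit'."""
    sni = extract_sni(record)
    if sni is None:
        return "permit"   # Note 1: without SNI the signature cannot match; default rule applies
    host = sni.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in blocked):
        return "reject"
    return "permit"
```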


Links that will provide more info on Juniper's AppID and AppFW features:
Juniper IDP Application Identification for Security Devices http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-idp-application-identification.pdf
Juniper Application firewall http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-application-firewall.pdf