CPX 2023 HTTPS Best Practices v3

The document discusses best practices for inspecting HTTPS traffic. It covers performance concerns with HTTPS inspection and provides results from testing throughput, connections per second, and CPU load when inspecting HTTPS traffic using Check Point's Quantum Maestro. It also discusses the financial risks of not inspecting HTTPS traffic versus investing in prevention techniques.

HTTPS Inspection Best Practices – Preventing Attacks

Peter Elmer | Principal Security Expert | Office of the CTO


December 2022

©2022 Check Point Software Technologies Ltd. 1





Thanks to Tom Kendrick for supporting the Maestro lab testing!


81% of Internet traffic is HTTPS
Are you looking inside?



Most customers don’t inspect HTTPS
• Performance concerns

• Potential impact on business applications



Performance Concerns
Are datasheets helpful for understanding the impact?
Numbers with limited context: which Application Control and Zero-Day Prevention features were enabled, at which connection rate, at which throughput?
[Figure: excerpt of a vendor datasheet. Source: Fortinet, public web site]
[Figures: the three dimensions measured in the lab tests: throughput, connections per second, CPU load]


Testing HTTPS Inspection Performance
Quantum Maestro (recommended release R81.10), executing Access Control and Threat Prevention
• Security Group: 4x SecureXL Distributors, 12x CoreXL FW_workers
• Load: 2000 clients, 100 servers
• Traffic mix, 76% HTTPS: online collaboration (HTTPS), interactive (SSH), file sharing (CIFS), video (HTTPS securing video), HTTPS applications, DNS
• Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (Cipher ID 0x00009D)
Results
• Throughput: 860 Mbps
• Connections per second: 2200 conx/sec
• CPU load: 82 %
Testing HTTPS Inspection Performance
Measured on the Security Group (4x SecureXL Distributors, 12x CoreXL FW_workers) with asg perf -v --delay 4; no failures observed.
• Throughput: 860 Mbps
• Connections/second: 2200 conx/sec
• CPU load (average): 82 %
Take Aways?
Financial Risk Management – Investing vs. ‘Expecting the Breach’
Inspecting only clear traffic
• 76% of the traffic mix is HTTPS the gateway does not look into: it is blind to most attacks
• 860 Mbps, 2200 conx/sec at 21 % CPU
[Chart: percentage of traffic secured vs. CPU load, ‘Preventing’ against ‘Being blind to most of attacks’]
Take Aways?
Financial Risk Management – Investing vs. ‘Expecting the Breach’
• Investing in prevention is based on dialog
• Expecting the breach: $4.35 million, the average cost of a data breach (IBM Data Breach Report, 2022)
• Inspecting HTTPS: 860 Mbps, 2200 conx/sec at 82 % CPU
[Chart: percentage of traffic secured vs. CPU load as on the previous slide, with the cost of each option ($ vs. $?) added]
CONTROLLING HTTPS INSPECTION
ENSURING BUSINESS CONTINUITY



Understanding Policies Matching
• HTTPS Inspection Policy
• Gateway Topology
• Access Control Policy
• Threat Prevention Policy


Outbound HTTPS Inspection
How does it work?
• TLS Client Hello issued by the client computer
• Intercepted by the gateway
• Gateway issues its own TLS Client Hello to the cloud service, using the source IP address of the client computer
• Service sends TLS Server Hello including its certificate (issued by a public Certificate Authority)
• Gateway verifies this certificate
• Gateway's internal CA (gwCA) issues a new certificate for subject ‘Cloud Service’; signing is performed by the gateway's CA
• Client computer verifies the certificate presented in the TLS Server Hello; this succeeds because gwCA is in the client's Trusted Root Certificates Store
Certificate verification requires DNS to work correctly (mapping of FQDNs to the certificate's Subject field)
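The certificate side of this flow, replayed with the openssl CLI (1.1.1 or later) as an added example; this is not part of the original deck and not Check Point's implementation. A "public" CA stands in for the cloud service's real CA, gwCA plays the gateway's internal CA, and www.example.com is the assumed service name. The gateway step verifies the real certificate (including the hostname) before it issues a replacement with the same subject and SAN under a new key, and the last lines show why the client outcome depends purely on whether gwCA is in its trust store.

```shell
#!/usr/bin/env bash
# Added example, not Check Point code. Names (pubca, gwca, www.example.com)
# are assumptions for the demo. Requires openssl >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.com"

# Minimal openssl config so the demo does not depend on the system openssl.cnf
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME CN: self-signed CA certificate and key in $WORK/NAME.{key,crt}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME SUBJ SAN: server certificate NAME signed by CA with the
# given subject (e.g. /CN=host) and subjectAltName (e.g. DNS:host)
issue_leaf() {
  ca=$1; name=$2; subj=$3; san=$4
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$WORK/$name.ext"
  openssl x509 -req -days 30 -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# gateway_resign ORIG NEW: what the gateway does after the Server Hello.
# With set -e a failed verification aborts here, i.e. nothing gets re-signed.
gateway_resign() {
  orig=$1; new=$2
  # 1. verify the service certificate against the public trust store, hostname included
  openssl verify -CAfile "$WORK/pubca.crt" -verify_hostname "$HOST" "$WORK/$orig.crt" >/dev/null
  # 2. copy subject and SAN from the verified certificate
  subj=$(openssl x509 -in "$WORK/$orig.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  san=$(openssl x509 -in "$WORK/$orig.crt" -noout -ext subjectAltName | tail -n +2 | tr -d ' ')
  # 3. issue the replacement under a new key, signed by gwCA (the gateway never
  #    has the service's private key)
  issue_leaf gwca "$new" "/$subj" "$san"
}

# client_verify TRUSTCA CERT: the client's check of the certificate it sees in
# the Server Hello; succeeds only if the signing CA is in its trust store
client_verify() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$HOST" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_issuer NAME: issuer DN of a certificate, e.g. CN=gwCA
cert_issuer() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

make_ca pubca "Public Root CA"                      # stands in for the service's real CA
make_ca gwca "gwCA"                                 # the gateway's internal CA
issue_leaf pubca service "/CN=$HOST" "DNS:$HOST"    # the cloud service's real certificate
gateway_resign service resigned                     # the certificate the client will see

echo "issuer of the certificate the client sees: $(cert_issuer resigned)"
if client_verify gwca resigned; then echo "client with gwCA in its trust store: accepted"; fi
if ! client_verify pubca resigned; then echo "client without gwCA: certificate error"; fi
```

The same two openssl verify calls are the quickest way to triage a "certificate error" complaint during a rollout: run them with the certificate a client actually received and it is immediately clear whether the gwCA distribution or the upstream certificate (the gateway's own verification step) is the problem.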


Agile Policies
Granular Control
• Updatable Objects and Domain Objects in FQDN mode are supported; this eases the description of cloud hosted services
• Configure a ‘catch all’ rule for administrative visibility
• Integrating the HTTPS Inspection Policy into the SmartConsole helps understanding it in the context of the Access Control and Threat Prevention Policies
Agile Policies
Updatable Objects
• Ease configuration for traffic directed to cloud hosted services
• Remember: Updatable Objects don‘t require policy installation once used; new objects can be added to the tree without updating the SmartConsole
• Updatable Objects describing sites using Certificate Pinning: refer to sk112214 for examples of sites impacted by certificate pinning
Updatable Objects Support in HTTPSi Policy
DNS Passive Learning
Gateway intercepting DNS requests
• The gateway should use the same DNS server the clients use
• If clients use a different DNS server, configure a host object for it with the ‘DNS Server’ option enabled
sk161612


Updatable Objects Support in HTTPSi Policy
DNS Passive Learning
Monitor DNS Passive Learning with domains_tool, e.g.

domains_tool -d www.example.com

sk161632


HTTPS Inspection Policy In SmartConsole
Integrated in the context of Access Control and Threat Prevention
• HTTPS Inspection Policy shown in policy package

CPX 360



Working With Custom Site Objects
Understand the performance impact of regular expressions
Keep the object content simple
• Use wildcards – fewer URL entries
• Respect the regex guidance in sk106623
• Don‘t nest group objects (sk165094)


HTTPS Inspection
Trusted root CA certificate list
• The trusted root CA certificate list is used by HTTPS Inspection and by ‘Categorize HTTPS websites’
• “Download and install updates automatically” is enabled by default on fresh installs of R81 and later
sk173629


• Supported since R81
• Enabled by default since R81.10
• User Mode based
• New WTLSD engine
Check the Admin Guide.


• HTTP/2 supported since R80.40
sk116022


Allowing Only TLS 1.2
Binding an HTTPS service object to the TLS 1.2 protocol
• Enable Protocol Signature enforcement on the service object
• R81 and later support TLS 1.3
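To see what such a version pin looks like from the client side before enforcing it on the gateway, here is an added local reproduction (not part of the deck, not Check Point tooling): an openssl s_server bound to TLS 1.2 only, probed by s_client pinned to TLS 1.2 and to TLS 1.3. The listening port, the throwaway certificate and the use of loopback are assumptions for the demo; the same s_client probes, pointed at a real service through the gateway, confirm that the rule lets TLS 1.2 through and nothing else.

```shell
#!/usr/bin/env bash
# Added example, not Check Point code. Requires openssl >= 1.1.1 with TLS 1.3
# support and a usable loopback interface; port and cert are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT=$((20000 + $$ % 20000))

# Throwaway self-signed certificate for the test server
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.crt" 2>/dev/null

# handshake VERSIONFLAG: returns 0 if a client pinned to that TLS version
# (e.g. -tls1_2, -tls1_3) completes the handshake with the test server
handshake() {
  openssl s_client -connect "127.0.0.1:$PORT" "$1" </dev/null >/dev/null 2>&1
}

# start_tls12_server: server that offers TLS 1.2 only (no 1.0/1.1, no 1.3),
# the server-side counterpart of a service object bound to TLS 1.2
start_tls12_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/srv.crt" -key "$WORK/srv.key" \
    -tls1_2 -www >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0
  while ! handshake -tls1_2 && [ "$i" -lt 50 ]; do   # wait for the listener
    i=$((i + 1)); sleep 0.1
  done
}

stop_server() { kill "$SERVER_PID" 2>/dev/null || true; }

start_tls12_server
trap stop_server EXIT

for v in -tls1_2 -tls1_3; do
  if handshake "$v"; then echo "client pinned to $v: handshake accepted"
  else echo "client pinned to $v: handshake rejected"; fi
done
```

A TLS 1.3 client is rejected at the handshake (protocol version alert), not by a content rule, which is exactly the symptom users report when an application negotiates a version the service object does not allow; knowing it in advance makes the monitoring phase before enforcement much shorter.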


Prevent Unknown Traffic
Learn what you need – block anything else
Prevent unknown traffic after a monitoring phase
• Start monitoring unknown traffic using ‘Extended Log’ to see each URL accessed
• Measure the traffic volume
• Validate the traffic and decide if it is legitimate
• Create allow rules for legitimate traffic above the unknown-traffic rule (custom application signatures: sk103501)
• Move the unknown-traffic rule from Log to Prevent (DROP + LOG)
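The "measure the traffic volume" step of this procedure, as an added example (not part of the deck, not a Check Point tool): a small awk-based summary of the log entries an unknown-traffic rule produced during monitoring, per destination host, so each host can be validated and turned into an allow rule before the rule is moved to Prevent. The log lines are constructed for the demo and their field layout (time, source, destination, URL, bytes) is an assumption, not the gateway's log format; export from the real Extended Log would be adapted to it.

```shell
#!/usr/bin/env bash
# Added example, not Check Point code. Log lines and field layout below are
# constructed for the demo (time src dst url bytes), not the gateway's format.
set -eu

LOG="${LOG:-$(mktemp)}"
cat > "$LOG" <<'EOF'
2022-12-01T09:00:01 10.1.1.10 203.0.113.10 https://updates.example-vendor.com/agent/v3 1200000
2022-12-01T09:00:05 10.1.1.11 203.0.113.10 https://updates.example-vendor.com/agent/v3 1150000
2022-12-01T09:01:10 10.1.1.12 198.51.100.7 https://cdn.example-saas.net/assets/app.js 340000
2022-12-01T09:02:33 10.1.1.10 198.51.100.7 https://cdn.example-saas.net/api/session 2200
2022-12-01T09:03:47 10.1.1.50 192.0.2.99 https://random-host.example.org/x 512
2022-12-01T09:04:02 10.1.1.13 203.0.113.10 https://updates.example-vendor.com/agent/v3 1180000
EOF

# summarize LOGFILE: one line per destination host:
#   host  connections  distinct_sources  total_bytes   (largest volume first)
summarize() {
  awk '{
    split($4, u, "/"); host = u[3]              # host part of https://host/path
    conns[host]++; bytes[host] += $5
    if (!((host, $2) in seen)) { seen[host, $2] = 1; srcs[host]++ }
  } END {
    for (h in conns) printf "%s %d %d %d\n", h, conns[h], srcs[h], bytes[h]
  }' "$1" | sort -k4,4nr
}

# candidates LOGFILE MINSOURCES: hosts reached by at least MINSOURCES distinct
# clients, a first cut for the "validate and allow" step; a host hit by a
# single client (e.g. random-host.example.org) stays in the unknown bucket
candidates() {
  summarize "$1" | awk -v min="$2" '$3 >= min { print $1 }'
}

echo "host connections sources bytes"
summarize "$LOG"
echo "--- candidate allow-list entries (>= 2 distinct sources) ---"
candidates "$LOG" 2
```

Volume and breadth are only the first filter; each candidate still has to be validated (owner, purpose, certificate) before it becomes an allow rule, and whatever is left uncategorised after that is what the Prevent action will drop.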

