SSL Visibility: The Ultimate Passive Inspection Architecture

  • Published 18 Sep 2024
  • As the march toward a forward secrecy world continues, what options do you have to inspect and act as an intermediary? Join David Holmes as he presents options to maintain visibility in the SSL service chain.

COMMENTS • 12

  • @HughJass-jv2lt
    @HughJass-jv2lt 3 years ago +2

    Earlier this year, I had an interview at a Bank, with a manager on one of their security teams.
    (let's call them.. _bAlly Bank_ )
    He asked me to explain what *"perfect secret forwarding"* was.
    🙄🙄
    So.. I proceeded to explain that it's the layman's term for *Diffie-Hellman Ephemeral.*
    I then stated that in order to appreciate PFS... you have to understand RSA.
    I proceeded to explain the TLS 1.2 handshake process with RSA.
    I then explained that the problem with RSA is that a *"bad actor"* (like the NSA) could *still* sit in the MIDDLE and capture ALL your Encrypted Data. .. and at some point... years later... Decrypt the data by deriving the "session key", if they ever got their hands on the original RSA *private key.*
    The interview was on zoom... but I'm pretty sure his eyes glazed over.
    😆😆
    I tried to recover; I made a tangent by talking about how one of the *unforeseen disadvantages* of PFS & TLS 1.3... was that it "locks out" all the legitimate inline inspection functionality that is already in-place.
    To that one point,
    the manager finally chimed in;
    He interjected: "Well, that's not really a problem. You can just put a copy of the key on each of the inspection-devices...."
    🙄🙄
    Let's just say.... I didn't get the job.
    But... I may have *dodged* a bullet.
    ❤😆❤

    • @d3thdrive
      @d3thdrive 2 years ago +1

      Haha yeah, I think you dodged a bullet.

  • @ibrahimkunduraci3761
    @ibrahimkunduraci3761 3 years ago +1

    and what happens when the RSA key between the F5 and middle boxes gets leaked?

    • @yahiamhamdi5562
      @yahiamhamdi5562 2 years ago

      We can use PFS instead of RSA between F5 and the middle boxes, as is the case between F5 and the data center.
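The point made in @HughJass-jv2lt's comment above (a recorded RSA-key-exchange session can be decrypted years later if the server's private key ever leaks) and the key-leak question in this thread, as an added toy simulation that is not from the video or from any commenter: with RSA key transport, the recorded handshake plus the leaked private key yields the session key, while with DHE the long-term key only ever signed the ephemeral shares. All primes, the DH group, the key schedule stand-in and the transcript layout are constructed for this example and far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use (RSA keys are 2048+ bits;
# TLS uses X25519 or 2048-bit MODP groups for DHE). Nothing here is from the video.
P, Q = 1000003, 1000033              # constructed primes for the toy RSA key
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # long-term private exponent held by the server
DH_P, DH_G = 2**61 - 1, 5            # constructed DH group (M61 is a Mersenne prime)

def kdf(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: traffic key derived from the shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()

def share_digest(ga: int, gb: int) -> int:
    """Hash of the two ephemeral shares, reduced into the RSA modulus for the toy signature."""
    return int.from_bytes(hashlib.sha256(f"{ga}:{gb}".encode()).digest(), "big") % N

def rsa_handshake() -> tuple:
    """TLS 1.2 RSA key transport. Returns the wire transcript a passive tap records
    and the session key both endpoints derive from the pre-master secret."""
    pre_master = secrets.randbelow(N - 2) + 2
    transcript = {"kx": "RSA", "encrypted_pre_master": pow(pre_master, E, N)}
    return transcript, kdf(pre_master)

def dhe_handshake() -> tuple:
    """TLS 1.2 DHE_RSA: throwaway exponents a and b; only g^a and g^b cross the wire,
    signed by the server's long-term RSA key. Both exponents are dropped afterwards."""
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"kx": "DHE", "server_share": ga, "client_share": gb,
                  "signature": pow(share_digest(ga, gb), D, N)}  # toy RSA signature
    return transcript, kdf(pow(gb, a, DH_P))     # client computes pow(ga, b, DH_P)

def signature_ok(transcript: dict) -> bool:
    """What the long-term key protects in DHE: anyone with the public key can check
    that the server really sent these shares (authentication, not secrecy)."""
    digest = share_digest(transcript["server_share"], transcript["client_share"])
    return pow(transcript["signature"], E, N) == digest

def decrypt_later(transcript: dict, leaked_d: int):
    """A passive observer revisits a recorded handshake years later, now holding the
    leaked long-term private exponent. Returns the recovered session key, or None."""
    if transcript["kx"] == "RSA":
        # The long-term key wrapped the pre-master secret: unwrap it and rerun the KDF.
        return kdf(pow(transcript["encrypted_pre_master"], leaked_d, N))
    # DHE: the leaked key only covers the signature over the shares. The shared secret
    # needs a or b, which were never transmitted and no longer exist anywhere.
    return None
```

The same asymmetry is why a passive inspection design that relies on a copy of the server key stops working once DHE/ECDHE suites or TLS 1.3 are in use: the transcript no longer carries anything that key can unwrap.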

  • @ic0ns12345
    @ic0ns12345 6 years ago

    This is exactly the reason why TLS 1.3 is currently delayed. And this will be exactly the reason why TLS 1.4 will be delayed after that

  • @haritadepalli959
    @haritadepalli959 5 years ago +1

    The interesting thing about these F5 videos is how they transposed a transparent whiteboard in front of the speaker. Physically, this is impossible. I presume some video editing tool was used to flip the white board around. It works. But, it is unintuitive to viewers who are used to seeing a screen behind the speaker, while this shows the white board between the speaker and the viewers.
    Something is not clear here. Why does the F5 traffic interceptor re-encrypt the incoming traffic with RSA when sending to the switch? There is no precedent for using RSA for encrypting session traffic in a network scenario. I think you are implying that the trust domain that includes F5, IDS, Analytics etc. involves the use of an RSA private key, which possibly is used for another TLS session. (This point needs clarification in this video).

    • @pavel9652
      @pavel9652 4 years ago +1

      It is called a lightboard. Check the video intro, it is there in plain text ;) It is literally a transparent (glass) board in front of the speaker.

    • @HughJass-jv2lt
      @HughJass-jv2lt 3 years ago +1

      It's Not a "transparent whiteboard"...
      it's just a regular pane of glass (or similar plastic).
      Notice how he writes with his *LEFT* Hand.
      It ain't rocket science folks...
      🔥🔥

  • @dronomads
    @dronomads 6 years ago

    Greatly explained

  • @nournote
    @nournote 3 years ago +1

    Not quite clearly explained, I am afraid.