Risks associated with DPI-SSL exclusion list

What kind of certificate 'failures' are deemed low-risk? I'm certainly not a security expert but it seems there are basically 3 categories of CA failures: (1) bad/missing/expired CA from a legitimate site, (2) CA failure due to SSL Pinning (preventing MITM inspection) from a legitimate site, and (3) bad/missing/expired CA or SSL pinning from a malicious site. It seems reasonable to consider bypassing DPI-SSL for category (2), and possibly (1), especially if we need to "do business" with that particular site.

When we add a URL to the DPI-SSL exclusion list, we're basically saying, "we know there are going to be certificate issues with this site, so we just won't do the DPI on encrypted traffic" - potentially giving a malicious site easy opportunity to drop a malicious payload from an encrypted stream.

Of course, the low-risk path is to not bypass a site with certificate issues. But with browsers now enforcing encrypted connections, legitimate sites that didn't bother with certs before are now getting their affairs in order, and the major sites are also doing SSL pinning, to eliminate the possibility of MITM inspection. Once "most" of the Web is serving up encrypted traffic, and even doing SSL pinning, what power will advanced firewalls have in that situation? (This is more of a philosophical question than technical - maybe?)

So for the near term, for legitimate sites that are (or expected to be) doing SSL pinning, what do we look for in the CA failure message? Is it failure in the initial handshake? Similarly for possible "bad guy" sites, what are the certificate failures that might be a red flag to not add to the DPI bypass list? TIA!

Category: Firewall Security Services

Best Answer

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    Yes and no.

    A UTM would NOT be able to use its DPI-SSL and security engines to investigate that traffic in the instance mentioned. BUT having DPI-SSL enforced would cause the connection to DROP because the UTM wouldn't be able to complete the handshake due to the SSL pinning.

    So technically it's performing the preferred action (drop the traffic), but not because it's inspecting the traffic with its security services.


  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    You are approaching GRC concepts which are generally outside the topic of conversation here.

    Risk factors are determined by the organization, not by a standards body or government group (not even NIST CSF). So answers to these questions are up to the Security / Compliance officer of the company.

    Business agreements should include some kind of protection required by those partner organizations (you'll see this with F500 / larger companies). Trusted SaaS's should have some kind of protection utilized (think Defender for O365). If you must bypass DPISSL for traffic to / from your partners then the risk is low.

    UTM firewalls will still have power in that environment because of their ability to inspect traffic for the UNKNOWNS. Malware groups will use legitimate SSL certs for distribution. Without DPI-SSL & GAV / GAS & Content Filtering the risk goes up.

    If you haven't read:

    Initial handshake messages aren't always indicative of something that should be bypassed. Unfortunately most of my DPI-SSL troubleshooting has come down to trial and error.

  • krskrs Newbie ✭
    Thanks for the input. Yes, something is better than nothing. Just weighing the administrative overhead of remaining vigilant.
  • krskrs Newbie ✭

    So I think the question still stands - if a malicious site has a legit CA and is doing SSL pinning, can these sophisticated firewalls do anything to prevent 'bad things' from happening?
