
GigaVUE H Series nodes support Secure Sockets Layer (SSL) decryption. SSL is a cryptographic protocol that adds security to TCP/IP communications such as Web browsing and email. The protocol allows the transmission of secure data between a server and client who both have the keys to decode the transmission and the certificates to verify trust between them. Out-of-band SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network.

SSL decryption is a pillar of the GigaSECURE Security Delivery Platform. For an overview of GigaSECURE, refer to the “GigaSECURE Security Delivery Platform” section in the GigaVUE-FM User’s Guide.

Configure Out-of-Band SSL Decryption Examples
The following sections provide examples of out-of-band SSL decryption. Refer to the following:

• Example 1: Out-of-Band SSL Decryption with a Regular Map
• Example 2: Out-of-Band SSL Decryption with De-Duplication
• Other Usage Examples
For details on the CLI commands used in the following sections, refer to apps ssl, gsparams, and gsop in the reference section.

Example 1: Out-of-Band SSL Decryption with a Regular Map
In Example 1, a regular map is configured to use with out-of-band SSL decryption.

  1. Upload a key and create a service. Refer to Working with Keys and Services on page 732.

(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
(config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443

  2. Configure a GigaSMART group.

(config) # gsgroup alias gsgrp1 port-list 1/1/e1

  3. Specify the GigaSMART group alias.

(config) # gsparams gsgroup gsgrp1

  4. Specify a failover action.

(config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop

  5. Configure session timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
(config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
(config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20

  6. Configure cache timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
(config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000

  7. Configure a key/service mapping, which defines how a key is assigned to the IP address of a server.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1

  8. Enable out-of-band SSL decryption.

(config gsparams gsgroup gsgrp1) # ssl-decrypt enable

  9. Exit the GigaSMART group configuration mode.

(config gsparams gsgroup gsgrp1) # exit
(config) #

  10. Configure a GigaSMART operation for out-of-band SSL decryption.

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1

In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.

Next, configure a traffic map, as follows:

  1. Specify a map alias (m1) and specify the map type and subtype.

(config) # map alias m1

(config map alias m1) # type regular byRule

  2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.

(config map alias m1) # use gsop gdssl1

  3. Specify a map rule.

(config map alias m1) # rule add pass ipver 4

  4. Specify the destination for packets matching this map.

(config map alias m1) # to 1/1/g2

  5. Specify the source port(s) for this map.

(config map alias m1) # from 1/1/g1

  6. Exit the map prefix mode.

(config map alias m1) # exit
(config) #

  7. Display the configuration.

(config) # show gsop
(config) # show map
(config) # show gsparams

Example 2: Out-of-Band SSL Decryption with De-Duplication
In Example 2, the configuration steps are the same, except that when you configure the GigaSMART operation you chain de-duplication after decryption, so the decrypted traffic is de-duplicated for additional filtering before it reaches the tools:

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1
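
The two examples above differ only in the gsop line. The following script, added here as an illustration and not Gigamon's own code, emits the whole CLI sequence for Example 1 and (with dedup=True) Example 2, after validating the arguments the page constrains: in-port must be any or a port number 1 to 65535, out-port auto or 1 to 65535, timeouts positive, and every key-map entry must reference a service and key that were defined earlier. All aliases, addresses and the key URL are placeholders taken from the examples.

```python
"""Emit the GigaVUE-OS CLI sequence for out-of-band SSL decryption.

Added example, not Gigamon code. Reproduces Example 1 (regular map) and,
with dedup=True, Example 2 (decryption chained with de-duplication), and
validates the arguments before emitting them.
"""
import ipaddress
from dataclasses import dataclass, field


def _port(value, name, wildcard):
    """Accept the wildcard ('any' for in-port, 'auto' for out-port) or a port 1-65535."""
    if value == wildcard:
        return value
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{name} must be '{wildcard}' or a number 1-65535") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{name} out of range: {port}")
    return str(port)


@dataclass
class OobSslDecrypt:
    keys: dict                  # key alias -> private-key download URL
    services: dict              # service alias -> (server IP, server port)
    key_map: dict               # service alias -> key alias
    gsgroup: str = "gsgrp1"
    engine_port: str = "1/1/e1"
    gsop: str = "gdssl1"
    in_port: str = "any"
    out_port: str = "auto"
    dedup: bool = False
    map_alias: str = "m1"
    from_port: str = "1/1/g1"
    to_port: str = "1/1/g2"
    timeouts: dict = field(default_factory=lambda: {   # seconds, as in Example 1
        "pending-session-timeout": 60,
        "session-timeout": 300,
        "tcp-syn-timeout": 20,
        "key-cache-timeout": 9000,
        "ticket-cache-timeout": 9000,
    })


def build_commands(cfg: OobSslDecrypt) -> list:
    """Return the CLI lines in the order the page's procedure issues them."""
    cmds = []
    # Step 1: upload keys and define the services they protect
    for alias, url in cfg.keys.items():
        cmds.append(f"apps ssl key alias {alias} download type private-key url {url}")
    for alias, (ip, port) in cfg.services.items():
        ipaddress.ip_address(ip)                      # raises ValueError on a bad address
        _port(port, f"service {alias} server-port", wildcard=None)
        cmds.append(f"apps ssl service alias {alias} server-ip {ip} server-port {port}")
    # Steps 2-9: GigaSMART group and its ssl-decrypt parameters
    cmds.append(f"gsgroup alias {cfg.gsgroup} port-list {cfg.engine_port}")
    cmds.append(f"gsparams gsgroup {cfg.gsgroup}")
    cmds.append("  ssl-decrypt decrypt-fail-action drop")
    for name, secs in cfg.timeouts.items():
        if not isinstance(secs, int) or secs <= 0:
            raise ValueError(f"{name} must be a positive number of seconds")
        cmds.append(f"  ssl-decrypt {name} {secs}")
    for service, key in cfg.key_map.items():
        if service not in cfg.services or key not in cfg.keys:
            raise ValueError(f"key-map {service}->{key} references an undefined service or key")
        cmds.append(f"  ssl-decrypt key-map add service {service} key {key}")
    cmds.append("  ssl-decrypt enable")
    cmds.append("  exit")
    # Step 10: the GigaSMART operation, with de-duplication chained in for Example 2
    gsop = (f"gsop alias {cfg.gsop} ssl-decrypt in-port {_port(cfg.in_port, 'in-port', 'any')} "
            f"out-port {_port(cfg.out_port, 'out-port', 'auto')}")
    if cfg.dedup:
        gsop += " dedup set"
    cmds.append(f"{gsop} port-list {cfg.gsgroup}")
    # Traffic map that applies the operation to IPv4 traffic from the network port
    cmds += [f"map alias {cfg.map_alias}", "  type regular byRule",
             f"  use gsop {cfg.gsop}", "  rule add pass ipver 4",
             f"  to {cfg.to_port}", f"  from {cfg.from_port}", "  exit"]
    return cmds


def example_config(dedup=False):
    """The values from Example 1; the key server URL is a placeholder."""
    return OobSslDecrypt(
        keys={"key1": "https://keyserver.example.com/path/keyfile.pem"},
        services={"service1": ("192.168.1.1", 443)},
        key_map={"service1": "key1"},
        dedup=dedup,
    )


if __name__ == "__main__":
    print("\n".join(build_commands(example_config(dedup=True))))
```

The validation matters more than the templating: a key-map that names an undefined service silently decrypts nothing, and an out-of-range port is rejected by the CLI only after the preceding steps have already been applied.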
Other Usage Examples
Two typical usage examples are as follows:

• Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
• Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.

https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/ssl-tls-decryption.html


SSL/TLS as a Potential Threat Vector

SSL/TLS encryption is rising as enterprises face more stringent security mandates, need to ensure optimal SEO rankings, deploy more workloads to the cloud and make wider use of software-as-a-service (SaaS) applications. In fact, over 90 percent of internet traffic around the globe is now encrypted.[1]

Unfortunately, encryption isn’t limited to well-meaning parties. Consider that over 2.8 Million cyber-attacks in 2018 were hidden in encrypted traffic.[2] Cybercriminals use encryption to conceal malware, hide command-and-control traffic and cloak the exfiltration of stolen data.

Given the amount of encrypted traffic, including with the latest TLS 1.3 cryptographic protocol, the threat vector it now poses and the importance of traffic inspection for a Zero Trust posture, you need a way to efficiently decrypt SSL traffic, share it with tools and then re-encrypt it.

What is SSL Decryption/TLS Decryption?

To protect vital data, businesses and other organizations implement Transport Layer Security (TLS), still commonly referred to by the name of its superseded predecessor, Secure Sockets Layer (SSL), to encrypt data as it is exchanged over IP networks. SSL/TLS creates a secure channel between the server and the end users’ computers or other devices as they exchange information over the internet.

TLS is an industry standard based on a system of trusted rules and certificates issued by certificate authorities and recognized by servers. SSL was replaced by the TLS standard in 2015. In 2018, TLS 1.3 was standardized which mandates the use of Perfect Forward Secrecy for maximum security. Up to 40 percent of large enterprises have already instituted this latest incarnation.[3]

While protecting data, encryption also blinds network security and application monitoring tools. The decryption of SSL/TLS traffic is crucial for these tools. However, it is extremely computationally intensive and can introduce network latency.

The best architecture minimizes the decryption required to inspect all relevant traffic while offering legal and privacy controls. The centralized approach to decrypting SSL offered by Gigamon, decrypt once and feed all tools, provides such an architecture.

GigaSMART Decryption

GigaSMART® SSL/TLS Decryption is a licensed application that enables information security, NetOps and application teams to obtain complete visibility into SSL/TLS traffic regardless of protocol or application, so that they can monitor application performance, analyze usage patterns and secure their networks against data breaches and threats that use encrypted communications. Gigamon supports both inline (man-in-the-middle) and passive (out-of-band) decryption of SSL/TLS, meeting the diverse needs of your organization. Gigamon supports the latest TLS 1.3.

  • SSL/TLS detection on any port or application
  • 10 Mb to 100Gb interface support
  • Decrypt once, share with any tools as many times as you need
  • Strong crypto support including Diffie-Hellman Ephemeral, Elliptic Curves, Poly1305/ChaCha20
  • Powerful controls over certificate validation, extending to Certificate Revocation Lists and the Online Certificate Status Protocol (OCSP)
  • Integration with the Venafi Trust Protection Platform™ to centralize key management and validation
  • Meet privacy and compliance requirements: includes support for URL categorization

Take advantage of our new bundled GigaSMART apps and stay secure!

Flexible Inline including iSSL (running configuration)

HC2 (config) # show running-config 

##
## Running database "initial"
## Generated at 2019/10/15 06:08:25 +0000
## Software version on which this output was taken: GigaVUE-OS 5.7.01 142718 2019-09-23 23:23:16
## Hostname: HC2
##
## Note: If you are not an admin user some command invocations may be omitted
## because you do not have permissions to see them.
##

##
## Network interface configuration
##
interface eth0
  no dhcp
  ip address 10.10.7.153 /24
  exit

##
## Network interface IPv6 configuration
##
interface eth0
  no ipv6 dhcp client enable
  exit

##
## Routing configuration
##
ip default-gateway 10.10.7.1 eth0

##
## Other IP configuration
##
hostname HC2
ip name-server 8.8.8.8

##
## Logging configuration
##
logging 10.10.100.91
logging 10.10.100.91 trap warning
logging 10.10.8.101
logging 10.10.8.101 trap warning

##
## Local user account configuration
##
username admin password 7 $1$XBdHVwxp$qYIP.qDwIMWaZHgYfeDjD0

##
## AAA remote server configuration
##
# ldap bind-password ********
# radius-server key ********
# tacacs-server key ********

##
## Chassis level configurations
##
chassis box-id 1 serial-num C109B type hc2 gdp disable

##
## Card level configurations
##
card slot 1/1  product-code 132-00BK
card slot 1/3  product-code 132-00BQ
card slot 1/5  product-code 132-00AT
card slot 1/cc1  product-code 132-00AN

##
## Port level configurations
##
port 1/1/x1 type network
port 1/1/x2 type network
port 1/1/x3 type network
port 1/1/x4 type network
port 1/1/x5 type network
port 1/1/x6 type network
port 1/1/x7 type network
port 1/1/x8 type network
port 1/1/x9 type network
port 1/1/x10 type network
port 1/1/x11 type inline-tool
port 1/1/x11 params admin enable
port 1/1/x12 type inline-tool
port 1/1/x12 params admin enable
port 1/1/x13 type inline-tool
port 1/1/x13 params admin enable
port 1/1/x14 type inline-tool
port 1/1/x14 params admin enable
port 1/1/x15 type inline-tool
port 1/1/x15 params admin enable
port 1/1/x16 type inline-tool
port 1/1/x16 params admin enable
port 1/3/x1 type network
port 1/3/x2 type network
port 1/3/x3 type network
port 1/3/x4 type network
port 1/3/x5 type network
port 1/3/x6 type network
port 1/3/x7 type network
port 1/3/x8 type network
port 1/3/x9 type network
port 1/3/x10 type network
port 1/3/x11 type network
port 1/3/x12 type network
port 1/3/x13 type network
port 1/3/x14 type network
port 1/3/x15 type network
port 1/3/x16 type network
port 1/3/x17 type inline-net
port 1/3/x18 type inline-net
port 1/3/x19 type inline-net
port 1/3/x20 type inline-net
port 1/3/x21 type inline-net
port 1/3/x22 type inline-net
port 1/3/x23 type inline-net
port 1/3/x24 type inline-net

##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default

##
## Apps SSL configuration
##
apps inline-ssl profile alias FmAuto-sslProfile-iSSL-Profile-80a3ca9c-8a17-4957-9af0-ce3dddddfe07
  certificate expired drop
  certificate invalid drop
  certificate revocation crl disable
  certificate revocation ocsp disable
  certificate self-signed drop
  certificate unknown-ca drop
  decrypt tcp inactive-timeout 5
  decrypt tcp portmap default-out-port disable
  decrypt tool-bypass disable
  default-action decrypt
  ha active-standby disable
  monitor disable
  network-group multiple-entry disable
  no-decrypt tool-bypass disable
  non-ssl-tcp tool-bypass disable
  tcp delayed-ack disable
  tcp syn-retries 3
  tool fail-action bypass-tool
  url-cache miss action decrypt
  exit
apps inline-ssl signing for primary key isd

##
## Gsgroup configurations
##
gsgroup alias GS1 port-list 1/1/e1

##
## Gs params configurations
##
gsparams gsgroup GS1
  cpu utilization type total rising 80
  dedup-action drop
  dedup-ip-tclass include
  dedup-ip-tos include
  dedup-tcp-seq include
  dedup-timer 50000
  dedup-vlan ignore
  diameter-packet timeout 2
  diameter-s6a-session limit 10000
  diameter-s6a-session timeout 30
  eng-watchdog-timer 60
  erspan3-timestamp format none
  flow-mask disable
  flow-sampling-rate 5
  flow-sampling-timeout 1
  flow-sampling-type device-ip
  generic-session-timeout 5
  gtp-control-sample enable
  gtp-flow timeout 48
  gtp-persistence disable
  gtp-persistence file-age-timeout 30
  gtp-persistence interval 10
  gtp-persistence restart-age-time 30
  gtp-randomsample disable
  gtp-randomsample interval 12
  ip-frag forward enable
  ip-frag frag-timeout 10
  ip-frag head-session-timeout 30
  lb failover disable
  lb failover-thres lt-bw 80
  lb failover-thres lt-pkt-rate 1000
  lb replicate-gtp-c disable
  lb use-link-spd-wt disable
  node-role disable
  resource buffer-asf disable
  resource cpu overload-threshold 90
  resource hsm-ssl buffer disable
  resource hsm-ssl packet-buffer 1000
  resource inline-ssl standalone enable
  resource metadata disable
  resource packet-buffer overload-threshold 80
  resource xpkt-pmatch num-flows 0
  session logging level none
  sip-media timeout 30
  sip-nat disable
  sip-session timeout 30
  sip-tcp-idle-timeout 20
  ssl-decrypt decrypt-fail-action drop
  ssl-decrypt enable
  ssl-decrypt hsm-pkcs11 dynamic-object enable
  ssl-decrypt hsm-pkcs11 load-sharing enable
  ssl-decrypt hsm-timeout 1000
  ssl-decrypt key-cache-timeout 10800
  ssl-decrypt non-ssl-traffic drop
  ssl-decrypt pending-session-timeout 60
  ssl-decrypt session-timeout 300
  ssl-decrypt tcp-syn-timeout 20
  ssl-decrypt ticket-cache-timeout 10800
  tunnel-health-check action pass
  tunnel-health-check disable
  tunnel-health-check dstport 54321
  tunnel-health-check interval 600
  tunnel-health-check protocol icmp
  tunnel-health-check rcvport 54321
  tunnel-health-check retries 5
  tunnel-health-check roundtriptime 1
  tunnel-health-check srcport 54321
  xpkt-pmatch disable
  exit

##
## Gsop configurations
##
gsop alias FmAuto-gsop-iSSL-Profile-c1753004-4ca0-4fea-8a13-457fc6a8fda0 inline-ssl FmAuto-sslProfile-iSSL-Profile-80a3ca9c-8a17-4957-9af0-ce3dddddfe07 port-list GS1

##
## Vport configurations
##
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a gsgroup GS1
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a failover-action vport-bypass
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a outer-traffic-path to-inline-tool
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a inner-traffic-path to-inline-tool
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a deferred-binding disable
vport alias FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a mmon disable
vport alias VP1 gsgroup GS1
vport alias VP1 failover-action vport-bypass
vport alias VP1 outer-traffic-path to-inline-tool
vport alias VP1 inner-traffic-path to-inline-tool
vport alias VP1 deferred-binding disable
vport alias VP1 mmon disable

##
## Inline-network configurations
##
inline-network alias default_inline_net_1_3_1
  pair net-a 1/3/x17 and net-b 1/3/x18
  physical-bypass enable
  traffic-path to-inline-tool
  exit
inline-network alias default_inline_net_1_3_2
  pair net-a 1/3/x19 and net-b 1/3/x20
  physical-bypass enable
  traffic-path bypass
  exit
inline-network alias default_inline_net_1_3_3
  pair net-a 1/3/x21 and net-b 1/3/x22
  physical-bypass enable
  traffic-path bypass
  exit
inline-network alias default_inline_net_1_3_4
  pair net-a 1/3/x23 and net-b 1/3/x24
  physical-bypass enable
  traffic-path bypass
  exit

##
## Inline-tool configurations
##
inline-tool alias iT1
  pair tool-a 1/1/x11 and tool-b 1/1/x12
  enable
  heart-beat
  shared true
  exit
inline-tool alias iT2
  pair tool-a 1/1/x13 and tool-b 1/1/x14
  enable
  heart-beat
  shared true
  exit
inline-tool alias iT3
  pair tool-a 1/1/x15 and tool-b 1/1/x16
  enable
  heart-beat
  shared true
  exit

##
## Traffic map connection configurations
##
map alias FmAuto-HTTPSnIPS_default_inline_net_1-29a24262-3875-4025-8763-f7408995c40f
  type flexinline byRule
  roles replace admin to owner_roles
  comment "CREATED BY GIGAVUE-FM. DO NOT MODIFY OR DELETE, processed map: HTTPSnIPS_default_inline_net_1_3_1 "
  rule add pass portdst 443 bidir
  from default_inline_net_1_3_1
  a-to-b FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a
  b-to-a FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a
  tag 3412
  exit
map alias FmAuto-HTTPnIPS_default_inline_net_1_-cf4a9653-0055-41a3-9618-71661ed81ae8
  type flexinline byRule
  roles replace admin to owner_roles
  comment "CREATED BY GIGAVUE-FM. DO NOT MODIFY OR DELETE, processed map: HTTPnIPS_default_inline_net_1_3_1 "
  rule add pass portdst 80 bidir
  from default_inline_net_1_3_1
  a-to-b iT1,iT2
  b-to-a reverse
  exit
map alias FmAuto-iSSL-Profile-proxyMap-a226be2f-1843-48bf-bbe6-72a84a602f14
  type flexinline collector
  roles replace admin to owner_roles
  comment "CREATED BY GIGAVUE-FM. DO NOT MODIFY OR DELETE, processed map: iSSL-Profile-proxyMap "
  use gsop FmAuto-gsop-iSSL-Profile-c1753004-4ca0-4fea-8a13-457fc6a8fda0
  from FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a
  a-to-b iT1,iT2
  b-to-a iT2,iT1
  tag 4000
  exit
map alias FmAuto-HTTPSnIPS_default_inline_net_1-3a8fac51-d8df-46d0-b9c9-b14512e418ab
  type flexinline network-end
  roles replace admin to owner_roles
  comment "CREATED BY GIGAVUE-FM. DO NOT MODIFY OR DELETE, processed map: HTTPSnIPS_default_inline_net_1_3_1-non-proxy "
  from FmAuto-vport-iSSL-Profile-5103a09b-deac-40c1-bd6c-a0ad12094d8a vlan 3412
  a-to-b iT1,iT2
  b-to-a iT2,iT1
  tag 183
  exit
map alias FmAuto-Collector_default_inline_net_1-9300245f-6b21-44d5-9c8e-d46a3b23139b
  type flexinline collector
  roles replace admin to owner_roles
  comment "CREATED BY GIGAVUE-FM. DO NOT MODIFY OR DELETE, processed map: Collector_default_inline_net_1_3_1 "
  from default_inline_net_1_3_1
  a-to-b iT3
  b-to-a reverse
  exit

##
## Notifications
##
# notifications target host 10.10.100.91 port 5672 non-secure username admin password ****** 
# notifications target host 10.10.8.101 port 5672 non-secure username admin password ****** 

##
## SNMP configuration
##
no snmp-server host 10.10.100.91 disable
snmp-server host 10.10.100.91 traps port 162 version 2c public
no snmp-server host 10.10.8.101 disable
snmp-server host 10.10.8.101 traps port 162 version 2c public
snmp-server throttle event linkspeedstatuschange interval 60 report-threshold 1
snmp-server throttle event packetdrop interval 60 report-threshold 1
snmp-server throttle event rxtxerror interval 60 report-threshold 1
snmp-server traps event fanchange
snmp-server traps event ibstatechange
no snmp-server traps event inlinetoolrecovery
snmp-server traps event linkspeedstatuschange
snmp-server traps event modulechange
snmp-server traps event powerchange
no snmp-server traps event process-cpu-threshold
no snmp-server traps event process-mem-threshold
no snmp-server traps event system-cpu-threshold
no snmp-server traps event system-mem-threshold

##
## X.509 certificates configuration
##
#
# Certificate name system-self-signed, ID 8a7fefc616114b7c23fa68c02d0b3d01d32190bd
# (public-cert config omitted since private-key config is hidden)


##
## Web configuration
##
# web proxy auth basic password ********

##
## E-mail configuration
##
# email auth password ********
# email autosupport auth password ********

HC2 (config) # 
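
A configuration export like the one above is where a reviewer looks for weak settings before the node goes into service. The script below is an added example, not Gigamon code; it parses the two-space-indented block layout of a GigaVUE-OS running-config and reports the points worth questioning in this dump: the inline-ssl profile has CRL and OCSP revocation checking disabled, the SNMP trap hosts use SNMPv2c with the community string public, and a local account hash is present in the export. It also confirms that ssl-decrypt is configured to drop on decryption failure and to drop non-SSL traffic. The embedded sample is a constructed excerpt modelled on the dump above, with the password hash replaced by a placeholder.

```python
"""Audit a GigaVUE-OS 'show running-config' export for questionable settings.

Added example, not Gigamon code. SAMPLE_CONFIG is a constructed excerpt of
the dump on this page; the password hash is a placeholder.
"""
import re

SAMPLE_CONFIG = """\
##
## Local user account configuration
##
username admin password 7 $1$saltsalt$PLACEHOLDER-HASH

apps inline-ssl profile alias iSSL-Profile
  certificate expired drop
  certificate invalid drop
  certificate revocation crl disable
  certificate revocation ocsp disable
  certificate self-signed drop
  certificate unknown-ca drop
  default-action decrypt
  exit

gsparams gsgroup GS1
  ssl-decrypt decrypt-fail-action drop
  ssl-decrypt enable
  ssl-decrypt non-ssl-traffic drop
  exit

no snmp-server host 10.10.100.91 disable
snmp-server host 10.10.100.91 traps port 162 version 2c public
snmp-server host 10.10.8.101 traps port 162 version 2c public
"""

SNMP_HOST = re.compile(r"snmp-server host (\S+) traps .*version (1|2c) (\S+)")
LOCAL_USER = re.compile(r"username (\S+) password 7 (\$1\$\S+)")
CERT_ACTION = re.compile(r"certificate (expired|invalid|self-signed|unknown-ca) (\S+)")
CERT_REVOCATION = re.compile(r"certificate revocation (crl|ocsp) disable")


def parse_blocks(text):
    """Group the export into {top-level line: [indented body lines]}.

    GigaVUE-OS indents a block body by two spaces and closes it with 'exit';
    lines starting with '#' are section comments or redacted secrets.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None and raw.strip() != "exit":
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(text):
    """Return human-readable findings for the given running-config text."""
    findings = []
    for header, body in parse_blocks(text).items():
        if header.startswith("apps inline-ssl profile alias "):
            alias = header.split()[-1]
            for line in body:
                m = CERT_REVOCATION.fullmatch(line)
                if m:
                    findings.append(f"{alias}: {m.group(1).upper()} revocation checking is disabled")
                    continue
                m = CERT_ACTION.fullmatch(line)
                if m and m.group(2) != "drop":
                    findings.append(f"{alias}: {m.group(1)} certificates are not dropped (action {m.group(2)})")
        elif header.startswith("gsparams gsgroup "):
            group = header.split()[-1]
            if "ssl-decrypt enable" in body:
                if "ssl-decrypt decrypt-fail-action drop" not in body:
                    findings.append(f"{group}: ssl-decrypt is enabled but decryption failures are not dropped")
                if "ssl-decrypt non-ssl-traffic drop" not in body:
                    findings.append(f"{group}: non-SSL traffic is not dropped by ssl-decrypt")
        else:
            m = SNMP_HOST.match(header)
            if m:
                host, version, community = m.groups()
                note = f"snmp-server host {host}: SNMPv{version} community '{community}' is sent in cleartext"
                if community in ("public", "private"):
                    note += " and is a well-known default"
                findings.append(note)
                continue
            m = LOCAL_USER.match(header)
            if m:
                findings.append(f"local account '{m.group(1)}': MD5-crypt ($1$) hash is present in the export")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the real export by reading the file instead of SAMPLE_CONFIG; the parser keys blocks by their full header line, so repeated headers such as the two interface eth0 blocks are merged, which is harmless for these checks.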

Passive SSL Decryption

SSL Decryption - CLI

# gsgroup alias GS5 port-list 1/5/e1
# gsparams gsgroup GS5
    # ssl-decrypt decrypt-fail-action drop
    # ssl-decrypt enable
    # ssl-decrypt key-map add service Svr3-443 key dc2s3web
    # exit
# gsop alias DecryptSSL ssl-decrypt in-port any out-port auto port-list GS5
# map alias SSL-example
    # use gsop DecryptSSL
    # rule add pass ipdst 192.168.1.3/24 bidir
    # rule add pass portdst 443 bidir
    # to 1/1/x5
    # from 1/1/x1
    # exit
