쫑콩아빠의 지금 이 순간...

GigaVUE H Series nodes support Secure Sockets Layer (SSL) decryption. SSL is a cryptographic protocol that adds security to TCP/IP communications such as Web browsing and email. The protocol allows the transmission of secure data between a server and client who both have the keys to decode the transmission and the certificates to verify trust between them. Out-of-band SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network.

SSL decryption is a pillar of the GigaSECURE Security Delivery Platform. For an overview of GigaSECURE, refer to the “GigaSECURE Security Delivery Platform” section in the GigaVUE-FM User’s Guide.

Configure Out-of-Band SSL Decryption Examples
The following sections provide examples of out-of-band SSL decryption. Refer to the following:

• Example 1: Out-of-Band SSL Decryption with a Regular Map
• Example 2: Out-of-Band SSL Decryption with De-Duplication
• Other Usage Examples
For details on the CLI commands used in the following sections, refer to apps ssl, gsparams, and gsop in the reference section.

Example 1: Out-of-Band SSL Decryption with a Regular Map
In Example 1, a regular map is configured to use with out-of-band SSL decryption.

Step

Description

Command

1. Upload a key and create a service. Refer to Working with Keys and Services on page 732.

(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
(config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443

2. Configure a GigaSMART group.

(config) # gsgroup alias gsgrp1 port-list 1/1/e1

3. Specify the GigaSMART group alias.

(config) # gsparams gsgroup gsgrp1

4. Specify a failover action.

(config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop

5. Configure session timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
(config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
(config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20

6. Configure cache timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
(config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000

7. Configure a key/service mapping that maps how a key is assigned to an IP address of a server.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1

8. Enable out-of-band SSL decryption.

(config gsparams gsgroup gsgrp1) # ssl-decrypt enable

9. Exit the GigaSMART group configuration mode.

(config gsparams gsgroup gsgrp1) # exit
(config) #

10. Configure a GigaSMART operation for out-of-band SSL decryption.

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1

In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.

Next, configure a traffic map, as follows:

Step

Description

Command

1. Specify a map alias (m1) and specify the map type and subtype.

(config) # map alias m1

(config map alias m1) # type regular byRule

2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.

(config map alias m1) # use gsop gdssl1

3. Specify a map rule.

(config map alias m1) # rule add pass ipver 4

4. Specify the destination for packets matching this map.

(config map alias m1) # to 1/1/g2

5. Specify the source port(s) for this map.

(config map alias m1) # from 1/1/g1

6. Exit the map prefix mode.

(config map alias m1) # exit
(config) #

7. Display the configuration.

(config) # show gsop
(config) # show map
(config) # show gsparams

Example 2: Out-of-Band SSL Decryption with De-Duplication
In Example 2, the configuration steps are the same except when you configure a GigaSMART operation you send the decrypted traffic to de-duplication for additional filtering, as follows:

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1
Other Usage Examples
Two typical usage examples are as follows:

• Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
• Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.

Example 7—Protected Flexible Inline, Out-of-Band Copy

Example 7 demonstrates a flexible inline map with OOB copy configuration as follows:

• an example of the source as a protected inline network and the destination as a hybrid port
• an example of the source as a tool member in the a-to-b list and the destination as a regular tool port
• an example of the source as a tool member in the a-to-b list and the destination as a GigaStream
Use the following steps to configure Example 7:

 

Step

Description

Command

1.    
Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 1/3/x1..x4 type inline-tool
(config) # port 1/3/x1..x4 params admin enable

2.  
Configure inline tools, specify that the inline tool is going to be shared by different sources, specify heart-beat, and enable inline tools.

(config) # inline-tool alias it1 pair tool-a 1/3/x1 and tool-b 1/3/x2
(config) # inline-tool alias it1 shared true
(config) # inline-tool alias it1 heart-beat
(config) # inline-tool alias it1 enable

(config) # inline-tool alias it2 pair tool-a 1/3/x3 and tool-b 1/3/x4
(config) # inline-tool alias it2 shared true
(config) # inline-tool alias it2 heart-beat
(config) # inline-tool alias it2 enable

3.  
Configure hybrid port, port type (hybrid), and administratively enable hybrid port. The flexible inline map will configure out-of-band (OOB) traffic to this hybrid port.

(config) # port 1/3/x19 type hybrid
(config) # port 1/3/x19 params admin enable

4.  
Configure regular tool ports, port type (tool), and administratively enable tool ports. The flexible inline map will configure out-of-band (OOB) traffic to a regular tool port. Two other tool ports will be used in a GigaStream.

(config) # port 1/3/x20..x22 type tool
(config) # port 1/3/x20..x22 params admin enable

5.  
Create a GigaStream using two of the regular tool ports.

(config) # gigastream alias gs1 port-list 1/3/x21,1/3/x22

6.  
Configure the flexible inline map from the default inline network to inline tools in both directions, specify a rule, and a user-defined tag. Then configure out-of-band traffic as follows:

• from a protected inline network to a hybrid port using the same VLAN tag as the flexible inline map
• from the first tool member in the a-to-b list to a regular tool port without a VLAN tag. The tag can be configured to none, because traffic goes to a different destination, it1.
• from the second tool member in the a-to-b list to a GigaStream using the same VLAN tag as the flexible inline map
Finally, enable the map.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline byRule
(config map alias FLEX1) # from default_inline_net_1_4_1
(config map alias FLEX1) # rule add pass vlan 500
(config map alias FLEX1) # a-to-b it1,it2
(config map alias FLEX1) # b-to-a same
(config map alias FLEX1) # tag 11
(config map alias FLEX1) # oob-copy from default_inline_net_1_4_1 to 1/3/x19 tag as-inline
(config map alias FLEX1) # oob-copy from it1 to 1/3/x20 tag none
(config map alias FLEX1) # oob-copy from it2 to gs1 tag as-inline
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

7.  
Configure the path of the traffic to inline tools.

(config) # inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool

8.  
Disable physical bypass on the default inline network.

(config) # inline-network alias default_inline_net_1_4_1 physical-bypass disable