
Gigamon-HC1 (config) # show running-config
##
## Running database "initial"
## Generated at 2023/03/09 22:37:25 +0000
## Software version on which this output was taken: GigaVUE-OS 5.13.03.04 347192 2022-08-29 17:34:04
## Hostname: Gigamon-HC1
##
## Note: If you are not an admin user some command invocations may be omitted
## because you do not have permissions to see them.
##
##
## Network interface configuration
##
interface eth0
  no dhcp
  ip address 10.10.10.125 /24
  exit
##
## Routing configuration
##
ip default-gateway 10.10.10.254 eth0
##
## Other IP configuration
##
hostname Gigamon-HC1
ip name-server 8.8.8.8
##
## Local user account configuration
##
username admin password 7 $1$Awce0nPW$l7aLonymvDzWfArYQcLAs.
##
## AAA remote server configuration
##
# ldap bind-password ********
# radius-server shared-secret ********
# tacacs-server shared-secret ********
##
## Chassis level configurations
##
chassis box-id 1 serial-num H013C type hc1 gdp disable
##
## Card level configurations
##
card slot 1/1 product-code 132-00D7
card slot 1/2 product-code 132-00D9
card slot 1/3 product-code 132-00D8
card slot 1/cc1 product-code 132-00D6
##
## Port level configurations
##
port 1/1/g1 type network
port 1/1/g2 type network
port 1/1/g3 type network
port 1/1/g4 type network
port 1/1/x1 type inline-tool
port 1/1/x1 params admin enable
port 1/1/x2 type inline-tool
port 1/1/x2 params admin enable
port 1/1/x3 type inline-tool
port 1/1/x3 params admin enable
port 1/1/x4 type inline-tool
port 1/1/x4 params admin enable
port 1/1/x5 type inline-tool
port 1/1/x5 params admin enable
port 1/1/x6 type inline-tool
port 1/1/x6 params admin enable
port 1/1/x7 type inline-tool
port 1/1/x7 params admin enable
port 1/1/x8 type inline-tool
port 1/1/x8 params admin enable
port 1/1/x9 type network
port 1/1/x10 type network
port 1/1/x11 type network
port 1/1/x12 type network
port 1/2/x1 type network
port 1/2/x2 type network
port 1/2/x3 type network
port 1/2/x4 type network
port 1/2/x5 type inline-net
port 1/2/x5 params admin enable speed 1000
port 1/2/x6 type inline-net
port 1/2/x6 params admin enable speed 1000
port 1/2/x7 type inline-net
port 1/2/x7 params admin enable speed 1000
port 1/2/x8 type inline-net
port 1/2/x8 params admin enable speed 1000
port 1/3/g1 type network
port 1/3/g1 params taptx passive
port 1/3/g2 type network
port 1/3/g2 params taptx passive
port 1/3/g3 type network
port 1/3/g3 params taptx passive
port 1/3/g4 type network
port 1/3/g4 params taptx passive
port 1/3/g5 type network
port 1/3/g5 params taptx passive
port 1/3/g6 type network
port 1/3/g6 params taptx passive
port 1/3/g7 type network
port 1/3/g7 params taptx passive
port 1/3/g8 type network
port 1/3/g8 params taptx passive
##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default
##
## Apps SSL configuration
##
apps inline-ssl profile alias iSSL-Profile
  certificate expired drop
  certificate invalid drop
  certificate revocation crl disable
  certificate revocation ocsp disable
  certificate self-signed drop
  certificate unknown-ca drop
  decrypt tcp inactive-timeout 5
  decrypt tcp portmap default-out-port disable
  decrypt tool-bypass disable
  default-action decrypt
  ha active-standby disable
  monitor inline
  network-group multiple-entry disable
  no-decrypt tool-bypass disable
  non-ssl-tcp tool-bypass disable
  one-arm disable
  ria disable
  split-proxy disable
  split-proxy server non-pfs-ciphers disable
  tcp delayed-ack disable
  tcp syn-retries 3
  tool early-engage disable
  tool fail-action bypass-tool
  url-cache miss action no-decrypt
  exit
apps inline-ssl signing for primary key ucontech
##
## Gsgroup configurations
##
gsgroup alias iSSL-GS port-list 1/1/e1 hash advanced
##
## Gs params configurations
##
gsparams gsgroup iSSL-GS
  3gpp-node-role disable
  5g-flow timeout 48
  apptcp-lb application broadcast
  apptcp-lb control broadcast
  apptcp-lb disable
  cpu utilization type total rising 80
  dedup-action drop
  dedup-ip-tclass include
  dedup-ip-tos include
  dedup-tcp-seq include
  dedup-timer 50000
  dedup-vlan ignore
  diameter-packet timeout 2
  diameter-s6a-session limit 10000
  diameter-s6a-session timeout 30
  eng-watchdog-timer 60
  erspan3-timestamp format none
  flow-mask disable
  flow-sampling-rate 5
  flow-sampling-timeout 1
  flow-sampling-type device-ip
  generic-session-timeout 5
  gtp-control-sample enable
  gtp-flow timeout 48
  gtp-persistence disable
  gtp-persistence file-age-timeout 30
  gtp-persistence interval 10
  gtp-persistence restart-age-time 30
  gtp-randomsample disable
  gtp-randomsample interval 12
  ip-frag forward enable
  ip-frag frag-timeout 10
  ip-frag head-session-timeout 30
  lb failover disable
  lb failover-thres lt-bw 80
  lb failover-thres lt-pkt-rate 1000
  lb replicate-gtp-c disable
  lb use-link-spd-wt disable
  mobility-sam disable
  resource buffer-asf disable
  resource cpu overload-threshold 90
  resource hsm-ssl buffer disable
  resource hsm-ssl packet-buffer 1000
  resource inline-ssl standalone enable
  resource metadata disable
  resource packet-buffer overload-threshold 80
  resource xpkt-pmatch num-flows 0
  session logging level none
  sip-media timeout 30
  sip-nat disable
  sip-session timeout 30
  sip-tcp-idle-timeout 20
  ssl-decrypt decrypt-fail-action drop
  ssl-decrypt enable
  ssl-decrypt hsm-pkcs11 dynamic-object enable
  ssl-decrypt hsm-pkcs11 load-sharing enable
  ssl-decrypt hsm-timeout 1000
  ssl-decrypt key-cache-timeout 10800
  ssl-decrypt non-ssl-traffic drop
  ssl-decrypt pending-session-timeout 60
  ssl-decrypt session-timeout 300
  ssl-decrypt tcp-syn-timeout 20
  ssl-decrypt ticket-cache-timeout 10800
  tunnel-health-check action pass
  tunnel-health-check disable
  tunnel-health-check dstport 54321
  tunnel-health-check interval 600
  tunnel-health-check protocol icmp
  tunnel-health-check rcvport 54321
  tunnel-health-check retries 5
  tunnel-health-check roundtriptime 1
  tunnel-health-check srcport 54321
  xpkt-pmatch disable
  exit
##
## Gsop configurations
##
gsop alias iSSL-GSOP inline-ssl iSSL-Profile port-list iSSL-GS
##
## Vport configurations
##
vport alias VP1 gsgroup iSSL-GS
vport alias VP1 failover-action vport-bypass
vport alias VP1 outer-traffic-path to-inline-tool
vport alias VP1 inner-traffic-path to-inline-tool
vport alias VP1 deferred-binding disable
vport alias VP1 mmon disable
vport alias VP1 insight-sensor disable
vport alias VP2 gsgroup iSSL-GS
vport alias VP2 failover-action vport-bypass
vport alias VP2 outer-traffic-path to-inline-tool
vport alias VP2 inner-traffic-path to-inline-tool
vport alias VP2 deferred-binding disable
vport alias VP2 mmon disable
vport alias VP2 insight-sensor disable
##
## Inline-network configurations
##
inline-network alias default_inline_net_1_2_1
  pair net-a 1/2/x5 and net-b 1/2/x6
  physical-bypass disable
  traffic-path to-inline-tool
  exit
inline-network alias default_inline_net_1_2_2
  pair net-a 1/2/x7 and net-b 1/2/x8
  physical-bypass disable
  traffic-path to-inline-tool
  exit
##
## Inline-tool configurations
##
inline-tool alias DEC1
  pair tool-a 1/1/x1 and tool-b 1/1/x2
  enable
  exit
inline-tool alias DEC2
  pair tool-a 1/1/x5 and tool-b 1/1/x6
  enable
  exit
inline-tool alias ENC1
  pair tool-a 1/1/x3 and tool-b 1/1/x4
  enable
  exit
inline-tool alias ENC2
  pair tool-a 1/1/x7 and tool-b 1/1/x8
  enable
  exit
##
## Traffic map connection configurations
##
map alias map11
  roles replace admin to owner_roles
  rule add pass portdst 443 bidir
  to VP1
  from default_inline_net_1_2_1
  exit
map alias map21
  roles replace admin to owner_roles
  rule add pass portdst 443 bidir
  to VP2
  from default_inline_net_1_2_2
  exit
map alias map12
  roles replace admin to owner_roles
  use gsop iSSL-GSOP
  to DEC1
  from VP1
  exit
map alias map22
  roles replace admin to owner_roles
  use gsop iSSL-GSOP
  to DEC2
  from VP2
  exit
map-scollector alias map33
  roles replace admin to owner_roles
  from default_inline_net_1_2_2
  collector ENC2
  exit
map-scollector alias map13
  roles replace admin to owner_roles
  from default_inline_net_1_2_1
  collector ENC1
  exit
##
## X.509 certificates configuration
##
#
# Certificate name system-self-signed, ID 6e7c2be346db77d241a438646adbe073ff1e1ab8
# (public-cert config omitted since private-key config is hidden)
##
## Web configuration
##
# web proxy auth basic password ********
##
## E-mail configuration
##
# email auth password ********
# email autosupport auth password ********
Gigamon-HC1 (config) #
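The inline-ssl profile and vport settings above decide what happens when revocation checks are off or when the decryption engine or inline tool fails. The following audit script is an added example, not code from the page or from Gigamon: it parses the block-structured GigaVUE-OS running-config (top-level command followed by indented sub-commands up to `exit`) and flags the settings a reviewer would question; the sample excerpt and the `$1$` hash in it are constructed, and the risk labels are the editor's reading of the settings, not Gigamon documentation.

```python
import re
# Constructed excerpt in the GigaVUE-OS format shown above; hash is a placeholder.
SAMPLE_CONFIG = """\
username admin password 7 $1$saltsalt$PLACEHOLDERHASHPLACEHOLDER
apps inline-ssl profile alias iSSL-Profile
  certificate revocation crl disable
  certificate revocation ocsp disable
  tool fail-action bypass-tool
  exit
vport alias VP1 failover-action vport-bypass
"""

def parse_blocks(text):
    """Map each top-level command to its indented sub-commands (up to 'exit')."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or '#' comment
        if raw.startswith(" "):
            cmd = raw.strip()
            if cmd != "exit" and current is not None:
                blocks[current].append(cmd)
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

BLOCK_CHECKS = [  # (top-level prefix, sub-command, finding) inside indented blocks
    ("apps inline-ssl profile", "certificate revocation crl disable",
     "CRL checking disabled: revoked server certificates are accepted"),
    ("apps inline-ssl profile", "certificate revocation ocsp disable",
     "OCSP checking disabled: revoked server certificates are accepted"),
    ("apps inline-ssl profile", "tool fail-action bypass-tool",
     "inline tool failure fails open: traffic skips the decrypting tool"),
]

def audit(text):
    """Return one finding string per risky setting, in config order."""
    findings = []
    for header, subs in parse_blocks(text).items():
        m = re.match(r"username (\S+) password 7 (\$\d\$)", header)
        if m and m.group(2) == "$1$":  # md5crypt: fast to brute-force offline
            findings.append(f"{m.group(1)}: md5crypt ($1$) password hash")
        if header.startswith("vport alias") and "failover-action vport-bypass" in header:
            findings.append(f"{header.split()[2]}: passes traffic undecrypted on GigaSMART failure (vport-bypass)")
        for prefix, sub, msg in BLOCK_CHECKS:
            if header.startswith(prefix) and sub in subs:
                findings.append(f"{header.split()[-1]}: {msg}")
    return findings
```

Run `audit()` over the full dump above to get one line per finding; a profile with `certificate revocation crl enable` and a `vport-drop` failover action produces none.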


SSL/TLS Decryption | Gigamon
https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/ssl-tls-decryption.html

SSL/TLS as a Potential Threat Vector

SSL/TLS encryption is rising as enterprises face more stringent security mandates, need to ensure optimal SEO rankings, deploy more workloads to the cloud and make wider use of software-as-a-service (SaaS) applications. In fact, over 90 percent of internet traffic around the globe is now encrypted.[1]

Unfortunately, encryption isn’t limited to well-meaning parties. Consider that over 2.8 Million cyber-attacks in 2018 were hidden in encrypted traffic.[2] Cybercriminals use encryption to conceal malware, hide command-and-control traffic and cloak the exfiltration of stolen data.

Given the amount of encrypted traffic, including with the latest TLS 1.3 cryptographic protocol, the threat vector it now poses and the importance of traffic inspection for a Zero Trust Posture, you need a way to efficiently decrypt SSL traffic, share it with tools and then re-encrypt it.

What is SSL Decryption/TLS Decryption?

To protect vital data, businesses and other organizations implement Transport Layer Security (TLS), commonly referred to as the superseded Secure Socket Layer (SSL), to encrypt data as it is exchanged over IP networks. SSL/TLS creates a secure channel between the server and the end users’ computer or other devices as they exchange information over the internet.

TLS is an industry standard based on a system of trusted rules and certificates issued by certificate authorities and recognized by servers. SSL was replaced by the TLS standard in 2015. In 2018, TLS 1.3 was standardized which mandates the use of Perfect Forward Secrecy for maximum security. Up to 40 percent of large enterprises have already instituted this latest incarnation.[3]

While protecting data, encryption also blinds network security and application monitoring tools. The decryption of SSL/TLS traffic is crucial for these tools. However, it is extremely computationally intensive and can introduce network latency.

The best architecture minimizes the decryption required to inspect all relevant traffic while offering legal and privacy controls. The centralized approach to decrypting SSL offered by Gigamon, decrypt once and feed all tools, provides such an architecture.


GigaSMART Decryption

GigaSMART® SSL/TLS Decryption is a licensed application that enables information security, NetOps and applications teams to obtain complete visibility into SSL/TLS traffic regardless of protocol or application, so that they can monitor application performance, analyze usage patterns and secure their networks against data breaches and threats using encrypted communications. Gigamon supports both inline/man-in-the-middle and passive/out-of-band decryption of SSL/TLS, meeting the diverse needs of your organization. Gigamon supports the latest TLS 1.3.

  • SSL/TLS detection on any port or application
  • 10 Mb to 100Gb interface support
  • Decrypt once, share with any tools as many times as you need
  • Strong crypto support including Diffie-Hellman Ephemeral, Elliptic Curves, Poly1305/ChaCha20
  • Power controls over certificate validation, extending Certificate Revocation Lists and Online Certificate Status Protocol (OCSP)
  • Integration with the Venafi Trust Protection Platform™ to centralize key management and validation
  • Meet privacy and compliance requirements: included support for URL categorization
