Imperva Cyber Community

Expand all | Collapse all

Transparent Reverse Proxy

  • 1.  Transparent Reverse Proxy

    Posted 19 days ago
    Dear Team,

    Please help to understand the following -

    Is it necessary to enable TRP to inspect HTTPS traffic ?
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------


  • 2.  RE: Transparent Reverse Proxy

    Imperva Employee
    Posted 18 days ago
    Hi Pankaj,

    TRP is only necessary if you want to inpect HTTPS traffic that uses Diffie-Hellman key exchange.
    If your site use only RSA key exchange, no need for TRP.

    ------------------------------
    Pal Balint
    ------------------------------



  • 3.  RE: Transparent Reverse Proxy

    Posted 18 days ago
    Hi Pal,

    Thanks for your reply !
    I have some doubts related to TRP.
    Please help to clear them.
    1. Is TRP only required for key exchange? 
    2. If we dont enable TRP for the application running on HTTPS , are we under big threat?
        Just want to clear if we dont enable TRP, still WAF will protect the application from all attacks over port 80 and 443?

    It is because i have faced issues with TRP many times like application running behind WAF with TRP enabled suddenly goes inaccessible.
    Fortunately we have SSL Negotiation Settings now available but still there are some applications which are not accessible when TRP enabled. ( I am working with support for them).
    Thats why we have to disbale the TRP for those application to make them accessible.

    Thanks !

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 4.  RE: Transparent Reverse Proxy

    Impervian
    Posted 17 days ago

    What you are missing is often the most important traffic, because it cannot decrypt the HTTPS traffic, so many of your policies are not applied when it comes to the application layer protection you are expecting from the WAF. If you have HTTPS, it is likely this is your most important traffic to inspect and protect. Even now with the shift to encrypting everything by default, you would lose more and more visibility over time even if it is not particularly important traffic.

    What CA do you use? The certificate chaining is of primary importance. Normally TRP works well to allow inspection of HTTPS traffic, but you have to use it right, and there are some key issues depending on your situations. First is that in current versions of SecureSphere TRP does not support some encryption such as SHA384 chaining, so make sure your certificates all along the chain are supported (primary and intermediate(s)), such as using SHA256. Authorities such as Sectigo/Comodo have now defaulted to intermediate authorities that are SHA384, which can break TRP. To get around this you can do three things (number three is at the bottom of this response, but here are the first two), ask the CA to issue a chain that complies with the SHA256 for all primary and intermediate chained certificates (that you install into your environment), or select a different CA which is fully chained with supported certificate types (which is not a great recommendation depending on your corporate policies, but I had to put it out there). There are plans to update this for the coming versions of SecureSphere, but it has yet to be released. 

    We have inline bridge mode and are extensively using TRP, and with a few issues it is quite successful, if implemented properly.

    Check you chaining and make sure it is consistent, get certificates that have all the chaining that will be installed at the WAF in supportable formats (such as SHA256 chains), and you should be able to be successful without all of the breaking that you mentioned. It took us some effort to find this issue, but once we did, we have hundreds of sites in TRP and can still inspect critical traffic. With the upcoming promised releases, this will be even easier and more supported.

    Or your only other third alternative, depending on the size and scale of your deployment, is to switch to KRP (Kernel Reverse Proxy) mode which supports this process natively (no reason to use TRP because it is already being performed by the KRP), but this has several implications on your environment including the physical design of your networking, making sure your applications process the headers correctly to log appropriate access, reporting hosts to use a different gateway, etc. Depending on the size and scope of your deployment, this is a business decision on whether or not the amount of effort to make that change is right for you.

    ------------------------------
    Jason Park
    County of Los Angeles
    CA
    ------------------------------



  • 5.  RE: Transparent Reverse Proxy

    Posted 2 days ago
    Hi Jason,

    In this case, how can we sure that , if the connection is breaking because of SHA384 signature algorithm, I would like to know where the connection will break.

    from client > WAF or WAF> webserver? how can we identify from a Wireshark capture?

    ------------------------------
    Nishanth Minikkaran
    Allianz technology
    ------------------------------



  • 6.  RE: Transparent Reverse Proxy

    Posted 16 days ago
    Hi Pankaj,

    I think the simple answer is yes. Without TRP enabled (in inline bridge mode), securesphere will only be able to inspect HTTP traffic and not HTTPS. 

    Thanks

    ------------------------------
    Shantanu Chaurasia
    ------------------------------



  • 7.  RE: Transparent Reverse Proxy

    Posted 2 days ago
    It can inspect the Https traffic too in bridge mode provide that if the client and server are agreed up on RSA key exchange. In this case the session keys are encrypted and with server public and send to the server so WAF can decrypt the session key with the private key associate with cert and eventually WAF can decrypt the packet and inspect it.

    However incase of Diffi-helman or elliptical-curve cryptography , WAF cannot decrypt the packets as the session keys are never transmitted over a wire. so decryption is not possible in bridge mode in this case. when enabling TRP key exchange are happening between client and WAF so that It can decrypt all the packets irrespective of the key exchange algorithm. 


    ------------------------------
    Nishanth Minikkaran
    Allianz technology
    ------------------------------