In this case, how can we be sure? If the connection is breaking because of the SHA384 signature algorithm, I would like to know where the connection will break: from client > WAF, or WAF > webserver? How can we identify this from a Wireshark capture?
Original Message:
Sent: 05-15-2020 11:39
From: Jason Park
Subject: Transparent Reverse Proxy
What you are missing is often the most important traffic, because the WAF cannot decrypt the HTTPS traffic, so many of your policies are not applied when it comes to the application-layer protection you are expecting from the WAF. If you have HTTPS, it is likely this is your most important traffic to inspect and protect. Even now, with the shift to encrypting everything by default, you would lose more and more visibility over time, even if it is not particularly important traffic.
What CA do you use? The certificate chaining is of primary importance. Normally TRP works well to allow inspection of HTTPS traffic, but you have to use it right, and there are some key issues depending on your situation. First, in current versions of SecureSphere, TRP does not support some encryption such as SHA384 chaining, so make sure your certificates all along the chain are supported (primary and intermediate(s)), such as by using SHA256. Authorities such as Sectigo/Comodo have now defaulted to intermediate authorities that are SHA384, which can break TRP. To get around this you can do three things (number three is at the bottom of this response, but here are the first two): ask the CA to issue a chain that complies with SHA256 for all primary and intermediate chained certificates (that you install into your environment), or select a different CA which is fully chained with supported certificate types (which is not a great recommendation depending on your corporate policies, but I had to put it out there). There are plans to update this for the coming versions of SecureSphere, but it has yet to be released.
We have inline bridge mode and are extensively using TRP, and with a few issues it is quite successful, if implemented properly.
Check your chaining and make sure it is consistent, get certificates that have all the chaining that will be installed at the WAF in supportable formats (such as SHA256 chains), and you should be able to be successful without all of the breaking that you mentioned. It took us some effort to find this issue, but once we did, we have hundreds of sites in TRP and can still inspect critical traffic. With the upcoming promised releases, this will be even easier and more supported.
Or your only other (third) alternative, depending on the size and scale of your deployment, is to switch to KRP (Kernel Reverse Proxy) mode, which supports this process natively (no reason to use TRP because it is already being performed by the KRP), but this has several implications for your environment, including the physical design of your networking, making sure your applications process the headers correctly to log appropriate access, repointing hosts to use a different gateway, etc. Depending on the size and scope of your deployment, this is a business decision on whether or not the amount of effort to make that change is right for you.
------------------------------
Jason Park
County of Los Angeles
CA
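To check a chain the way Jason describes, here is an added example (my code, not Imperva's and not from this thread): a standard-library-only Python script that reads each certificate in a PEM bundle, decodes the outer X.509 signatureAlgorithm OID straight from the DER, and flags any certificate (leaf or intermediate) signed with a SHA-384 algorithm. The PEM fixture it runs on is a constructed stub shaped like a certificate (placeholder tbsCertificate, all-zero signature), not a real certificate; point `check_chain()` at the real bundle you install on the WAF. The OID-to-name table and the assumption that "unsupported" means any SHA-384 signature algorithm are mine.

```python
"""Report the signature algorithm of every certificate in a PEM chain.

Added example, not Imperva code. Reads the X.509 signatureAlgorithm field
directly from the DER so no third-party X.509 library is needed.
"""
import base64
import re

# OID -> name for the signature algorithms CAs commonly use (my table, not exhaustive).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# DER-encoded OID contents used by the constructed fixtures below.
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA384_RSA = bytes.fromhex("2a864886f70d01010c")  # 1.2.840.113549.1.1.12

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER contents into dotted-decimal notation."""
    subids, value = [], 0
    for b in raw:  # base-128 varints, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]  # first two arcs are packed into one sub-identifier
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def signature_algorithm(der):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def check_chain(pem_text):
    """Return [(index, algorithm name, supported?)] for each certificate in the bundle.

    'Unsupported' here means any SHA-384 signature algorithm (assumption from the post).
    """
    results = []
    for i, m in enumerate(_PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        name = SIG_ALG_NAMES.get(signature_algorithm(der), signature_algorithm(der))
        results.append((i, name, "sha384" not in name.lower()))
    return results


def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535) for the fixtures."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def make_stub_cert_pem(sig_oid_bytes):
    """Constructed fixture: a SEQUENCE shaped like an X.509 Certificate with a placeholder
    tbsCertificate and an all-zero signature. Not a real or verifiable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 65)  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed chain: SHA-256 leaf, SHA-384 intermediate (the Sectigo-style case).
    chain = make_stub_cert_pem(SHA256_RSA) + make_stub_cert_pem(SHA384_RSA)
    for idx, name, ok in check_chain(chain):
        print(f"cert[{idx}]: {name} {'OK' if ok else 'UNSUPPORTED for TRP'}")
```

The same check from the command line is `openssl x509 -noout -text -in cert.pem` on each certificate in the bundle, reading the Signature Algorithm line; what matters is the algorithm each certificate was signed with by its issuer, so an intermediate issued by a SHA-384-signing CA shows up even when your own leaf is SHA-256.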
Original Message:
Sent: 05-15-2020 00:25
From: Pankaj Chouhan
Subject: Transparent Reverse Proxy
Hi Pal,
Thanks for your reply !
I have some doubts related to TRP.
Please help to clear them.
1. Is TRP only required for key exchange?
2. If we don't enable TRP for the application running on HTTPS, are we under a big threat?
Just want to clarify: if we don't enable TRP, will the WAF still protect the application from all attacks over ports 80 and 443?
It is because I have faced issues with TRP many times, like an application running behind the WAF with TRP enabled suddenly becoming inaccessible.
Fortunately we have SSL Negotiation Settings available now, but there are still some applications which are not accessible when TRP is enabled (I am working with support on them).
That's why we have to disable TRP for those applications to make them accessible.
Thanks !
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
Original Message:
Sent: 05-14-2020 09:14
From: Pal Balint
Subject: Transparent Reverse Proxy
Hi Pankaj,
TRP is only necessary if you want to inspect HTTPS traffic that uses Diffie-Hellman key exchange.
If your site uses only RSA key exchange, there is no need for TRP.
------------------------------
Pal Balint
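Pal's distinction between RSA and Diffie-Hellman key exchange is visible in the ServerHello, and an added example (my code, not Imperva's and not from anyone in this thread) makes it concrete: it walks the TLS records in a byte buffer, reports the negotiated cipher suite and whether passive decryption with the server's RSA private key is possible (static RSA suites) or a terminating proxy such as TRP is required ((EC)DHE and TLS 1.3 suites), and decodes plaintext alert records. It also bears on the question at the top of the thread about where a connection breaks: run it separately on the client-to-WAF and WAF-to-webserver captures, and the leg that carries the fatal alert is the one where the handshake failed. The record bytes below are constructed fixtures, not a real capture; the cipher-suite and alert tables are mine and cover only common values.

```python
"""Classify TLS records: which key exchange was negotiated, and were there alerts?

Added example, not Imperva code. Input is raw TLS record bytes, e.g. the TCP
payload of a server's packets exported from Wireshark. Only plaintext records
are understood (ServerHello and handshake-time alerts).
"""
import struct

# IANA cipher-suite values -> (name, key exchange). My table, common values only.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),   # TLS 1.3 is always (EC)DHE
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}

ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
HANDSHAKE_SERVER_HELLO = 2


def iter_records(data):
    """Yield (content_type, fragment) for each TLS record: type(1) version(2) length(2) body."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        yield ctype, data[pos + 5:pos + 5 + length]
        pos += 5 + length


def parse_server_hello(fragment):
    """Return the cipher suite chosen in a ServerHello handshake message, or None."""
    if len(fragment) < 4 or fragment[0] != HANDSHAKE_SERVER_HELLO:
        return None
    body = fragment[4:]  # skip handshake type(1) + length(3)
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def classify(data):
    """Return human-readable findings for the plaintext TLS records in data."""
    findings = []
    for ctype, frag in iter_records(data):
        if ctype == CONTENT_HANDSHAKE:
            suite = parse_server_hello(frag)
            if suite is None:
                continue
            name, kx = CIPHER_SUITES.get(suite, (f"unknown_0x{suite:04x}", "unknown"))
            if kx == "RSA":
                verdict = "static RSA key exchange: passive decryption with the server key works"
            else:
                verdict = f"{kx} key exchange: ephemeral keys, TRP/terminating proxy required"
            findings.append(f"ServerHello {name}: {verdict}")
        elif ctype == CONTENT_ALERT and len(frag) >= 2:
            level = "fatal" if frag[0] == 2 else "warning"
            findings.append(f"Alert {level} {ALERT_DESCRIPTIONS.get(frag[1], frag[1])}")
    return findings


def build_server_hello(suite):
    """Constructed fixture: a minimal TLS 1.2 ServerHello record (not from a real capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_alert(description, level=2):
    """Constructed fixture: a plaintext TLS alert record (level 2 = fatal)."""
    return bytes([CONTENT_ALERT]) + b"\x03\x03\x00\x02" + bytes([level, description])


if __name__ == "__main__":
    # Constructed 'capture': an RSA handshake, an ECDHE handshake, then a fatal alert.
    capture = build_server_hello(0x009C) + build_server_hello(0xC02F) + build_alert(40)
    for line in classify(capture):
        print(line)
```

Static RSA suites are the only case where the server's private key alone recovers the session keys; with (EC)DHE the WAF has to be the TLS endpoint, which is exactly what TRP provides. If a handshake fails on the WAF-to-webserver leg, the client-to-WAF leg often shows nothing but a reset, so capture both sides.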
Original Message:
Sent: 05-14-2020 03:45
From: Pankaj Chouhan
Subject: Transparent Reverse Proxy
Dear Team,
Please help to understand the following -
Is it necessary to enable TRP to inspect HTTPS traffic?
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------