Block YouTube without SSL-decryption

Let’s say you want to block YouTube. If you start making a rule, it would probably look something like this:

[image: yb1]

Add the applications youtube and youtube-base and set the action to deny. This will not work, however, if you are not running SSL decryption:

[image: yb2]

The application signatures are not able to identify the traffic correctly, since it is inside an SSL tunnel, and in the logs we see this instead:

[image: yb7]

This gives us little to no information, so we need another way to do it.

First some recon on the traffic:

[image: yb8]

This gives us some context to work with that is not encrypted.

So what do we do with it?

First we need to create a new custom application:

Objects -> Applications -> Add

[image: yb5]

Put in some information on what the application is doing and what its characteristics are. Don’t just throw this together, because it can end up matching an application filter you don’t want it to match. Mine is a good example to start out with.

[image: yb6]

The next step is to add a new signature to actually identify YouTube traffic, and then add the conditions so it matches the picture.

The signature is based on identifying the words youtube and googlevideo in both the SSL Client Hello and in the certificate. This makes it possible for us to find and stop traffic to and from servers affiliated with YouTube.

[image: yb4]
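As an added example that is not part of the original post or of the linked App-ID file, here is a small Python parser that pulls the server name (SNI) out of a TLS Client Hello and checks it against the same two strings the signature matches on; the Client Hello bytes are constructed inline, and the function and variable names are my own.

```python
import struct

# Strings the custom App-ID in the post matches on in the Client Hello
# server name (SNI) and in the certificate: "youtube" and "googlevideo".
YOUTUBE_PATTERNS = ("youtube", "googlevideo")

def build_client_hello(server_name: str) -> bytes:
    # Constructed sample input: a minimal TLS ClientHello record with one
    # server_name (SNI) extension. Not a real capture.
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)        # client_version + random (zeroed)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    # Return the SNI host name from a TLS ClientHello record, or None if the
    # record is not a ClientHello, is truncated, or carries no server_name.
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 43                                  # 5 (record) + 4 (handshake) + 2 + 32
        pos += 1 + record[pos]                    # skip session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + record[pos]                    # skip compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                     # server_name extension
                # ServerNameList: 2-byte list length, 1-byte name type, 2-byte length, name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (struct.error, IndexError):
        return None
    return None

def matches_youtube(record: bytes) -> bool:
    # True when the Client Hello's SNI contains one of the post's patterns.
    sni = extract_sni(record)
    return sni is not None and any(p in sni.lower() for p in YOUTUBE_PATTERNS)
```

Only the Client Hello side of the signature is shown here; the certificate names the post also matches on are sent in cleartext in TLS 1.2 but are encrypted in TLS 1.3, so on newer clients the SNI is the only one of the two that remains visible without decryption.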

We then change the application in our “Block Youtube” rule and see what happens.

Chrome:

[image: yb9]

We still get into YouTube, due to how Chrome works, but we are able to block the videos.

Firefox:

[image: yb10]

Totally blocked.

Internet Explorer:

[image: yb11]

So we are able to block it, and we can see the result in the logs:

[image: yb3]

Link to my custom App-ID: appid_youtube_ssl

Disclaimer:
I don’t take any responsibility if this custom application breaks anything other than YouTube. The signature is based on names in the certificate and Client Hello, so if you have other services using googlevideo or youtube, they will also be blocked.


Firefox and SSL-decryption

I have worked with SSL decryption for several years, and one of my biggest issues during that time was the abundance of browsers that people use.
We have IE, Chrome, Firefox, Safari, Opera and many more, and they all have their own ideas about how things should work.

But the biggest issue I had was Firefox.
All the other browsers use the built-in certificate stores of both Mac OS X and Windows, which made it trivial to push out the certificates used for SSL decryption via GPO.
But not Firefox: it uses its own internal certificate store, which is not that trivial to push certificates to in an enterprise environment. This led companies to simply discontinue any support for Firefox; why waste time on complex scripts or third-party products to manage a free browser, when both IE and Chrome just work?

A lot of users were not happy about this. Old habits are hard to change, and browser habits seem to be among the hardest, based on all the complaints I saw.

But finally, Mozilla has made some recent changes that will enable enterprises to support Firefox in environments with SSL decryption! Let’s see how it works:

[image: decrypt1]

Let’s start with my current decrypt policy:

  1. Rule based on data from MineMeld that updates my PA-200 with the IPs that Office 365 runs on.
  2. Can’t decrypt my Xbox One traffic.. what if I disconnect in a FIFA 17 game? That would be devastating!
  3. My own list of IPs for applications that won’t work with SSL decryption.
  4. Catch-all rule on port 443; even my online bank is being decrypted. You can never be too safe! 🙂

This policy works without any issues in Chrome and IE, since I have imported the “ssl.test.no” certificate into my Trusted Root Certificate Store. But let’s see what happens when I put Firefox to the test:

[image: decrypt2]

Yeah, just as expected. Firefox has no knowledge of the imported certificate, so it stops me from even getting to the site, since from its point of view this is clearly a man-in-the-middle (MitM) attack!

The next step in the old days would be to import the certificate manually, or to get some third-party product installed in your domain to do it via GPO.
But from version 49 upwards, we have a cool new feature!

Browse to about:config in the search bar:

[image: decrypt3]

Right-click anywhere in the list and choose “New -> Boolean”.

Enter the following text into the popup:

[image: decrypt4]

security.enterprise_roots.enabled

Then set it to “true”; it should look like this:

[image: decrypt5]

This setting makes Firefox check the Windows / Mac OS X certificate store for any root certificates it does not already have. So basically, it will work the way IE and Chrome do!

Restart Firefox, and then browse to an https:// site to see if it works!

[image: decrypt6]

And behold, it worked like a charm. I did not have to import anything into Firefox; it just works! The only downside is that you are not able to see any of the imported certificates in Firefox. This is something that will be added down the line.

But this is one BIG step in the right direction toward making Firefox easier to work with in environments where SSL decryption is active. Just remember this is for version 49 and newer!

If you want more information about how to tune Firefox for your enterprise, look here:

https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment

Customizing Firefox – Default Preference Files

Reducing the attack surface!

Reducing the attack surface is something I have read, heard and said myself plenty of times.

It’s the strategy I believe in when it comes to security in both business and home networks.
I am also a visual guy who likes to use pictures to show what I mean:

[image: ittoonideafinal_5]

This is a picture I had made by a cartoonist, and it is a good representation of how I visualize IT security from an attacker’s perspective.
Which one do you think an attacker will focus on? They are people just like me and you; they work on the clock and have lives as well. So they will of course go for the one requiring the least effort! Why waste time?

This is why I say that reducing the attack surface is so important, and the only way to achieve this goal is to have total control of your network. Because how can you reduce something you don’t know everything about?

  • How many web servers do you have? On what ports?
  • Do we have any FTP traffic in or out of our network?
  • What kind of traffic are we seeing over port 443? Is it only SSL? If yes, what’s inside that SSL traffic?
  • DNS. Can clients use whatever DNS server they want?
  • Web browsing. Is it controlled in any way? URL filter?
  • Applications. What kind of applications are people using, and are they all work-related and safe?
  • SaaS. Are people using Dropbox? Google Drive? Private Outlook 365 accounts?
  • Remote access. Do people use remote access tools like TeamViewer?
  • Internet of Things. What is connected or not? Is the coffee machine connected? And if yes, what does it do?

These are just some examples of what you need to know about your network to actually be able to reduce the attack surface. Take control, and find out what is actually happening. Then activate enforcement and control over what you want to go in and out of your network!

You don’t let everyone into your office, do you? That’s why we have physical barriers, with a receptionist checking who you are before you can get in. Why should you not do the same with your network traffic?

[image: 02-resepsjon]

The higher the level of control and enforcement you have in your network, the bigger the cost to the attacker to actually breach you. And if the cost is too high, they will just move on to an easier target.

My point is simple, and can be summarized in one joke:

Do you know how to avoid being eaten by a shark?

Swim faster than the other guy!