SSL Interception

From The MetaFlows Security System Documentation


SSL packets routed through the MetaFlows sensor can be intercepted by a man-in-the-middle SSL proxy, which hands the decrypted SSL traffic to the sensor for analysis.

In order to inspect SSL traffic it is necessary to set up all user machines to proxy HTTPS traffic through <sensorip>:8080. It is preferable to proxy only HTTPS traffic and not HTTP traffic, to reduce the load on the proxy.

If setting the SSL proxy on all user machines is not feasible, it is possible to achieve the same result by changing IP routing and sending all traffic through <sensorip>. This has the advantage of avoiding configuring the proxy settings on the individual client machines, but it has the disadvantage of having to route all traffic (including non-SSL traffic) through the sensor, thus potentially increasing latency for all applications. If you are interested in this alternate configuration, please contact support@metaflows.com.

Software Installation

The SSL interception software is not bundled with the rest of the MetaFlows sensor software. Please contact support@metaflows.com to obtain a copy. Download the software to the sensor and execute the command:

mitmproxy.sh

This installation script will guide you through the installation steps.

Manual Proxy Mode

In manual proxy mode, the machines on your network on which you wish to perform SSL interception need to proxy secure traffic through <sensorip>:8080. This can be achieved either by configuring each machine individually or by changing a group policy. Regular HTTP traffic does not need to be proxied through the SSL interception, although the HTTP traffic will still be processed by the MetaFlows sensor unchanged.

Upstream Proxy

This configuration also supports having another proxy upstream. It is therefore possible to use the SSL proxy in conjunction with other proxies such as Squid.

Transparent Proxy Mode

In transparent mode, the traffic is routed through the MetaFlows sensor as the default route. All non-SSL traffic is simply forwarded to the real IP gateway, while SSL traffic is intercepted and then routed on to the real IP gateway. In this mode the users' machines do not need to be configured to proxy traffic; the proxying happens transparently. As in the case of manual proxy mode, it is not necessary to route all traffic through the MetaFlows sensor: it is possible to route only SSL traffic through the sensor while leaving all other traffic going through the normal IP gateway.

Root Certificate Installation

Once proxying is enforced, the user machines will not be able to access most sites unless the proxy's root certificate is installed. Other users cannot intercept each other's connections: the certificate you install on the clients has been uniquely generated on this MetaFlows sensor and is not shared with other installations.

Windows

  • From the user's machine, use Internet Explorer and go to the URL: http://<sensorip>:81
  • Download the certificate and then open it to import it into the system

Apple

  • Download the PEM file from the URL: http://192.168.1.220 (replace with the <sensorip> of your sensor)
  • Double-click the PEM file
  • The "Keychain Access" application opens
  • Find the new certificate "mitmproxy" in the list
  • Double-click the "mitmproxy" entry
  • A dialog window opens up
  • Change "Secure Socket Layer (SSL)" to "Always Trust"
  • Close the dialog window (and enter your password if prompted)

Browser based

  • From the user's machine, use the browser of your choice and go to the URL: http://<sensorip>
  • A dialog window will pop up. Check the appropriate options and save it

Proxy Management

Once the SSL proxy is installed on the sensor, users will be able to manage the proxy configuration through the page Historical->SSL interception. This page allows managing a regular expression which identifies the set of domains whose traffic should not be decrypted/inspected by the SSL proxy. These domains can be exempted either for policy reasons or because they use certificate/public key pinning and therefore cannot be processed by the SSL proxy. These exceptions are still proxied, but the SSL payload is left encrypted end-to-end.
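The exemption regular expression decides which connections stay encrypted end-to-end, so a loosely written pattern silently removes more hosts from inspection than intended. The following is an added example, not code from the MetaFlows product or this page; it assumes the regex is applied as a search against the hostname the client requested (SNI) and uses constructed hostnames and patterns to contrast an unanchored pattern with an anchored one.

```python
import re

# Constructed sample of hostnames seen by the proxy (not from the original page).
SAMPLE_HOSTS = [
    "www.examplebank.com",                       # should be exempt (policy)
    "login.examplebank.com",                     # should be exempt (policy)
    "api.pinned-app.example",                    # should be exempt (key pinning)
    "examplebank.com.notreally.example",         # lookalike, must NOT be exempt
    "examplebank2com.example",                   # unescaped '.' would match this
    "www.publicsite.example",                    # ordinary site, inspect it
]

# Loosely written exemption: unanchored, dots unescaped (matches any character).
LOOSE_PATTERN = r"examplebank.com|pinned-app.example"

# Anchored exemption: the named domains and their subdomains, nothing else.
STRICT_PATTERN = r"^(?:[a-z0-9-]+\.)*(?:examplebank\.com|pinned-app\.example)$"


def is_exempt(host: str, pattern: str) -> bool:
    """True if the host matches the exemption regex, i.e. its SSL payload
    would be passed through without decryption (assumed search semantics)."""
    return re.search(pattern, host.lower()) is not None


def classify(hosts, pattern):
    """Map each host to the action the proxy would take under the pattern."""
    return {h: ("pass-through" if is_exempt(h, pattern) else "decrypt")
            for h in hosts}


def over_exempted(hosts, pattern, intended_pattern=STRICT_PATTERN):
    """Hosts the pattern exempts that the intended (anchored) rule would inspect."""
    return sorted(h for h in hosts
                  if is_exempt(h, pattern) and not is_exempt(h, intended_pattern))


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"[{name}]")
        for host, action in classify(SAMPLE_HOSTS, pat).items():
            print(f"  {host:40} {action}")
    print("over-exempted by loose pattern:", over_exempted(SAMPLE_HOSTS, LOOSE_PATTERN))
```

Running it shows that the loose pattern also exempts the lookalike and the "examplebank2com" host from inspection, while the anchored pattern exempts only the intended domains and their subdomains.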

This page also has convenient links to install the local Root certificate.