09c Alteon 500-201 Alteon Outbound SSL Detailed Configuration v1

This document is a step-by-step guide to SSL Inspection on Radware Alteon: the key drivers for inspecting outbound SSL traffic, the challenges and requirements for an effective implementation, the deployment modes of Radware's SSL Inspection solution, and the configuration steps for setting up inspection of outbound SSL traffic. It also covers creating and exporting the inspection (signing CA) certificate and the specific configurations for the one-leg and two-leg VAS deployment scenarios.

Uploaded by Mustafa ÇİÇEK

SSL Inspection

Step-by-Step Guide

Radware Training & Certification
July 23, 2025
Key Drivers for Inspecting Outbound SSL Traffic

Eliminate blind spots of SSL encrypted communication to/from the enterprise
Maintain the privacy of information and communications
Compliance and regulatory need for information disclosure
– Log all information access details (what, who, when and from where)
– Prevent unauthorized (source or destination) data communication
Prevent data leakage of business critical information
Prevent ingress of malware and advanced persistent threats
– through the SSL encrypted channel
Monitor traffic to/from cloud applications and services
– Enforce the organization's data privacy policies on cloud applications as well
Challenges & Requirements

Gain visibility on SSL traffic
– For inbound traffic, where the organization owns the SSL key
– For outbound traffic, where the organization doesn't own the SSL key
Transparent traffic inspection
– Seamless implementation, eliminating any user client reconfiguration
– Enables traffic inspection of various profiles (not just SSL traffic on port 443)
Support for more than one security solution, with minimal latency impact
– Enable security service chaining (e.g. DLP, anti-malware, intrusion detection)
– Flexible security policies – per service, user profile etc.
Ensure high availability of connectivity
– Even when security solutions suffer from outages
Scalable solution, capable of supporting multi-gig SSL traffic
– Supporting security solution scalability as well
Introducing Radware's SSL Inspection Solution

[Diagram: WAN – Perimeter – LAN]
– Client facing side (server emulation): SSL handshake with the client; transparently intercept the target data flows and decrypt the SSL traffic
– Perimeter: steer the decrypted traffic to the security appliances (VAS, i.e. DLP)
– Server facing side (client emulation): SSL handshake with the server; re-encrypt the traffic to maintain privacy
SSL Inspection – Deployment Modes

One leg IPS deployment mode
– HTTPS traffic from the client is decrypted and forwarded to the VAS
– The VAS is configured in L3 (routed) for IPS analysis, on a single VLAN toward Alteon
Two leg IPS deployment mode
– HTTPS traffic from the client is decrypted and forwarded to the VAS
– The VAS is configured as a transparent L2 device (no IP connectivity from Alteon to the VAS); ingress and egress use separate Alteon ports
SSL Inspection Lab Setup

SSL inspection demo setup
Web Server
– VLAN 100, Alteon port 3
– IP: 10.0.0.80, GW: 10.0.0.1
Client PC
– VLAN 101, Alteon port 5
– IP: 192.168.100.2, GW: 192.168.100.1
VAS
– VLAN 111, Alteon port 8
– IP: 20.20.20.20, GW: 20.20.20.1
Alteon v30.2.0 and up with SSL license activated
Note: For the web server, use any web server you are comfortable with, serving HTTPS
To simulate the VAS, use any Linux based server with IP forwarding enabled
Configuration Steps

1. Set IP interfaces and VLANs for Web server, Client and VAS
2. Set frontend and backend SSL policies
3. Set real server for VAS and assign to server group
4. Create filter “redirect” from client to VAS
5. Create filter “allow” from VAS to Server
6. Enable filters on client/server/VAS ports (port processing)
7. Create a new certificate for SSL inspection (the signing CA)
8. Load the certificate into the trusted root CA store of the client's browser
Frontend SSL Policy Configuration

Configure an SSL policy for frontend SSL traffic
– From local clients to Alteon
Disable backend SSL in this policy
– The decrypted traffic is forwarded in the clear to the VAS for inspection
Backend SSL Policy Configuration

Configure an SSL policy for backend SSL traffic
– Traffic coming back from the VAS after inspection, which needs to be encrypted again toward the server
Disable frontend SSL in this policy
Enable backend SSL
Note: once inspection is enabled the client no longer sees the origin server's certificate, only the one Alteon issues for it, so the backend SSL policy is the only place where the origin's certificate can still be validated.
Configure Real Server for VAS

Create a new real server (the VAS, 20.20.20.20)
Add the real server to the servers group
Filter from Client to VAS

Match Settings Configuration:
– The filter detects traffic destined to TCP port 443 and redirects it to the VAS group
– Traffic type is HTTP only
Action Settings:
– Delayed Bind – Forceproxy
– Real Server Port – 80 (the decrypted traffic is sent to the VAS as plain HTTP on port 80)
– Return to Last Hop – Enable
– Reverse Session – Enable
– Hash Based Group Metrics – Both
SSL:
– SSL Inspection – Enable
– Select the frontend SSL policy defined previously
Filter from VAS to Server

Match Settings Configuration:
– The "Allow" filter detects traffic destined to TCP port 80 (the inspected traffic returning from the VAS)
– Traffic type is HTTP only
Action Settings:
– Delayed Bind – Forceproxy
– Real Server Port – 443 (re-encrypted toward the server's HTTPS port)
– Return to Last Hop – Enable
– Reverse Session – Enable
SSL:
– SSL Inspection – Enable
– Select the backend SSL policy defined previously
Port Processing Configuration

Client Port Processing Configuration (port 5)
– Enable Filter/Outbound LLB
– Add the "Client to VAS" filter
VAS Port Processing Configuration (port 8)
– Enable Filter/Outbound LLB
– Add the "VAS to Server" filter
Server Port Processing Configuration (port 3)
– Enable Filter/Outbound LLB
Create New Certificate For Inspection

Create a new certificate for SSL inspection
– Set the "common name"
– Generate the certificate from the "Certificate Repository" window
Certificate Repository – Outcome
SSL Inspection Configuration
– Under SSL Inspection configuration, select the previously generated key and certificate as the signing CA
This key signs the certificates Alteon issues on the fly for every intercepted site; protect it like a root CA key, since anyone holding it can impersonate any HTTPS site to the clients that trust it.
Export Certificate to Client's Browser

Under SSL configuration
– Export the certificate (not the private key) to a file
– Load the certificate into the client browser's trusted root CA store
Add certificate to client's PC
Under Control Panel
– Internet Options → Content → Certificates
– Select Trusted Root Certification Authorities → Import
– This applies to IE and Chrome, which both use the Windows certificate store
Example for Firefox (which keeps its own certificate store):
– Options → Advanced → Certificates → View Certificates
– Authorities → Import
– Select the inspection certificate created previously
Dummy VAS Configuration

In order for traffic to be forwarded to the VAS and back to the server, a Linux based server can be used to simulate the VAS
Configure the Linux server to forward (simulating router functionality) all incoming traffic back to Alteon, i.e. its default gateway is the Alteon interface 20.20.20.1
Use the command "sysctl -w net.ipv4.ip_forward=1" to enable IP forwarding (this is not persistent across reboots unless also set in /etc/sysctl.conf)
Check SSL Inspection

From the client's browser, connect to the web server (https://10.0.0.80)
Open the secure connection info and select More Information
The "Issued By" field is now based on the CN and Organization of the inspection certificate generated by Alteon and configured as the "Signing CA Certificate"
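The "Issued By" check above, scripted: this is an added Python example and not part of the Radware deck. It connects from the client PC to https://10.0.0.80 the way the browser does, trusting only the exported inspection CA, and classifies the certificate the client actually received by its issuer. The CA file name and the CN/Organization values of the inspection certificate are assumptions for illustration; the two sample certificates are constructed so the classification runs offline.

```python
"""Added example (not part of the Radware deck): script the "Check SSL Inspection"
step from the client PC instead of reading the browser's connection info.

Behind a working inspection filter the certificate's issuer is the Alteon signing
CA; if the issuer is the origin's own CA, or verification against the inspection
CA fails, the flow is bypassing inspection.

Assumptions, not taken from the deck: the inspection CA was exported to
'alteon-inspection-ca.pem' and was generated with CN 'Alteon SSL Inspection'
and Organization 'Radware'.
"""
import socket
import ssl
import sys

LAB_HOST = "10.0.0.80"                            # web server from the lab setup
LAB_PORT = 443
INSPECTION_CA_FILE = "alteon-inspection-ca.pem"   # assumed name of the exported CA file
INSPECTION_CN = "Alteon SSL Inspection"           # assumed CN of the signing CA
INSPECTION_ORG = "Radware"                        # assumed Organization of the signing CA

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert():
# a name is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_INSPECTED_CERT = {
    "subject": ((("commonName", "10.0.0.80"),),),
    "issuer": ((("organizationName", "Radware"),),
               (("commonName", "Alteon SSL Inspection"),)),
}
SAMPLE_DIRECT_CERT = {
    "subject": ((("commonName", "10.0.0.80"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Web PKI"),),
               (("commonName", "Example Issuing CA"),)),
}


def name_attr(name, attribute):
    """First value of `attribute` (e.g. 'commonName') in a getpeercert() name tuple."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == attribute:
                return value
    return None


def classify_issuer(peercert, inspection_cn=INSPECTION_CN, inspection_org=INSPECTION_ORG):
    """'inspected' when the issuer matches the Alteon signing CA on CN and, if given,
    Organization (the two values the browser shows under "Issued By"), else 'direct'."""
    issuer = peercert.get("issuer", ())
    cn_ok = name_attr(issuer, "commonName") == inspection_cn
    org_ok = inspection_org is None or name_attr(issuer, "organizationName") == inspection_org
    return "inspected" if cn_ok and org_ok else "direct"


def fetch_peer_cert(host=LAB_HOST, port=LAB_PORT, cafile=INSPECTION_CA_FILE):
    """TLS-connect like the browser and return the parsed peer certificate.

    Trusting only the exported inspection CA makes a path that is NOT going through
    the inspecting Alteon fail verification instead of silently passing.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # lab addresses the server by IP; CERT_REQUIRED stays on
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_inspection(host=LAB_HOST, port=LAB_PORT, cafile=INSPECTION_CA_FILE):
    """Return (status, issuer_cn); status is 'inspected', 'direct' or 'unverified'."""
    try:
        cert = fetch_peer_cert(host, port, cafile)
    except ssl.SSLCertVerificationError:
        # Chain does not lead to the inspection CA: this flow is not being intercepted.
        return "unverified", None
    return classify_issuer(cert), name_attr(cert.get("issuer", ()), "commonName")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, cert in (("sample inspected", SAMPLE_INSPECTED_CERT),
                        ("sample direct", SAMPLE_DIRECT_CERT)):
        print(f"{label}: {classify_issuer(cert)} "
              f"(issued by {name_attr(cert['issuer'], 'commonName')})")
    # Live check against the lab web server only when asked for explicitly.
    if "--live" in sys.argv:
        print("live:", check_inspection())
```

Run it with `--live` on the client PC; without the flag it only classifies the two constructed samples. A verification error with the inspection CA as the sole trust anchor means the path is bypassing the inspecting Alteon, which a bare browser check can miss when the origin's own CA is also trusted.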
SSL Inspection – Two Leg IPS Mode

SSL inspection demo setup
Web Server
– VLAN 100, Alteon port 3
– IP: 10.0.0.80, GW: 10.0.0.1
Client PC
– VLAN 101, Alteon port 5
– IP: 192.168.100.2, GW: 192.168.100.1
VAS (transparent L2)
– Ingress traffic – VLAN 222, Alteon port 7, dummy IP: 3.3.3.3
– Egress traffic – VLAN 333, Alteon port 9, dummy IP: 4.4.4.4
Alteon v30.2.0 and up with SSL license activated
IP Interface for VAS Ingress Traffic

Set a dummy IP interface on the VAS ingress VLAN, for traffic coming from clients toward the VAS
IP Interface for VAS Egress Traffic

Set a dummy IP interface on the VAS egress VLAN, for inspected traffic returning from the VAS
Create Dummy Real Servers For VAS traffic

Create a real server for ingress VAS traffic
– Under IDS, set the specific Alteon port (7) to which all traffic for this real server will be forwarded
Create a real server for egress VAS traffic
– Under IDS, set the specific Alteon port (9) to which all traffic for this real server will be forwarded
Create Real Server Group

Create a real server group and assign the ingress VAS real server created previously
Create new Health Check
Create a new logical expression health check based on ARP and Link to monitor the VAS links
– The transparent VAS has no IP address, so ICMP or TCP health checks do not apply; link state and ARP on the dummy IP are what can be monitored
Assign the ARP&Link health check to the server group
Add Static ARP
Add a static ARP entry for the dummy real server, using Alteon's own MAC address
– Frames to the dummy real server leave ingress VAS port 7, pass through the transparent VAS and re-enter on egress VAS port 9; because the destination MAC is Alteon's own, Alteon accepts them and passes them on toward the server
Port Processing Configuration

Enable filter on client port #5
– Select the "Client to VAS" filter, which redirects all HTTPS traffic to the VAS
Enable filter on ingress VAS port #7
Enable filter on egress VAS port #9
– Select the "VAS to Server" filter