What are the high-level differences between SSL inspection modes on FortiGates?
An introduction to different SSL inspection modes.
It's also worth noting that the security industry has an unfortunate habit of sticking with legacy abbreviations. Despite the name "SSL Inspection", the cryptographic protocol actually being inspected is rarely Secure Sockets Layer these days; it's typically TLS (Transport Layer Security).
In the network security space, the term "SSL Inspection" gets thrown around quite a bit. Not all inspection techniques are the same though. There are always trade-offs: some approaches are more comprehensive and offer deeper security insight... but can be more challenging to implement. In this article, we'll talk through a couple of popular inspection modes for firewalls. I'll focus on FortiGates since I've been working with them more frequently, but keep in mind that these features and capabilities apply to other vendors as well.
High-level Background
Firstly, a quick refresher on the moving pieces here:
- A digital certificate is a mechanism for establishing trust. It's a collection of formatted data that provides context and detail about something. Yeah, I know. That sounds incredibly vague.
- A certificate has fields (attributes) which describe an entity and the data within the certificate. If it helps, you can think of this as being similar to a driver's license:
  - Instead of human names, the certificate could have "common name" and "distinguished name" attributes which identify server resources.
  - Instead of a license expiration date, the certificate can have a validity period.
  - Instead of a license being issued by a state or government public authority, digital certificates can be produced and certified by "certificate authorities".
  - Instead of vehicle classes and categories, certificates can have attribute values for "Extended Key Usage" which explain the intended use of the certificate.
Hopefully that analogy resonates. Even though driver's licenses and digital certificates are completely different things in real life, their underlying intent is the same: they are mechanisms for establishing and verifying trust.
(*cue cheesy infomercial tagline: "but wait, there's more!")
In addition to verifying identity, certificates often contain/transport important cryptographic keys used for encryption and data security.
Encryption is great... when used for legitimate purposes. It can also be risky though because it could be used to hide otherwise malicious and dangerous content. So, what can we do about this?
SSL Certificate Inspection Mode
FortiGates have two different inspection modes that help enforce security on encrypted network traffic. The first approach/mode is called "Certificate Inspection".
I like analogies so let's consider another one here: think of certificate inspection like handing an envelope to a postal worker and asking them to mail it to a research station in Antarctica. Even without knowing the precise contents of the letter, the postal worker will still have quite a bit of insight including source, destination, urgency, relative volume/dimensions of content, and suspected nature of communication (if it's going to Antarctica it's probably not a local utility bill payment 😄).
Certificate inspection involves FortiGates extracting the fully qualified domain name of the destination from a couple of places:
- The Server Name Indication (SNI) extension (if present) in the ClientHello at the beginning of a TLS connection.
- The Subject or Subject Alternative Name (SAN) fields of the server certificate itself (which is exchanged in the early part of the handshake).
Once it has one (or both) of these data points, that's enough for the firewall to have a broad idea of the nature of a transaction. Based on the address and connection-level data, the firewall can perform web filtering or application control. Again though, to be clear: this technique does not actually decrypt any of the low-level data. It's just making a security judgement call based on what it can see in the clear.
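To make the mechanism concrete, here is an added example (not code from the article or from Fortinet) that pulls the SNI hostname out of a raw TLS ClientHello record and makes a certificate-inspection-style allow/block decision from that name alone, without decrypting anything. The ClientHello is constructed inline as sample input, and the blocked-suffix table with its category name is a hypothetical stand-in for a web-filter category list.

```python
import struct

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, else None."""
    if len(record) < 5 or record[0] != 0x16:   # record type 0x16 = handshake
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:              # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                          # handshake hdr, version, random
    pos += 1 + hs[pos]                        # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                        # compression methods
    if pos + 2 > len(hs):
        return None                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:   # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def build_client_hello(hostname):
    # Constructed sample input: a minimal ClientHello carrying one SNI entry.
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32        # version + (zeroed) random
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Hypothetical stand-in for a web-filter category list (constructed values).
BLOCKED_SUFFIXES = {"evil.example": "Malicious Websites"}

def certificate_inspection_verdict(record):
    """Decide allow/block from the hostname alone, never touching the payload."""
    host = extract_sni(record)
    if host is None:
        # No SNI: a firewall would fall back to the certificate's CN/SAN
        # (note that TLS 1.3 encrypts the server certificate, so SNI matters).
        return "no-sni"
    for suffix, category in BLOCKED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return "block:" + category
    return "allow"
```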
Full SSL Inspection Mode
Up until this point, the actual encrypted content wasn't exposed to the firewall. But what if we DO want to go deeper? For that, FortiGate has another inspection mode called "Full SSL Inspection". In order to do this, the firewall establishes and maintains two encrypted sessions (one between the source client and the firewall... and another between the firewall and the remote destination). This separation of sessions allows the FortiGate to impersonate each side of the conversation to the opposite party, and in so doing, fully decrypt and re-encrypt the data with its own keys. Cool huh.
Continuing our analogy, this approach is similar to a postal worker completely opening the letter they receive... reading the full contents inside the letter... considering whether it's safe to deliver... and then placing the contents in an entirely new envelope/package before mailing it off again.
This level of visibility gives the firewall much more flexibility, granularity, and protection. Deep inspection can be combined with multiple other security profiles in FortiGate including AntiVirus, web filter, application control, or IPS.
Exceptions and caveats
So at first glance, it would seem like the best choice is always "Full SSL Inspection" mode, right? I mean, why wouldn't someone want their firewall to have maximum visibility? Well, as always, it depends 😄. There can be some sticky issues to be mindful of:
- Law and privacy alignment - In some countries, inspecting certain types of traffic (e.g. banking, healthcare, etc.) is prohibited.
- Technical blockers and conflicts - Since Full SSL Inspection mode is effectively impersonating a remote server/resource, some software clients (and protocols) can be understandably paranoid. Industry techniques like certificate pinning and HSTS can intervene to protect users if something is suddenly claiming to be a remote resource (check the links below for more details on these concepts).
Conclusions
This article barely scratches the surface of deep packet inspection and encrypted session handling. Hopefully though, it helped to introduce the concept. If you're curious, check out the following resources for additional info...