This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-26 07:06 AM

"HTTPS lite" - would you trust it?

Bit of a philosophical question. 

There are many ways to filter your internal traffic going out to internet, i.e.

  • IP based filtering
  • good old explicit proxy, with or without TSL interception
  • transparent proxy / gateway with TLS interception
  • or combination of both

All have pros and cons. IP based being least efficient. Explicit proxy often is a burden to automation or impossible to apply in certain instances, whereas transparent option with TLS interception is less "visible" to client itself but issues with certificates keep causing headaches plus interception is resource intensive and expensive.

One option to avoid these challenges would be using "HTTPS lite" or Categorization of HTTPS sites without HTTPS inspection. So clients don't need to specify a proxy nor there is a "man in the middle" messing with certificates.

But of course the downside is the information available in logs - you don't get full URLs, but service names worked out from TLS handshake as seen below. It does limit your ability to determine all risks associated with that connection.

image.png

 

Would you accept this as a"sufficient information" log in your organisation? As highlighted above, classification is not 100%. Is that OK? 🙂 

just wondering how you do it 🙂

 

6 Replies
PhoneBoy
Admin
Admin
‎2021-04-26 08:39 AM

Keep in mind we’re also using SNI information in current releases and we actually verify the SNI out-of-band.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-26 08:47 AM
In response to PhoneBoy

Yes indeed, I have taken that into account and that's also the reason to compare different options available. HTTPS lite would be "cheaper" and faster but with less logging and filtering options

0 Kudos
Marcel_Gramalla
Advisor
‎2021-04-26 11:33 AM

Hi,

first I have so tay that the categorization with SNI works very well on the Check Point gateways from my experience. But I also have to say that the depth of the logs wouldn't be enough for a detailed analysis when needed. For example in case of an security incident we might have to know the exact URLs that were used or see precise GET/POST messages.

Also the ability to block specific file types and scan for malware etc. would be a reason alone to not trust the categorization mode in the environments I know. But these are always scenarios with many clients involved and a high chance of a human click on the wrong URLs etc. 

But to be honest we are not super happy with the full HTTPS Inspection either with Check Point. The main reason is because of Content Awareness (very few default Data Types, problems with some file types and the bad experience with UserCheck (the UserCheck Client helps but it's not very user friendly in general) and the lack of TLS 1.3 ("supported" in R81 but a feature that isn't enabled in default always sounds like a beta feature and also only with User-Mode).

 

All experiences are based on R80.40.

Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-26 01:16 PM
In response to Marcel_Gramalla

Thanks @Marcel_Gramalla ! Exactly what I want to hear - real life stories 🙂

Yes indeed both pinned sites and TLS 1.3 will make life even more challenging and pushing more security to the endpoint itself. 

Indeed, logging detail is the biggest challenge in our PoC. But else it seems to work quite ok. With exception of Trusted CA list updates, that part seems a bit wobbly

0 Kudos
Marcel_Gramalla
Advisor
‎2021-04-26 01:26 PM
In response to Kaspars_Zibarts

Happy to share some opinions in the community. We are working with TAC on two cases with problems in Content Awareness - the last one was handled very fast and good (had some bad experiences in the past as well). In one server only environment we don't use Content or Identity Awareness and that makes life so much easier and was also very easy to deploy.

Regarding the Trusted CA issue in the other thread I have to say that I never experience any real world issues there. Have to check, if I can validate your findings. Maybe I will post some insight there tomorrow as well 🙂

Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-27 05:59 AM
In response to Marcel_Gramalla

These are the ones that I have added so far:

image.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events