TL;DR
Modern firewalls can decrypt SSL/TLS packets for inspection, but it’s not automatic and requires configuration. It involves using a feature called SSL inspection or deep packet inspection (DPI). There are security and privacy implications to consider.
Understanding the Problem
SSL/TLS encrypts data between your computer and websites, protecting sensitive information like passwords and credit card details. Firewalls traditionally block or allow traffic based on ports and IP addresses, without looking inside encrypted packets. To inspect this traffic for threats, firewalls need to decrypt it.
How Firewalls Decrypt SSL
- SSL Inspection/DPI: This is the core feature. The firewall acts as a ‘man-in-the-middle’.
- Certificate Generation: The firewall creates its own certificate, which it presents to your computer instead of the website’s real certificate.
- Trusting the Firewall Certificate: Your computer needs to trust the firewall’s certificate for decryption to work. This usually means installing the firewall’s root certificate into your browser or operating system’s trusted store. This is a critical security consideration (see ‘Risks’ below).
- Traffic Interception: When you connect to an HTTPS website, the firewall intercepts the connection.
- Decryption & Inspection: The firewall decrypts the traffic, inspects it for malware or other threats, and then re-encrypts it on a separate TLS session to the website (the one negotiated with the website’s real certificate) before sending it on.
Configuring SSL Inspection (Example – Fortinet Firewall)
The exact steps vary depending on your firewall vendor. Here’s a simplified example for a Fortinet firewall:
- Create a Certificate: In the FortiGate GUI, go to System > Certificates and create a new self-signed certificate.
- Enable SSL Inspection: Go to Security Profiles > SSL Inspection and enable it. Configure settings like accepted cipher suites and categories of traffic to inspect.
- Create an SSL Forward Proxy Policy: This policy defines which traffic will be inspected. You’ll specify source/destination IPs, ports (usually 443 for HTTPS), and the SSL inspection profile you created.
- Install Firewall Certificate: Distribute the firewall’s certificate to client devices (browsers, operating systems). This is often done via Group Policy or a similar mechanism.
Note: This is a very basic overview. Consult your firewall documentation for detailed instructions.
Checking if SSL Inspection Works
- Browser Certificate Warning: If the firewall’s certificate is not trusted by the client, you will see a warning in your browser about an untrusted certificate (the firewall’s certificate). When inspection is working correctly there is no warning, but the certificate details in the browser show the firewall’s CA as the issuer instead of the website’s public CA.
- Firewall Logs: Check the firewall logs for events related to SSL inspection. Look for errors or warnings.
- Packet Capture: Use a packet capture tool like Wireshark to examine traffic. If decryption is working and you capture at the point where the firewall handles the decrypted stream, you should see unencrypted data within the HTTPS stream; a capture taken on a client still shows TLS, but with the firewall’s certificate in the handshake (be careful handling sensitive information in packet captures!).
tcpdump -i eth0 port 443
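A small added check, not part of the original page, that automates the browser-certificate test above: it performs a TLS handshake with verification left on and reports whether the leaf certificate was issued by the firewall’s inspection CA (inspection active), by some other CA (traffic not intercepted on this path), or is untrusted (the browser-warning case). The issuer name INSPECTION_ISSUER_CN is a placeholder to replace with the CN of the certificate you created on the firewall; the sample certificate dictionaries are constructed to show the classification offline.

```python
import socket
import ssl

# Placeholder: the commonName of the self-signed certificate created on the
# firewall (System > Certificates in the example above). Replace with yours.
INSPECTION_ISSUER_CN = "EXAMPLE-FIREWALL-INSPECTION-CA"


def issuer_cn(peercert: dict) -> str:
    """Return the issuer commonName from an ssl.getpeercert() dictionary."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify(peercert: dict, inspection_cn: str = INSPECTION_ISSUER_CN) -> str:
    """'inspected' if the leaf was issued by the firewall CA, else 'direct'."""
    return "inspected" if issuer_cn(peercert) == inspection_cn else "direct"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with host:port (verification ON) and classify what we saw.

    Returns 'inspected', 'direct', or 'untrusted' when the presented chain
    does not validate, i.e. the firewall CA is not in this machine's store.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted"


# Constructed samples in the shape ssl.getpeercert() returns.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", INSPECTION_ISSUER_CN),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Public CA Inc"),), (("commonName", "Public CA R3"),)),
}

if __name__ == "__main__":
    print("sample inspected:", classify(SAMPLE_INSPECTED))  # inspected
    print("sample direct:   ", classify(SAMPLE_DIRECT))     # direct
    print("live example.com:", check_host("example.com"))
```

Run it from a client behind the firewall; a result of "direct" for a site that should be in an inspected category means the policy did not match that traffic.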
Risks
- Privacy Concerns: The firewall can see all your unencrypted traffic, raising privacy issues.
- Security Risks: If the firewall is compromised, attackers could intercept and modify your data.
- Performance Impact: Decryption is resource-intensive and can slow down network performance.
- Compatibility Issues: Some websites or applications may not work correctly with SSL inspection.
Alternatives
- Reputation-Based Filtering: Block traffic from known malicious sites instead of decrypting everything.
- TLS 1.3 Support: TLS 1.3 offers improved security features that make interception more difficult.