Firewall decisions based on SNI field?

Vladimir_Ostrovsky · ‎12-19-2019

Hi all,

Does anybody know if FortiGate can be configured to do this?

[ul]

When a client opens a TCP connection to predefined port (typically, HTTPS), respond to the TCP handshake on behalf of a server.

Accept the "Client Hello" TLS message from the client,

Read the server's hostname specified in the SNI field of the "Client Hello".

Check the hostname against "destination" of the firewall policies - maybe by performing its own DNS resolution to see if the IP falls into allowed ranges, or maybe by textual comparison if the destination is set as some regexp object?

Make a Allow/Block decision based on the result?[/ul]

Today, when virtually any TLS client supports the SNI field, this would be very useful feature.

Thanks,

Vladimir.

boneyard · ‎12-20-2019

FortiGate should look at the SNI by default for webfiltering according to this article:

https://kb.fortinet.com/k....do?externalID=FD34661

your feature to use it in the ipv4 policy is sort of using a webfilter profile with fixed entries in my opinion. but to have it happen automatically is not something how the fortigate operates on layer 4.

the question to keep in mind is how long this be useful, SNI is close to getting encrypted, once that happens the feature becomes useless.

View solution in original post

Vladimir_Ostrovsky · ‎01-06-2020

romanr, emnoc - thank you, gentlemen. :)

I just ran a small proof-of-concept - defined a Static URL Filter that allows traffic to single site only, testsite.com, and blocks all others. Then associated it to firewall policy, which, on the contrary, allow traffic to ALL:

config webfilter urlfilter edit 1 set name Test_Static_URL_Filter config entries edit 1 set url testsite.com set action allow next edit 2 set url * set type wildcard set action block next end next end

config firewall policy edit 0 set name Clients_to_Static_URLs set srcintf Clients_zone set dstintf Internet_zone set srcaddr Clients set dstaddr all set action accept set schedule always set service ALL set utm-status enable set webfilter-profile Test_Static_URL_Filter set ssl-ssh-profile certificate-inspection next end

Verified that this works. Then redefined IP address of testsite.com on the client machine by adding into its hosts file:

11.22.33.44 testsite.com

As long as the client connects to 11.22.33.44 with SNI "testsite.com" (or no SNI at all), and this server responds with a certificate that has "testsite.com" in CN/SAN fields, the connection will succeed - because FortiGate doesn't check whether testsite.com indeed resolves to this IP.

So this can be used to circumvent FortiGate limitations. Let's say, I'm on the network whose admin allows access to particular categories of sites only, such as banking. If I have an OpenVPN server outside, which can present a certificate with a name of a bank, and if I can edit my hosts file, I can establish outgoing VPN connection from this network.

Regards,

Vladimir.

localhost · ‎01-09-2020

This is an interesting case

Could you give this a try?

Enable Full SSL inspection on the profile. Block untrusted certificates and exempt all web categories from SSL inspection.

Since your certificate is not signed by a trusted CA and should be blocked by the Fortigate.

I wonder if this blocks your bypass attempt and at the same time allows access to other sites and services without doing any deep ssl inspection.

config firewall ssl-ssh-profile

edit "test123"
        config ssl
            set inspect-all deep-inspection
            set untrusted-cert block
        end
        config https
        end
        config ftps
        end
        config imaps
        end
        config pop3s
        end
        config smtps
        end
        config ssh
            set ports 22
            set status disable
        end
        config ssl-exempt
            edit 1
                set fortiguard-category 7
            next
            edit 2
                set fortiguard-category 17
            next
            edit 3
                set fortiguard-category 9
            next
            edit 4
                set fortiguard-category 64
            next
            edit 5
                set fortiguard-category 2
            next
            edit 6
                set fortiguard-category 53
            next
            edit 7
                set fortiguard-category 29
            next
            edit 8
                set fortiguard-category 89
            next
            edit 9
                set fortiguard-category 18
            next
            edit 10
                set fortiguard-category 49
            next
            edit 11
                set fortiguard-category 92
            next
            edit 12
                set fortiguard-category 83
            next
            edit 13
                set fortiguard-category 77
            next
            edit 14
                set fortiguard-category 82
            next
            edit 15
                set fortiguard-category 15
            next
            edit 16
                set fortiguard-category 71
            next
            edit 17
                set fortiguard-category 5
            next
            edit 18
                set fortiguard-category 85
            next
            edit 19
                set fortiguard-category 1
            next
            edit 20
                set fortiguard-category 54
            next
            edit 21
                set fortiguard-category 88
            next
            edit 22
                set fortiguard-category 30
            next
            edit 23
                set fortiguard-category 28
            next
            edit 24
                set fortiguard-category 6
            next
            edit 25
                set fortiguard-category 12
            next
            edit 26
                set fortiguard-category 24
            next
            edit 27
                set fortiguard-category 31
            next
            edit 28
                set fortiguard-category 58
            next
            edit 29
                set fortiguard-category 19
            next
            edit 30
                set fortiguard-category 11
            next
            edit 31
                set fortiguard-category 20
            next
            edit 32
                set fortiguard-category 43
            next
            edit 33
                set fortiguard-category 40
            next
            edit 34
                set fortiguard-category 51
            next
            edit 35
                set fortiguard-category 3
            next
            edit 36
                set fortiguard-category 33
            next
            edit 37
                set fortiguard-category 4
            next
            edit 38
                set fortiguard-category 50
            next
            edit 39
                set fortiguard-category 52
            next
            edit 40
                set fortiguard-category 69
            next
            edit 41
                set fortiguard-category 75
            next
            edit 42
                set fortiguard-category 76
            next
            edit 43
                set fortiguard-category 34
            next
            edit 44
                set fortiguard-category 66
            next
            edit 45
                set fortiguard-category 26
            next
            edit 46
                set fortiguard-category 57
            next
            edit 47
                set fortiguard-category 55
            next
            edit 48
                set fortiguard-category 35
            next
            edit 49
                set fortiguard-category 90
            next
            edit 50
                set fortiguard-category 91
            next
            edit 51
                set fortiguard-category 36
            next
            edit 52
                set fortiguard-category 70
            next
            edit 53
                set fortiguard-category 13
            next
            edit 54
                set fortiguard-category 95
            next
            edit 55
                set fortiguard-category 8
            next
            edit 56
                set fortiguard-category 72
            next
            edit 57
                set fortiguard-category 87
            next
            edit 58
                set fortiguard-category 48
            next
            edit 59
                set fortiguard-category 80
            next
            edit 60
                set fortiguard-category 61
            next
            edit 61
                set fortiguard-category 62
            next
            edit 62
                set fortiguard-category 38
            next
            edit 63
                set fortiguard-category 14
            next
            edit 64
                set fortiguard-category 59
            next
            edit 65
                set fortiguard-category 78
            next
            edit 66
                set fortiguard-category 39
            next
            edit 67
                set fortiguard-category 93
            next
            edit 68
                set fortiguard-category 79
            next
            edit 69
                set fortiguard-category 41
            next
            edit 70
                set fortiguard-category 81
            next
            edit 71
                set fortiguard-category 63
            next
            edit 72
                set fortiguard-category 42
            next
            edit 73
                set fortiguard-category 37
            next
            edit 74
                set fortiguard-category 44
            next
            edit 75
                set fortiguard-category 86
            next
            edit 76
                set fortiguard-category 46
            next
            edit 77
                set fortiguard-category 67
            next
            edit 78
                set fortiguard-category 25
            next
            edit 79
                set fortiguard-category 65
            next
            edit 80
                set fortiguard-category 47
            next
            edit 81
                set fortiguard-category 16
            next
            edit 82
                set fortiguard-category 94
            next
            edit 83
                set fortiguard-category 68
            next
            edit 84
                set fortiguard-category 56
            next
            edit 85
                set fortiguard-category 84
            next
            edit 86
                set fortiguard-category 23
            next
        end
    next
end

emnoc · ‎01-09-2020

That might work if the cert is untrusted if that is the case.It would no help if a go out and build a cert for www.gmail.com from a trust CA tho.

Ken Felix

PCNSE

NSE

StrongSwan

Vladimir_Ostrovsky · ‎01-13-2020

localhost, thanks - the "set untrusted-cert block" command in fact can prevent a scenario like the one I described above, but only if deep inspection is enabled.

In fact, this command becomes available in CLI only in conjunction with "set inspect-all deep-inspection" (or "set status deep-inspection" under "config https").

emnoc, if you can get a Gmail cert from a trusted CA, then we have a problem much bigger than the one above. :)

emnoc · ‎01-13-2020

emnoc, if you can get a Gmail cert from a trusted CA, then we have a problem much bigger than the one above. :)

Google uses a CAA records for controlling & preventing that, but 99% of other HTTPs websites do not. So in reality, if I submit a CSR for www.paypal.com to a CA that signs it. Install it on my fake www.paypal.com and intercept your dns, I could send you to fake www.paypal.com and you would not be of any wiser.

Also keep in mind, MiTM inspections devices are doing this certificate forging, so in reality your have no clue if the site you accessing is the real [link=http://www.<inserthostnamehere>.com]www.<insert_host_namehere>.com[/link]

As long as the cert was issued by a trusted CA installed in your OS/WebBrowser, you would trust the the site. This is why the words "HTTPS and security" does not mean the site is really secured.

Just something to thing about. Please google "DNSpionage" to get an ideal of what and who has done this in the past. In a lot of these attempts and attacks, the site was intercept and traffic diverted from the real sites.

So unless you have a "EV" cert or you know the website real certificate by hash/fingerpint/sn# and compare that from the response of the webserver, you would have no clue if the site is really who they are.

btw: I did just this with a common airport internet provider back in the early 2000s, can't go into details and do not want to self incriminate { Statute of limitations} , but it was rather easy to post a fake site to collect a user login attempt ;). Again, the webclients (phone laptops _) in the airport trying to use the free internet, but gave me their username and password that I collected in a simple file. I did this as a PoC by standing up a fake WAP and a faked website page that was copied from the real captive portal site. . Granted today things are much better designed.

So next time you see one of these , be advise ;)

Ken Felix

PCNSE

NSE

StrongSwan