SSL Proxy
SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. Enabling SSL forward proxy gives better visibility into application usage.
SSL Proxy Overview
For the complete list of supported features and platforms, see SSL Proxy in Feature Explorer.
Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.
SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server.
- How Does SSL Proxy Work?
- SSL Proxy with Application Security Services
- Types of SSL Proxy
- Supported SSL Protocols
- Benefits of SSL Proxy
- Logical Systems Support
- Limitations
How Does SSL Proxy Work?
SSL proxy provides secure transmission of data between a client and a server through a combination of the following:
- Authentication—Server authentication guards against fraudulent transmissions by enabling a Web browser to validate the identity of a webserver.
- Confidentiality—SSL enforces confidentiality by encrypting data to prevent unauthorized users from eavesdropping on electronic communications, thus ensuring the privacy of communications.
- Integrity—Message integrity ensures that the contents of a communication are not tampered with.
An SRX Series Firewall acting as SSL proxy manages SSL connections between the client at one end and the server at the other end and performs the following actions:
- SSL session between client and SRX Series—Terminates an SSL connection from a client when the SSL session is initiated from the client to the server. The SRX Series Firewall decrypts the traffic, inspects it for attacks (in both directions), and initiates the connection to the server on the client's behalf.
- SSL session between server and SRX Series—Terminates an SSL connection from a server when the SSL session is initiated from the external server to the local server. The SRX Series Firewall receives clear text from the client, and encrypts and transmits the data as ciphertext to the SSL server. In the other direction, the SRX Series decrypts the traffic from the SSL server, inspects it for attacks, and sends the data to the client as clear text.
- Allows inspection of encrypted traffic.
SSL proxy ensures secure transmission of data with encryption technology. SSL relies on certificates and public-private key pairs to provide the secure communication. For more information, see SSL Certificates.
SSL proxy is enabled as an application service within a security policy. To establish and maintain an SSL session between the SRX Series Firewall and its client/server, the SRX Series Firewall applies the security policy to the traffic it receives; when the traffic matches the policy criteria, the SSL proxy service is applied to it.
SSL Proxy with Application Security Services
Figure 1 shows how SSL proxy works on an encrypted payload.
When Advanced Security services such as application firewall (AppFW), Intrusion Detection and Prevention (IDP), application tracking (AppTrack), Content Security, and ATP Cloud are configured, the SSL proxy acts as an SSL server by terminating the SSL session from the client and establishing a new SSL session to the server. The SRX Series Firewall decrypts and then re-encrypts all SSL proxy traffic.
IDP, AppFW, AppTracking, advanced policy-based routing (APBR), Content Security, ATP Cloud, and ICAP service redirect can use the decrypted content from SSL proxy. If none of these services are configured, then SSL proxy services are bypassed even if an SSL proxy profile is attached to a firewall policy.
Types of SSL Proxy
SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. The SRX acts as the server from the client's perspective and as the client from the server's perspective. On SRX Series Firewalls, client protection (forward proxy) and server protection (reverse proxy) are supported using the same ecosystem: SSL-T (the SSL terminator on the client side) and SSL-I (the SSL initiator on the server side).
SRX Series Firewalls support the following types of SSL proxy:
- Client-protection SSL proxy, also known as forward proxy—The SRX Series Firewall resides between the internal client and the outside server. It proxies outbound sessions, that is, locally initiated SSL sessions to the Internet, and decrypts and inspects traffic from internal users to the web.
- Server-protection SSL proxy, also known as reverse proxy—The SRX Series Firewall resides between the internal server and the outside client. It proxies inbound sessions, that is, externally initiated SSL sessions from the Internet to the local server.
For more information on SSL forward proxy and reverse proxy, see Configuring SSL Proxy.
Supported SSL Protocols
The following SSL protocols are supported on SRX Series Firewalls for the SSL initiation and termination service:
- TLS version 1.0—Provides authentication and secure communications between communicating applications.
- TLS version 1.1—This enhanced version of TLS provides protection against cipher block chaining (CBC) attacks.
- TLS version 1.2—This enhanced version of TLS provides improved flexibility for negotiation of cryptographic algorithms.
- TLS version 1.3—This enhanced version of TLS provides improved security and better performance.
Starting with Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, TLS version 1.1 and TLS version 1.2 protocols are supported on SRX Series Firewalls along with TLS version 1.0.
Starting with Junos OS Release 15.1X49-D20 and Junos OS Release 17.3R1, the SSL protocol 3.0 (SSLv3) support is deprecated.
Starting in Junos OS Release 21.2R1, on SRX Series Firewalls, SSL proxy supports TLS version 1.3.
When you use TLS 1.3, the SRX Series Firewall supports the secp256r1 group for key exchange when establishing the connection with the server. If the server supports only secp384r1, the connection is terminated.
Starting in Junos OS Release 24.2R1, SRX Series Firewalls support SNI in the SSL initiation (SSL-I) process. Server Name Indication (SNI) is an extension of the SSL/TLS header that carries the destination server's hostname in clear text during the HTTPS "Client Hello" exchange, before the SSL handshake is complete.
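The two points above both concern fields that are visible in clear text in the ClientHello: the SNI hostname and the supported_groups list that decides whether a TLS 1.3 key exchange can succeed. The following added example (not code from this page or from Juniper) builds a minimal ClientHello record in memory, parses those fields back out, and shows the group-negotiation check that fails when a proxy offering only secp256r1 meets a server that accepts only secp384r1. Hostnames, the cipher suite and the group lists are constructed sample values.

```python
"""Parse the clear-text fields of a TLS ClientHello: SNI and supported_groups.

Added example, not Juniper code. The ClientHello is constructed in this file
for offline use; no real traffic is captured.
"""
import struct

# IANA supported_groups identifiers (subset used here).
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001D: "x25519"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname, groups, versions=(0x0304,)):
    """Build a TLS record carrying a minimal ClientHello (constructed test input)."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list

    group_bytes = b"".join(struct.pack("!H", g) for g in groups)
    group_list = struct.pack("!H", len(group_bytes)) + group_bytes
    ext_groups = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(group_list)) + group_list

    ver_bytes = b"".join(struct.pack("!H", v) for v in versions)
    ver_list = struct.pack("!B", len(ver_bytes)) + ver_bytes
    ext_versions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_list)) + ver_list

    extensions = ext_sni + ext_groups + ext_versions
    body = (
        b"\x03\x03"                                   # legacy_version = TLS 1.2
        + bytes(32)                                   # client random (zeros; constructed)
        + b"\x00"                                     # empty legacy session id
        + struct.pack("!H", 2) + b"\x13\x01"          # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_client_hello(record):
    """Return {'sni', 'groups', 'versions'} from a ClientHello record; raise on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # legacy session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                               # compression methods
    result = {"sni": None, "groups": [], "versions": []}
    if pos + 2 > len(body):
        return result                                  # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SERVER_NAME:
            p = 2                                      # skip server_name_list length
            while p + 3 <= len(data):
                name_type, n = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0 and result["sni"] is None:
                    result["sni"] = data[p:p + n].decode("ascii", "replace")
                p += n
        elif ext_type == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            result["groups"] = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            result["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return result


def common_group(client_groups, server_groups):
    """First client-offered group the server also accepts, or None (handshake fails)."""
    for g in client_groups:
        if g in server_groups:
            return g
    return None


if __name__ == "__main__":
    # Constructed: what an SSL-I ClientHello offering only secp256r1 looks like.
    hello = build_client_hello("internal.example.com", [0x0017])
    fields = parse_client_hello(hello)
    print("SNI (clear text):", fields["sni"])
    print("offered groups:", [GROUP_NAMES.get(g, hex(g)) for g in fields["groups"]])
    for server_groups in ([0x0018], [0x0018, 0x0017]):
        g = common_group(fields["groups"], server_groups)
        print("server accepts", [GROUP_NAMES[s] for s in server_groups], "->",
              "fail" if g is None else GROUP_NAMES[g])
```

Run the file to see the SNI recovered from the record and the two negotiation outcomes; the first server list (secp384r1 only) yields no common group, which is the condition under which the proxy-to-server connection is terminated.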
Benefits of SSL Proxy
- Decrypts SSL traffic to obtain granular application information and enable you to apply advanced security services protection and detect threats.
- Enforces the use of strong protocols and ciphers by the client and the server.
- Provides visibility and protection against threats embedded in SSL encrypted traffic.
- Controls what needs to be decrypted by using Selective SSL Proxy.
Logical Systems Support
It is possible to enable SSL proxy on firewall policies that are configured using logical systems; however, note the following limitations:
The “services” category is currently not supported in logical systems configuration. Because SSL proxy is under “services,” you cannot configure SSL proxy profiles on a per-logical-system basis.
Because proxy profiles configured at a global level (within “services ssl proxy”) are visible across logical system configurations, it is possible to configure proxy profiles at a global level and then attach them to the firewall policies of one or more logical systems.
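As an added example (not configuration from this page or from Juniper's documentation), the following set-format fragment shows the arrangement described above: an SSL forward-proxy profile defined once at the global [edit services ssl proxy] level and attached, as an application service, to a security policy inside a logical system. The profile, CA, logical-system, zone and policy names are assumed placeholders, and the local certificate ssl-inspect-ca is assumed to have been generated already.

```junos
# Added example; names are placeholders, not values from this page.
# Global profile (not per logical system): the root CA the proxy uses to
# re-sign server certificates for clients, and the trust store SSL-I uses
# to validate the real server's certificate.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all
set services ssl proxy profile ssl-inspect-profile preferred-ciphers strong

# Logical system LS-A attaches the global profile to its own policy.
# The session is only decrypted if a consuming service (IDP, AppFW, ...)
# is also enabled on it; otherwise SSL proxy bypasses the session.
set logical-systems LS-A security policies from-zone trust to-zone untrust policy allow-web match source-address any
set logical-systems LS-A security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set logical-systems LS-A security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set logical-systems LS-A security policies from-zone trust to-zone untrust policy allow-web then permit application-services ssl-proxy profile-name ssl-inspect-profile
set logical-systems LS-A security policies from-zone trust to-zone untrust policy allow-web then log session-init
```

A second logical system can reference the same ssl-inspect-profile in its own policies, since the profile lives at the global level; what cannot be done is defining a different profile under the logical system itself.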
Limitations
On all SRX Series Firewalls, the current SSL proxy implementation has the following connectivity limitations:
- The SSLv3.0 protocol support is deprecated.
- The SSLv2 protocol is not supported. SSL sessions using SSLv2 are dropped.
- Only X.509v3 certificates are supported.
- Client authentication during the SSL handshake is not supported.
- SSL sessions where client certificate authentication is mandatory are dropped.
- SSL sessions where renegotiation is requested are dropped.
- On SRX Series Firewalls, for a particular session, the SSL proxy is only enabled if a relevant feature related to SSL traffic is also enabled. Features that are related to SSL traffic are IDP, application identification, application firewall, application tracking, advanced policy-based routing, Content Security, ATP Cloud, and ICAP redirect service. If none of these features are active on a session, the SSL proxy bypasses the session and logs are not generated in this scenario.
- SRX Series Firewalls operating in Multinode High Availability setup do not support the SSL proxy functionality.