Redirection and cipher suite override based on SSL/TLS configuration now available


SSL/TLS has been under siege of late, with a massive bombardment of attacks. Since 2009, at least two serious vulnerabilities have been discovered in SSL/TLS each year. We have seen side-channel attacks, downgrade attacks, protocol and implementation vulnerabilities and, in the process, added Heartbleed, CRIME, BREACH, POODLE and Lucky 13 to our daily vocabulary.

Starting with CVE-2009-3555 (the SSL/TLS renegotiation vulnerability), each discovery has changed the idea of which protocol and cipher suite combinations are still considered secure. The situation changes quite rapidly: in the case of the BEAST attack, the mitigation was to use RC4 cipher suites, yet it was soon shown that RC4 itself is flawed.

In light of these issues, we have enhanced the Barracuda WAF with two additional features that provide additional control to system administrators. The first feature is redirection to specific error pages when disabled SSL/TLS protocols or cipher suites are in use. The second allows the administrator to define cipher suite overrides for each version of the SSL/TLS protocol.

Protocol Based Redirection

Previously, when a client initiated a connection with an unsupported protocol or cipher suite, the BWAF terminated the connection during the initial negotiation itself. The resulting error page was a generic "connection failed" error, so debugging the issue meant additional work: running through the logs or reproducing the problem with the client. With the new feature, the BWAF verifies the protocol and cipher suites during the initial handshake; if the client is using older or unsupported protocols and ciphers, the BWAF terminates the connection and redirects the client to a custom error page. The custom error page can be configured to show the exact reason for the connection termination, which makes troubleshooting easier.

Configuration of this feature is quite simple. The configuration is performed from the URL Allow/Deny rules in the Website tab. Select the service that you would like to modify, and click on “Add”. Under the “Create ACL” popup, select “Extended Match” and select the “SSL Version” Element Type. Here you have multiple combinations of operations and values to choose from.

The administrator can create custom error pages under “Libraries -> Response Pages” and use them to customize the error message seen by the client.

Note that the configuration above applies to the specific service only. The same rules can also be configured globally via "Security Policies -> Global ACLs"; when configured there, the rules apply to all the services configured on the box.

For the redirection to work, the protocol being redirected should be enabled on the WAF. For instance, if SSLv3 should be redirected, it would need to be enabled on the WAF and the Allow/Deny rule configured. If the protocol is not enabled, the connection will simply terminate and no redirection will occur.

The following is a sample redirect page. The browser is configured to use only SSLv3, and the Barracuda WAF is configured to block and redirect any SSLv3 connections:

Protocol Specific Cipher Suite Overrides

In earlier releases, the cipher suite override list on the Barracuda Web Application Firewall was a single global list: the configured overrides applied to every protocol that was enabled. For situations where specific protocol/cipher suite combinations have to be used, the Barracuda WAF now allows cipher suite overrides to be configured per protocol version. You can now configure a separate cipher suite override for each of the protocols.

To configure this, navigate to "Basic -> Services" and edit the service that is to be modified. On the edit service popup, navigate to "SSL" and select "Show Advanced Settings". The first override cipher configuration is global: it applies to every protocol that is enabled on the Barracuda WAF. Below it are override cipher configurations for SSLv3, TLS1.0 and TLS1.1. When a protocol-specific cipher override is configured, only the ciphers selected for that protocol will be used; the global override then applies to TLS1.2 and to any protocol for which no specific ciphers are chosen.

Screenshot of "Basic -> Services -> SSL -> Show Advanced Settings", showing the global cipher override list. When protocol-specific overrides are configured, this list of cipher suites will be used for TLS1.2.

Screenshot showing the protocol-specific cipher suite override configuration screen:


A sample of the error seen when the cipher is not supported on Firefox is shown below:

To learn more about the selection of protocol/cipher combinations, NIST has published a guideline for TLS implementations. In addition, the Mozilla Foundation has a wiki that provides recommended configurations for server side security. Since the discovery of the POODLE attack, it is recommended to disable SSLv3 and use TLS (preferably TLS1.1 and above). RC4 should be disallowed completely. SHA256 signatures are preferred, with MD5 ideally being disabled.
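The following is an added example and not Barracuda's code: it models how the WAF described above resolves the effective cipher list for each protocol (a protocol-specific override wins; the global override covers TLS1.2 and any protocol without its own list) and lints a configuration against the advice in this post, including the rule that a redirect for a protocol that is not enabled never fires. The cipher names are OpenSSL-style strings and the dictionary layout is an assumption, not the appliance's data model.

```python
# Added example, not Barracuda's code. Models the per-protocol cipher
# override resolution described in the post and lints the result.
# Cipher names are OpenSSL-style strings; the dict layout is an assumption.

GLOBAL = "global"  # hypothetical key for the global override list
PROTOCOLS_WITH_OWN_OVERRIDE = ("SSLv3", "TLS1.0", "TLS1.1")


def effective_ciphers(enabled_protocols, overrides):
    """Return {protocol: [cipher, ...]} for each enabled protocol.

    A protocol-specific override wins; otherwise the global list applies.
    TLS1.2 has no specific override slot, so it always uses the global list.
    """
    effective = {}
    for proto in enabled_protocols:
        specific = overrides.get(proto) if proto in PROTOCOLS_WITH_OWN_OVERRIDE else None
        effective[proto] = list(specific or overrides.get(GLOBAL, []))
    return effective


def lint_config(enabled_protocols, overrides, redirect_protocols):
    """Flag weak choices and redirect rules that can never fire."""
    findings = []
    if "SSLv3" in enabled_protocols:
        findings.append("SSLv3 enabled: keep it only if needed to serve the redirect page")
    for proto, ciphers in effective_ciphers(enabled_protocols, overrides).items():
        for suite in ciphers:
            if "RC4" in suite:
                findings.append(f"{proto}: RC4 suite {suite} should be removed")
            if "MD5" in suite:
                findings.append(f"{proto}: MD5-based suite {suite} should be removed")
    for proto in redirect_protocols:
        if proto not in enabled_protocols:
            findings.append(f"redirect rule for {proto} never fires: protocol is not enabled")
    return findings


# Constructed sample configuration (not taken from a real appliance)
ENABLED = ["TLS1.0", "TLS1.1", "TLS1.2"]
OVERRIDES = {
    GLOBAL: ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "TLS1.0": ["AES128-SHA", "RC4-SHA"],
}
REDIRECTS = ["SSLv3"]  # Allow/Deny rule with "SSL Version" element = SSLv3

if __name__ == "__main__":
    for proto, suites in effective_ciphers(ENABLED, OVERRIDES).items():
        print(proto, suites)
    for finding in lint_config(ENABLED, OVERRIDES, REDIRECTS):
        print("WARN", finding)
```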

Simplifying Security Management

As with all Barracuda products, our design philosophy is to simplify IT for our customers. With the Barracuda Web Application Firewall, organizations can easily and granularly control the level of security and encryption without cumbersome changes to their applications. Equally importantly, the flexibility and granular control provided by the Barracuda Web Application Firewall allow organizations to adapt their security posture to the latest targeted and automated threats.

Learn how the Barracuda Web Application Firewall can help secure your applications by visiting the Barracuda Web Application Firewall page.
