Blocking HTTPS websites with Application Firewall using Certificate Serial Number

03/26/2020 19 14573

DESCRIPTION:

Application firewall scans application layer network traffic as it passes through the gateway and looks for content that matches configured keywords. When it finds a match, it performs the configured action. It can match text or binary content. When you configure application firewall, you create policies that define the type of applications to scan, the direction, the content or keywords to match. You could also optionally define the user or domain to match, and the action to perform.

SSL (Secure Sockets Layer) is the dominant standard for the encryption of TCP based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications.

An effect of the security provided by SSL is the obscuration of all payload being requested by a client when establishing an HTTPS session. This is due to the fact that HTTP is transported within the encrypted SSL
tunnel when using HTTPS. It is not until the SSL session is established (step 10 in the screenshot below) that the actual target resource is requested by the client, but since the SSL session is already established, no inspection of the session data by the firewall or any other intermediate device is possible. The following screenshot shows the SSL session establishment.

In the above messages, we are going to concentrate on the SeverKeyExchange message. ServerKeyExchange messages contain the public key information. Since ServerKeyExchange messages are transmitted without encryption, the public key information is visible to the SonicWall.  Within the ServerKeyExchange packet is the Serial Number. The Serial Number is a value assigned by the Certificate Authority (CA) to an individual certificate and is unique for every certificate.

This article illustrates the method to find out the Serial Number of HTTPS websites and creating Application Firewall policies to block the Serial Number.

RESOLUTION:

Obtaining the Certificate Serial Number-1

• Open a web browser and go to a HTTPS enabled website (in this example: https://mail.google.com).
• Do a packet capture. The screenshot below shows the Serial Number of https://mail.google.com.
• Copy the hex value of the Serial Number. The hex value is the same as the Serial Number without the "0x"

Obtaining the Certificate Serial Number-2

The Certifcate serial number can also obtained by clicking on the padlock icon at the bottom of a browser when a HTTPS session has been established.

Configuration in  Application Firewall

• Login to the SonicWall Management GUI
• Navigate to the Application Firewall | Application Objects page.
• Click on Add New Object to create a new object as per the following screenshot.
• You can add serial numbers of additional HTTPS websites. Listed here are the Serial Numbers of some HTTPS websites. 
  • 465889f9000300001d38 - Embedded chat in gmail.com
  • 0a82ef83e4cc4036aef3677a29f5ebc0 - https://facebook.com

• Navigate to the Policies page.
• Click on Add New Policy to create a new policy as per the screenshot.
• Make sure the new policy is enabled and Enable Application Firewall is checked at the beginning of the page.