Blocking HTTPS websites with Application Firewall using Certificate Serial Number

03/29/2021 19 17011

DESCRIPTION:

Application firewall scans application layer network traffic as it passes through the gateway and looks for content that matches configured keywords. When it finds a match, it performs the configured action. It can match text or binary content. When you configure application firewall, you create policies that define the type of applications to scan, the direction, the content or keywords to match. You could also optionally define the user or domain to match, and the action to perform.

SSL (Secure Sockets Layer) is the dominant standard for the encryption of TCP based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications.

An effect of the security provided by SSL is the obscuration of all payload being requested by a client when establishing an HTTPS session. This is due to the fact that HTTP is transported within the encrypted SSL
tunnel when using HTTPS. It is not until the SSL session is established (step 10 in the screenshot below) that the aactual target resource is requested by the client, but since the SSL session is already established, no inspection of the session data by the firewall or any other intermediate device is possible. The following screenshot shows the SSL session establishment.

In the above messages, we are going to concentrate on the SeverKeyExchange message. ServerKeyExchange messages contain the public key information. Since ServerKeyExchange messages are transmitted without encryption, the public key information is visible to the SonicWall.  Within the ServerKeyExchange packet is the Serial Number. The Serial Number is a value assigned by the Certificate Authority (CA) to an individual certificate and is unique for every certificate.

This article illustrates the method to find out the Serial Number of HTTPS websites and creating Application Firewall policies to block the Serial Number.

RESOLUTION:

Obtaining the Certificate Serial Number-1

• Open a web browser and go to a HTTPS enabled website (in this example: https://mail.google.com).
• Do a packet capture. The screenshot below shows the Serial Number of https://mail.google.com.
• Copy the hex value of the Serial Number. The hex value is the same as the Serial Number without the "0x"

Obtaining the Certificate Serial Number-2

The Certificate serial number can also obtained by clicking on the padlock icon at the bottom of a browser when a HTTPS session has been established.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

• Login to the SonicWall Management GUI.
• Navigate to Object | Match Objects page.
• Click Add.
• You can add serial numbers of additional HTTPS websites. Listed here are the Serial Numbers of some HTTPS websites. 
  
  465889f9000300001d38 - Embedded chat in gmail.com
  0a82ef83e4cc4036aef3677a29f5ebc0 - https://Facebook.com
  
  
• Enter the serial number in the content box and click on Add.
• Click on Save.
   
  
  

• Navigate to the Policies| Click on App Rules.
• Click on Add New Policy to create a new policy as per the screenshot.
• Click on OK .
  
  
  
  

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

• Navigate to Manage | Objects | Match Objects page.
• Click on Add.
• You can add serial numbers of additional HTTPS websites. Listed here are the Serial Numbers of some HTTPS websites. 
  
  465889f9000300001d38 - Embedded chat in gmail.com
  0a82ef83e4cc4036aef3677a29f5ebc0 - https://Facebook.com
  
  
• Enter the serial number in the content box and click on Add.
• Click on OK.
  
  
  
• Navigate to the Manage| Rules|App Rules.
• Click on Add  to create a new policy as per the screenshot.
• Click on OK .
  
  

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Configuration in  Application Firewall

• Login to the SonicWall Management GUI
• Navigate to the Application Firewall | Application Objects page.
• Click on Add New Object to create a new object as per the following screenshot.
• You can add serial numbers of additional HTTPS websites. Listed here are the Serial Numbers of some HTTPS websites. 
  • 465889f9000300001d38 - Embedded chat in gmail.com
  • 0a82ef83e4cc4036aef3677a29f5ebc0 - https://Facebook.com

• Navigate to the Policies page.
• Click on Add New Policy to create a new policy as per the screenshot.
• Make sure the new policy is enabled and Enable Application Firewall is checked at the beginning of the page.