Which DPI-SSL migration process is best for my environment?

03/26/2020 57 11515

DESCRIPTION:

The 2018 Threat Report details the advanced threats that evade traditional security mechanisms that are not using DPI-SSL. Please review this short video for the DPI-SSL use cases.

DPI-SSL is a very powerful service offered by SonicWall to provide Deep Packet Inspection (DPI) on Secure Socket Layer (SSL) traffic.  This article is going to provide strategies for deploying DPI-SSL.  These are generic solutions to be used.  If a more specific and complex configuration is required please reach out to the SonicWall Partner Enabled Services (PES) team for guidance.

CAUSE:

Enabling DPI-SSL service on the SonicWall without preparing the environment is going to result in catastrophic failure within the organization.  There are several phases of preparing the environment to deploy DPI-SSL.  These phases include:

1. Determining the Zones that DPI-SSL should be used.
2. Understanding exceptions for clients, users, or services within the Zones that should be excluded from DPI-SSL.
3. Creating Certificates required for the DPI-SSL process.
4. Deploying the Root Certificate Authority (CA) certificate to all clients participating in DPI-SSL process.
5. Creating a Common Name (CN) exclusion list for public sights that are not compatible with the DPI-SSL Process.
6. Create a rollout plan with rollback capabilities.

Not enabling DPI-SSL will create a major security vulnerability within the infrastructure.  Please review the 2018 Threat Report from the above link.

RESOLUTION:

All partners who are in the PES program have access to specialized tools and processes that solve the root causes of deploying DPI-SSL.  This is a specialized service within the SonicWall platform and the PES program partners can use their experience and tools to greatly reduce the time of the overall project and the success of the deployment.  The following methods are only some of the options available in deploying DPI-SSL, and are mainly focused in providing general guidelines.

There are many types of implementation (or deployment) options, but cutover and phased are the most common.  Both have their benefits and drawbacks.  When deciding on the type of deployment one should consider several topics:

• Number of clients
• Operating System
• Applications and services
• Time on project
• Level of acceptable user interruption
• Number of unique devices that need to be excepted like:
  • Printers
  • HVAC systems
  • Security systems
  • HR systems like hand scanners, badge readers, etc.
  • IP clocks

The cutover strategy is designed for less complex environments that have a low number of clients.  The general recommendation is less than 50 clients would be acceptable for a cutover migration.  The cutover migration should not take longer than 40 hours to deploy.  Often in the smaller environments.  The number of applications and services that are affected by DPI-SSL is significantly reduced due to the number of users.  The level of acceptable user interruption is going to be higher in the cutover strategy.  Establishing user interruption thresholds is important for this deployment style.  The number of unique devices will also be significantly less in these environments.

The phased migration would be used in mostly in environments larger than 50 clients.  The phased migrations approach consumes more time deploying, but lowers the total risk of impact on the client.  The total length of a phased migration should vary from 80-120 hours.  The environments will need a prior assessment or documentation to determine number of applications/services and unique devices in the infrastructure.  The number of unique devices is going to be significantly higher in these environments.  Testing is going to be paramount in this procedure.

Cutover Migration Process

1. Hardware capacity discovery
   1. Ensure the total number of clients and sessions are supported by the model of SonicWall in the customer environment.  In today's Internet a reasonable expectation per user could vary between 20 and 60 sessions. Gathering the data from either Local Analyzer, Analyzer, GMS, or Cloud GMS is going to be crucial in sizing to the SonicWall to meet the demands of the environment.
   2. SonicWall DPI-SSL Connection Limits
2. Certificate Creation Methods
   
   1. PES Partners have access to tools that create the Public Key Infrastructure  (PKI) and provision the certificates needed for this deployment in a secure environment.
   2. Certificate Authority server on premise.  This could be Unix, Linux or Windows based.
      1. Windows Server KB
   3. Use third party tools to create a PKI like OpenSSL.
      1. OpenSSL KB
3. Discovery Phase
   
   1. Determine the applications and services that will not be supported by DPI-SSL
      
      1. PES Partners have a comprehensive list that can be deployed that are going to include the vast number of the sites that are incompatible with DPI-SSL process.  This list is only given the PES Partners who have completed advanced DPI-SSL training.
   2. Be aware that modification of the certificate used in DPI-SSL constitutes a reboot.
   3. Schedule for the downtime, and determine acceptable service interruption levels.
   4. Determine the method used for clients to enroll devices. Some options:
      1. Capture Client
         1. Capture Client Deployment KB
      2. PES Partner
         1. PES Partners have access to tools that will automate the process and install the certificates in both the local certificate store as well as Firefox.
      3. Manual Certificate enrollment
         1. Windows Certificate Store
            1. Manual Certificate Enrollment Windows KB
         2. Firefox has a separate certificate
            1. Manual Certificate Enrollment Firefox KB
      4. Active Directory GPO
         1. AD GPO Certificate Push KB
         2. Note: Firefox does not use local certificate store so all workstations with Firefox will have to manually added, see 3.4.3.2.
   5. Notify end users of the configuration and deployment of the DPI-SSL service.  Ensure the date and time for configuration is in this email.
      
      1. Ensure the date and time for configuration is in this method of communication.
   6. Clearly outline who is to provide tier 1 support for any issues that arise from clients.
      1. All PES Partners have received advanced training in DPI-SSL troubleshooting.
      2. Ensure those assigned have been trained in DPI-SSL troubleshooting.
         1. DPI-SSL Troubleshooting KB
         2. DPI-SSL Troubleshooting Part 1 Video
         3. DPI-SSL Troubleshooting Part 2 Video
         4. DPI-SSL Troubleshooting Part 3 Video
         5. DPI-SSL Troubleshooting Part 4 Video
   7. Determine a list of networks/clients, services, or users that will be in the include and exclude lists.
      1. Common Name Exclusion List KB
4. SonicWall configuration
   1. Prior to any work, ensure a notification is sent to clients letting them know maintenance is about to begin.
   2. Select the Zones to enable SSL Client Inspection o.
      
      
      
   3. Upload Certificate to SonicWall that was created.
      
      
      
   4. Change the certificate in the DPI-SSL Client configuration.
      
      Notice after changing the certificate the firewall requires a reboot.
      
      
   5. Apply networks/client, services, or users to the include exclude list
      
      
      
   6. Import custom Common Name list with client modifications into the SonicWall
      
      
      
   7. Configure default CFS category-based exclusion/inclusion
      
      This configuration is based on local policies and procedures and regional laws and regulations.
      
      
   8. Configure General Settings
      
      
      
   9. Enable SSL Client Inspection
      
5. Post Configuration Support
   1. Maintain the process for a single point of contact for escalations
   2. This could be individual or team
   3. Troubleshoot issues as they arise
6. Completion
   1. Take time to discuss postmortem topics for moving forward in better understanding and delivering future projects.

Phased Migration

1. Hardware capacity discovery
   1. Ensure the total number of clients and sessions are supported by the model of SonicWall in the customer environment.  In today's Internet a reasonable expectation per user could vary between 20 and 60 sessions. Gathering the data from either Local Analyzer, Analyzer, GMS, or Cloud GMS is going to be crucial in sizing to the SonicWall to meet the demands of the environment.
   2. SonicWall DPI-SSL Connection Limits
2. Certificate Creation Methods
   1. PES Partners have access to tools that create the PKI and provision the certificates needed for this deployment in a secure environment.
   2. Certificate Authority server on premise.  This could be Unix, Linux or Windows based.
      1. Windows Server KB
   3. Use third party tools to create a Public Key Infrastructure (PKI) like OpenSSL.
      1. OpenSSL KB
3. Discovery Phase
   
   1. Determine the applications and services that will not be supported by DPI-SSL
      
      1. PES Partners have a comprehensive list that can be deployed that are going to include the vast number of the sites that are incompatible with DPI-SSL process.  This list is only given the PES Partners who have completed advanced DPI-SSL training.
      2. This list will need to be set by priority approach for testing phase.
   2. Be aware that modification of the certificate used in DPI-SSL constitutes a reboot.
   3. Schedule for the downtime, and determine acceptable service interruption levels.
   4. Determine the method used for clients to enroll devices. Some options:
      1. Capture Client
         1. Capture Client Deployment KB
      2. PES Partner
         1. PES Partners have access to tools that will automate the process and install the certificates in both the local certificate store as well as Firefox.
      3. Manual Certificate enrollment
         1. Windows Certificate Store
            1. Manual Certificate Enrollment Windows KB
         2. Firefox has a separate certificate
            1. Manual Certificate Enrollment Firefox KB
      4. Active Directory GPO
         1. AD GPO Certificate Push KB
         2. Note: Firefox does not use local certificate store so all workstations with Firefox will have to manually added, see 3.4.2.2.
   5. Notify end users of the configuration and deployment of the DPI-SSL service.  Ensure the date and time for configuration is in this email.
      
      1. Ensure the date and time for configuration is in this method of communication.
   6. Clearly outline who is to provide tier 1 support for any issues that arise from clients.
      1. All PES Partners have received advanced training in DPI-SSL troubleshooting.
      2. Ensure those assigned have been trained in DPI-SSL troubleshooting.
         1. DPI-SSL Troubleshooting KB
         2. DPI-SSL Troubleshooting Part 1 Video
         3. DPI-SSL Troubleshooting Part 2 Video
         4. DPI-SSL Troubleshooting Part 3 Video
         5. DPI-SSL Troubleshooting Part 4 Video
   7. Determine a list of networks/clients, services, or users that will be in the include and exclude lists.
      1. Common Name Exclusion List KB
   8. Phase 1 Rollout
      1. 2-3 Users from each department will be selected to perform functionality testing for all critical applications and services.
      2. Create a group in SonicWall for the IP addresses of the users that would be part of this group.
      3. Test all critical applications and services.
   9. Phase 2 Rollout
      1. Enable DPI-SSL to each department one at a time until all departments are using DPI-SSL.
4. SonicWall configuration
   1. Prior to any work, ensure a notification is sent to clients letting them know maintenance is about to begin.
   2. Select the Zones to enable SSL Inspection on.
      
      
      
   3. Upload Certificate to SonicWall that was created.
      
      
      
   4. Change the certificate in the DPI-SSL Client configuration.
      
      Notice after changing the certificate the firewall requires a reboot.
      
      
   5. Apply networks/client, services, or users to the include exclude list
      
      
      
   6. Import custom Common Name list with client modifications into the SonicWall
      
      
      
   7. Configure default CFS category-based exclusion/inclusion
      
      This configuration is based on local policies and procedures and regional laws and regulations.
      
      
   8. Configure General Settings
      
      
      
   9. Enable SSL Client Inspection
      
5. Post Configuration Support
   1. Maintain the process for a single point of contact for escalations
   2. This could be individual or team
   3. Troubleshoot issues as they arise
6. Completion
   1. Take time to discuss postmortem topics for moving forward in better understanding and delivering future projects. 

Conclusion

The most important component of DPI SSL implementation is communication.  When using either cutover or phased migration ensuring the clients are notified before and after maintenance is critical to the success of the project.  Perception is reality when deploying services.  Users don’t care about the complications of deploying an in depth security feature.  Users are only going to remember what the impact to their work cycle.  Ensure to set expectations accordingly.

Contact Partner Enabled Services with any further questions.