TLS inspection

The Network Security service offers in-line, real-time threat protection for all inbound TLS-encrypted IPv4 traffic that reaches your internal servers from beyond the network firewall. Your virtual appliance receives the encrypted flow, decrypts it, inspects it, encrypts it, and then sends it on to its destination.

If there is encrypted traffic that you want to protect for particular segments, enable TLS inspection as a global setting for a single managed virtual appliance. This way you can secure internet communications by providing privacy and data integrity between website servers and web browsers. Key exchange algorithms secure the connections for each session.

Users can integrate Network Security’s TLS capability with their existing infrastructure’s certificate management offerings, including Azure Key Vault, Amazon Certificate Manager (ACM) and Amazon Simple Storage Service (S3). For successful chain validation:

  • Azure certificates, which also contain the private key, can be in either PFX or PEM (PKCS8 only) format.
  • S3 certificates must include the web server's certificate chain in PEM (PKCS8 or PKCS1) format. The certificate chain starts with the web server certificate followed by one or more intermediate CA certificates, and ends with the root CA certificate.
  • ACM certificates must include the PEM-encoded web server's certificate in the certificate body field, and include the certificate chain (which includes a concatenated string of each PEM-encoded intermediate CA certificate and the root CA certificate) in the certificate chain field.
  • Both AWS ACM and Azure Key Vault require users to import the web server's certificate chain and private key. With Azure Key Vault, the virtual appliance can retrieve both certificates and private keys. But because private keys cannot be exported from AWS ACM, you must import those private keys manually to the virtual appliance, or use CloudHSM to get them. This is also true for private keys corresponding to AWS S3 certificates.
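The format rules above (chain order, PKCS8 versus PKCS1 keys, and the per-file size limits given in the AWS requirements below) are the usual cause of a rejected upload, so it helps to check a PEM bundle before pasting it into the wizard. The following preflight script is an added example, not tooling from the Network Security service; it handles text PEM bundles only (not Azure PFX files), detects the key encoding from the standard PEM labels (RSA PRIVATE KEY is PKCS1, PRIVATE KEY and ENCRYPTED PRIVATE KEY are PKCS8), and the certificate blocks in it are constructed placeholders, not real certificates.

```python
"""Preflight checks for a PEM certificate bundle destined for TLS inspection.
Added example; not the Network Security service's own tooling."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Size limits quoted in the AWS TLS inspection requirements.
MAX_BUNDLE_BYTES = 512 * 1024   # total certificate file
MAX_CERT_BYTES = 32 * 1024      # each certificate block
MAX_KEY_PEM_BYTES = 8 * 1024    # private key PEM

# One PEM block: header, base64 body, matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Standard PEM labels and the key encoding each one implies.
KEY_FORMATS = {
    "RSA PRIVATE KEY": "PKCS1",
    "PRIVATE KEY": "PKCS8",
    "ENCRYPTED PRIVATE KEY": "PKCS8",
}


@dataclass
class BundleReport:
    cert_count: int = 0
    key_format: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _der_from_body(body: str) -> Optional[bytes]:
    """Decode a PEM body; return None if it is not clean base64."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def check_bundle(pem_text: str, platform: str) -> BundleReport:
    """platform: 'azure' (PKCS8 key required in the bundle) or 's3' (PKCS8 or PKCS1)."""
    report = BundleReport()
    if len(pem_text.encode()) > MAX_BUNDLE_BYTES:
        report.problems.append("bundle exceeds 512 KB")

    blocks = list(PEM_BLOCK.finditer(pem_text))
    if not blocks:
        report.problems.append("no PEM blocks found")
        return report
    if blocks[0].group("label") != "CERTIFICATE":
        report.problems.append("first block must be the web server certificate")

    for m in blocks:
        label, size = m.group("label"), len(m.group(0).encode())
        der = _der_from_body(m.group("body"))
        if der is None:
            report.problems.append(f"{label}: body is not valid base64")
            continue
        # DER certificates and keys are ASN.1 SEQUENCEs, so the first byte is 0x30.
        if der[:1] != b"\x30":
            report.problems.append(f"{label}: decoded bytes are not a DER SEQUENCE")
        if label == "CERTIFICATE":
            report.cert_count += 1
            if size > MAX_CERT_BYTES:
                report.problems.append("a certificate block exceeds 32 KB")
        elif label in KEY_FORMATS:
            if report.key_format is not None:
                report.problems.append("more than one private key block")
            report.key_format = KEY_FORMATS[label]
            if size > MAX_KEY_PEM_BYTES:
                report.problems.append("private key PEM exceeds 8 KB")
        else:
            report.problems.append(f"unexpected block type: {label}")

    # Server certificate, at least one intermediate CA, and the root CA.
    if report.cert_count < 3:
        report.problems.append("chain must contain server, intermediate and root certificates")

    if platform == "azure":
        if report.key_format != "PKCS8":
            report.problems.append("Azure requires the private key in PKCS8 format")
    elif platform != "s3":
        report.problems.append(f"unknown platform: {platform}")
    # For S3, PKCS8 or PKCS1 is accepted and the key may be uploaded separately.
    return report


def fake_pem(label: str, payload: bytes = b"\x30\x03\x02\x01\x01") -> str:
    """Constructed placeholder block (a minimal DER SEQUENCE), not a real certificate or key."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundles.
AZURE_BUNDLE = (fake_pem("CERTIFICATE") * 3) + fake_pem("PRIVATE KEY")
PKCS1_BUNDLE = (fake_pem("CERTIFICATE") * 3) + fake_pem("RSA PRIVATE KEY")
SHORT_CHAIN = fake_pem("CERTIFICATE") * 2

if __name__ == "__main__":
    for name, text, plat in [("azure", AZURE_BUNDLE, "azure"),
                             ("pkcs1-on-azure", PKCS1_BUNDLE, "azure"),
                             ("short-chain-s3", SHORT_CHAIN, "s3")]:
        r = check_bundle(text, plat)
        print(name, "OK" if r.ok else r.problems)
```

The script deliberately stops at structural checks: it does not verify signatures, subject/issuer linkage, or that the key matches the leaf certificate, which the wizard reports as a "certificate does not match" error. Run it on the exact file you intend to upload, since the size limits apply to the PEM text rather than the decoded DER.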

Based on your cloud platform provider, the Network Security service automatically provides the appropriate wizard to step you through the TLS configuration process (see Configure TLS inspection for AWS and Configure TLS inspection for Azure below).

Key terms

TLS – Transport Layer Security. Protocol that enables secure network communications using encryption. Commonly also referred to by the name of its predecessor, Secure Sockets Layer (SSL).

ACM – Amazon Certificate Manager. Service for requesting, creating, managing, uploading, deploying, and renewing your private and public TLS certificates.

ARN – Amazon Resource Name. Unique identifier for Amazon resources, such as IAM policies, TLS certificates, and API calls.

S3 – Amazon Simple Storage Service. Storage service for storing, organizing, and protecting data.

HCM – Hybrid Cloud Management. On-premises data center that enables private cloud functionality to work in tandem with the hardware resources of multiple public clouds.

AWS CloudHSM – Hardware Security Module (HSM). Cloud-based HSM that enables you to generate, use, and manage your own encryption keys.

AWS IAM – AWS Identity and Access Management. Enables you to control the access of AWS users and groups to AWS services and resources.

AWS KMS – AWS Key Management Service. Enables you to create and control the cryptographic keys that you use in your applications and AWS services.

AWS Secrets Manager – Enables you to manage and retrieve secrets, keys, and other credentials used to protect your IT resources, including applications and services.

Azure Key Vault – Cryptographic service for the Azure platform that enables you to manage and retrieve secure resources, including passwords, certificates, and keys.

Configure TLS inspection for AWS

For the AWS platform, a TLS inspection policy requires:

  • Requested access to TLS Preview.

  • Access to AWS Certificate Manager (ACM) or S3. Configure your ACM or S3 connection before adding your server to be proxied.

  • Certificate ARN loaded through ACM or S3. This is the ARN of your protected server's public key certificate, which pairs with the server's private key. The total certificate file size cannot exceed 512 KB, with a 32 KB limit for each certificate and a maximum private key PEM size of 8 KB.

  • Permissions that allow an Identity and Access Management (IAM) user, role, or group to create a TLS service policy. Your appliance's IAM role must have a policy that grants it Read and List actions on the certificate manager and on the certificates required for decryption. To configure these permissions, navigate to Identity and Access Management, select Policies from the navigation, and then create an ACM policy, an S3 bucket policy, and a SecretsManager policy.

    To create an ACM policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "acm:ExportCertificate",
                    "acm:DescribeCertificate",
                    "acm:GetCertificate"
                ],
                "Resource": "arnidentifier"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "acm:GetAccountConfiguration",
                    "acm:ListCertificates",
                    "acm:ListTagsForCertificate"
                ],
                "Resource": "*"
            }
        ]
    }

    To create an S3 bucket policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arnidentifier"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            }
        ]
    }

    To create a SecretsManager policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": "arnidentifier"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetRandomPassword",
                    "secretsmanager:ListSecrets"
                ],
                "Resource": "*"
            }
        ]
    }

    After you have configured each policy with its correct permissions, navigate to Roles and then click Attach Policy to attach each policy to the IAM role for your Network Security appliance. Learn more about creating an IAM policy and role.

  • Access to Hybrid Cloud Management (HCM). Configure your HCM connection before adding your server to be proxied. The HCM must reside in the same region and availability zone as the virtual appliance.

  • Access to a hardware security module (HSM). An HSM, such as AWS CloudHSM, is required only if you elect not to upload the private key from the wizard.

  • Access to AWS Key Management Service (KMS) and AWS Secrets Manager. If you delete, change, or make unavailable the KMS customer master key (CMK) in use by the appliance, the appliance will not be able to decrypt the private keys, and any associated TLS policies will be automatically disabled after a reboot.

  • Server to be proxied, and access to its private key. To add the server, go to the Network > Appliances > appliancename page. Only one server can be added per virtual appliance.

  • A single managed Network Security virtual appliance. The appliance must have a minimum version of 2021.7.0.11129. Appliance groups are not currently supported. When you create the AWS CloudHSM, the HSM creates its own security group that includes inbound rules tied to a specific port range. This security group must be added to your virtual appliance so that it can pull the keys from the HSM over one of the ports in the port range. Locate and select your instance on AWS, click Actions > Security > Change security groups, add your HSM cluster as an associated security group, and click Save.

  • Either a single server with a protected static IP address or, for servers running behind a load balancer, a subnet (CIDR). To get the server's IP, go into AWS where the server is located, click EC2, click Instances (running), and copy the IP address specified under Private IPv4 addresses (this address is reachable only from within AWS). For example, 192.0.2.0 or, if you use a CIDR, 198.51.100.0/24. The CIDR prefix length can range from /8 to /32.

  • Server’s public certificate. You can enable access through either your ACM or by placing it in an Amazon S3 bucket.

  • Private key. You can use either AWS CloudHSM or manually upload your own private key. If you use AWS CloudHSM, be sure to first create the IAM role and secret in AWS so that the Network Security service can access the private key.
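The three IAM policies above scope the actions that return certificate, object, or secret material (acm:ExportCertificate, acm:GetCertificate, s3:GetObject, secretsmanager:GetSecretValue) to a single ARN, and leave only the List and Describe style actions on "*". Two mistakes undo that: pasting the template without replacing arnidentifier, or widening the first statement to "*" to make an "Unable to retrieve certificate" error go away. The following lint is an added example (not part of the Network Security documentation or its tooling); it flags both mistakes and any wildcard action, and the account number and certificate ID in its sample ARN are constructed dummy values.

```python
"""Least-privilege lint for the IAM policies attached to the appliance role.
Added example; not part of the Network Security documentation or its tooling."""
import json
from typing import Any, Dict, List

# Actions from the three policies above that hand back certificate, object or
# secret material. Allowing them on Resource "*" lets the appliance role read
# every certificate, bucket object or secret in the account, not just the ones
# needed for decryption.
SENSITIVE_ACTIONS = {
    "acm:ExportCertificate",
    "acm:GetCertificate",
    "s3:GetObject",
    "secretsmanager:GetSecretValue",
}

# Placeholder used in the documentation's templates; it must be replaced.
PLACEHOLDER = "arnidentifier"


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action in SENSITIVE_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {action} allowed on every resource; scope it to the specific ARN")
        for resource in resources:
            if resource == PLACEHOLDER or resource.startswith("<"):
                findings.append(f"{sid}: placeholder resource {resource!r} was not replaced")
            elif resource != "*" and not resource.startswith("arn:"):
                findings.append(f"{sid}: {resource!r} is not an ARN")
    return findings


def lint_policy_json(text: str) -> List[str]:
    """Same check for a policy pasted as JSON text (what the console's JSON tab holds)."""
    return lint_policy(json.loads(text))


# Constructed certificate ARN standing in for the real one; the account number
# and certificate ID are dummy values.
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"

# The ACM policy from the documentation above, with the placeholder replaced.
ACM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["acm:ExportCertificate", "acm:DescribeCertificate", "acm:GetCertificate"],
         "Resource": CERT_ARN},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["acm:GetAccountConfiguration", "acm:ListCertificates", "acm:ListTagsForCertificate"],
         "Resource": "*"},
    ],
}

# The same policy with the first statement opened up to "*" (a common shortcut).
OVERBROAD_POLICY = json.loads(json.dumps(ACM_POLICY))
OVERBROAD_POLICY["Statement"][0]["Resource"] = "*"

# The template pasted without replacing the placeholder.
UNFILLED_POLICY = json.loads(json.dumps(ACM_POLICY))
UNFILLED_POLICY["Statement"][0]["Resource"] = PLACEHOLDER

if __name__ == "__main__":
    for name, pol in [("scoped", ACM_POLICY), ("overbroad", OVERBROAD_POLICY), ("unfilled", UNFILLED_POLICY)]:
        print(name, lint_policy(pol) or "OK")
```

Run lint_policy_json on the exact text you paste into the JSON tab; the S3 and SecretsManager templates pass the same check once their arnidentifier is replaced with the bucket and secret ARNs.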

Use the following steps to configure TLS using the AWS platform.

  1. Go to Policy > TLS Inspection and click Request Access.

  2. Configure the appropriate IAM role for the policy. Refer to Create an IAM policy and role.

  3. Optionally configure an AWS Certificate Manager (ACM). Learn more at Getting Started with AWS Certificate Manager.

  4. Connect to a hardware security module (HSM). Use the region selector to ensure that your HSM IP address resides in the same geographical region of your virtual appliance. Learn more.

  5. After you have been given access to the TLS inspection service from step 1, return to Policy > TLS Inspection and click Configure TLS Inspection to enter the configuration wizard.

From the Configure TLS Inspection wizard:

  1. Select the managed virtual appliance on which you want to enable decryption and inbound TLS traffic inspection. Click Provide Server.

  2. In the Server IP field, enter the IP address of the server to be protected. To retrieve this IP address, click EC2 from the AWS navigation, and click Instances (running) under Resources. The IP address that is accessible only by AWS is listed under Private IP addresses. Click Provide Public Certificate.

  3. In the Certificate ARN field, enter the S3 or ACM ARN of your server’s public certificate. Click Choose Key Access Method.


    NOTE

    If you get an Unable to retrieve certificate error, go to AWS Services and click IAM > Roles to confirm that your Network Security role has the correct permissions. Click your configured Network Security role from the list, edit the policy that is listed, click Add additional permissions, and add Certificate Manager from the available services. Specify List and Read access level permissions. After you specify a Resource, click Review policy and then Save changes.


  4. Specify whether you will use AWS CloudHSM to provide your server's private key or whether you will manually upload it. Click Provide Resource.

    • If you elected to use AWS CloudHSM, a dialog prompts you to provide a secret ARN using AWS Secrets Manager. The secret ARN contains connection information that enables the HSM to retrieve private key information for the public certificate, which is then stored on your appliance. In order to generate the secret, you must complete the following items in the dialog:

      • Provide a username for the crypto user (CU) account. The username cannot be more than 31 characters, and the underscore (_) is the only special character permitted.
      • Provide a password for the crypto user (CU) account. The password cannot be less than 7 characters or more than 32 characters.
      • Paste the issuing certificate (begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----). The certificate size cannot exceed 65 KB.
      • Provide the IP of the AWS CloudHSM.
      • Click Generate Secret. After the secret is generated, click Copy to Clipboard. In AWS Secrets Manager, go to Secrets and click Store a new secret. Click Other type of secret, select Plain Text, and paste the secret that you generated in the field. Make sure you select the DefaultEncryptionKey option, and then click Next. Learn more at Tutorial: Creating and retrieving a secret. Then paste the resulting secret ARN in the wizard's Secret ARN field and click Provide Keystore Key.
    • If you elect to upload the private key directly, a dialog is displayed where you can paste your server certificate’s private key in the Private Key field. Be sure that what you paste begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----. If your private key is encrypted, enter a passphrase to enable decryption. The passphrase can be one to 255 characters. Click Provide Keystore Key.


    NOTE

    If you get an error stating that the certificate you entered does not match, there is an issue with your certificate or key. Reload your certificate and key to make sure you have the correct ones.


  5. Use AWS Key Management Service to create a symmetric customer master key (CMK) and add your Network Security role as a key user so that your private key can be stored encrypted on your appliance. Paste the resulting ARN in the wizard's Key Management ARN field and click Confirm and Deploy.


    NOTE

    If you get an error, go to AWS Services and click Key Management Service > Customer managed keys to confirm that your Network Security role has the correct permissions. Click your configured customer master key from the list, scroll to Key users, and click Add. Select your Network Security role, and click Add. Learn more about configuring key policies.


  6. Review your configuration and click Deploy and Close to start inspecting encrypted traffic.

  7. Go to Policy > TLS Inspection and confirm that the Status field displays Ready to inspect encrypted traffic.

Note: After a TLS inspection policy has been configured on a virtual appliance, you cannot edit the TLS policy. Your TLS settings remain in effect until you completely delete the policy. If you want to change your TLS inspection strategy, delete the existing policy by clicking the delete icon and create a new one.


Optionally, you can verify that your TLS configuration is working by following these steps:

  1. Open the network-security-block-events log group in the CloudWatch logs.
  2. Open the log stream for your virtual appliance (identified by the same ID number indicated on the Appliances page).
  3. Scroll down to the most recent timestamped event at the bottom.
  4. Use the filter field to find activity that was blocked to protect your server (your server's IP address appears in the dst-ip field).

Configure TLS inspection for Azure

For the Azure platform, a TLS inspection policy requires:

  • Requested access to TLS Preview.
  • Access to Azure Active Directory (AD). Be sure to also associate your Azure subscription to your Azure AD.
  • Access to the Azure Key Vault.
  • Server to be proxied, and access to its private key. To add the server, go to the Network > Appliances > appliancename page. Only one server can be added per virtual appliance.
  • A single managed Network Security virtual appliance. The appliance must have a minimum version of 2021.7.0.11129. Appliance groups are not currently supported.
  • A single server with a protected IP address, or a CIDR for servers running behind a load balancer. For example, 192.0.2.0 or, if you use a CIDR, 198.51.100.0/24. The CIDR prefix length can range from /8 to /32. To get the server's IP, refer to Retrieve private IP address information for a VM.
  • Server’s public certificate. You can enable access through Azure Key Vault.

Use the following steps to configure TLS using the Azure platform.

  1. Go to Policy > TLS Inspection and click Request Access.

  2. Configure the appropriate IAM role for the policy. Refer to Key Vault roles.

  3. Configure an Azure Key Vault. Learn more.

  4. After you have been given access to the TLS inspection service from step 1, return to Policy > TLS Inspection and click Configure TLS Inspection to enter the configuration wizard.

From the Configure TLS Inspection wizard:

  1. Select the managed virtual appliance on which you want to enable decryption and inbound TLS traffic inspection. Click Provide Server.

  2. In the Server IP field, enter the IP address of the server to be protected. To retrieve this IP address, refer to Retrieve private IP address information for a VM. Click Provide Public Certificate.

  3. In the Certificate field, enter the URI to the Azure Key Vault (this URI is one of the properties displayed after you created your Azure Key Vault; for example, https://<your-unique-keyvault-name>.vault.azure.net/), or specify the reference link for the public certificate identifier (for example, https://<your-unique-keyvault-name>/certificates/your-certificate-name). Click Confirm and Deploy.

  4. Review your configuration and click Deploy and Close to start inspecting encrypted traffic.

  5. Go to Policy > TLS Inspection and confirm that the Status field displays Ready to inspect encrypted traffic.



Note: After a TLS inspection policy has been configured on a virtual appliance, you cannot edit the TLS policy. Your TLS settings remain in effect until you completely delete the policy. If you want to change your TLS inspection strategy, delete the existing policy by clicking the delete icon and create a new one.


Optionally, you can verify that your TLS configuration is working by following these steps:

  1. Open the network-security-block-events log group in the CloudWatch logs.
  2. Open the log stream for your virtual appliance (identified by the same ID number indicated on the Appliances page).
  3. Scroll down to the most recent timestamped event at the bottom.
  4. Use the filter field to find activity that was blocked to protect your server (your server's IP address appears in the dst-ip field).