8.3 Ensure that the Certificate used for Decryption is Trusted


The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. There are two classes of users that need to be considered.
1: Users that are members of the organization, users of machines under control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. A MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or "IoT" (Internet of Things) devices.
2: Users that are not member of the organization - often these are classed as "Visitors" in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt affected traffic - this is easily done, but leaves the majority of "visitor" traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for member's organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.
Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's "man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Set the CA Certificate(s):
Navigate to Device > Setup > Certificate Management > Certificates
Set the Certificate Profile needed for the SSL Forward Proxy:
Navigate to Device > Setup > Certificate Management > Certificate Profile

Set the decryption profile to include the settings described in the SSL Forward Proxy guidance in this document:
Navigate to Objects > Decryption Profile
Set the Decryption Policy to be applied to the appropriate interfaces and to have the categories assigned to it that comply with your organization's internal policies, regulatory requirements and legal requirements.
Navigate to Policies > Decryption
Source: all internal user subnets
Destination: all target zones (typically this is the public internet)
Excluded URL categories: include Health Care, Personal Banking and any other category that exposes PII, PHI or that exposes any information that might be described in your organization's internal policies, regulatory framework, privacy requirements or legal requirements as protected.
Decryption Policy Rule: include the SSL Forward Proxy defined above, and the Decryption Profile defined above
Default Value:
Decryption is not enabled by default.

See Also


Item Details


References: 800-53|SC-17, CSCv6|12.5

Plugin: Palo_Alto

Control ID: 802baca681c3417c7320c0c504275ab7b85545562042f4a0db371be1375291fe