
Tenable Blog


Uncovering SSL Anomalies In Your Network Using SecurityCenter

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

Looking in More than One Place

Nessus, PVS, and LCE offer several methods for auditing SSL protocol usage on your network(s). SSL is commonly used to secure websites, but also protects email, file sharing, and many other services. This post lists some generic SSL capabilities found in all Tenable products, and shows how you can combine them to generate useful reports and dashboards.

On the vulnerability identification side, Nessus uncovers many issues with SSL certificates, such as outdated certificates, unsigned certificates, and much more (see the screenshot below for more examples). SSL implementations shipped with appliances often use unsigned certificates, and rely on the administrator to install their own valid certificate. Without a properly signed certificate, man-in-the-middle attacks become considerably easier. If you’re an e-commerce shop, improper SSL implementations will also cause you to become non-compliant with PCI DSS standards.

[Image: A sample of Nessus plugins associated with identifying problems with SSL certificates.]

Passive SSL Protocol Detection

PVS can sniff SSL traffic across your network, providing broader coverage of SSL problems since it sees traffic in real time. While network-based scanners will typically discover SSL on port 443, PVS can more easily identify SSL regardless of the port. For example, most active network scans have a tough time enumerating multiple SSL-protected websites being hosted on a single IP address. However, since PVS looks at active network traffic, enumerating all the websites hosted on a given IP address is much easier.

PVS can also identify the following situations and associated vulnerabilities in SSL:

  • PVS can aggregate SSL certificates and CNs (common names) inside web browsing traffic, allowing you to see the sites users are visiting. Often, the SSL traffic is very self-explanatory. For example, the following entry clearly identifies an Apple iPhone using SSL on the network:

    SSL_certificate_Summary since 10/2/2012 21:14:32 host 192.168.1.55 had SSL sessions involving these server certificates: Akamai Technologies Inc configuration.apple.com courier.push.apple.com iphone-ld.apple.com

  • Tracking communications using SSL is a common feature for most firewalls, a requirement listed in the SANS CAG, and an integral part of your situational awareness strategy. PVS identifies hosts connecting to and listening for SSL services, and the ports being used to do so, making it easy to audit SSL usage.

  • LCE brings traditional SIEM correlation for the events uncovered by both Nessus and PVS, in addition to syslog events generated by your hosts. SSL traffic can be analyzed to detect several types of anomalies (see "Tracking SSL Activity Anomalies"). This level of analysis can be used to detect botnet activity, aid in forensic investigations, detect policy violations, and more.

For example, you can track SSL browsing activity on a per user basis:

[Image: SSL browsing activity graphed per user.]

I highlighted an individual user's activity ("rgula"). No traffic exists for the previous day because Ron was out of the office. Drilling into the actual logs provides us with some detail on Ron's SSL traffic:

[Image: Log detail of the selected user's SSL traffic.]

Fortunately there is nothing abnormal to report — Ron has been using Twitter, a remote instance of SecurityCenter (obfuscated for security reasons), and some Tenable resources (also obfuscated).
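The per-host certificate summary above and the per-user tracking just described can be turned into a simple "new destination" check. The following Python script is an added example, not code from the post or from any Tenable product: it parses PVS-style SSL_certificate_Summary lines laid out like the one quoted earlier (the second and third sample events and the previous-day baseline are constructed for this example) and reports, per host, the server names the baseline never saw.

```python
import re
from collections import defaultdict

# Constructed sample input. The first line is the PVS event quoted in the post; the
# other two are made up here so the baseline comparison below has something to find.
SAMPLE_EVENTS = """\
SSL_certificate_Summary since 10/2/2012 21:14:32 host 192.168.1.55 had SSL sessions involving these server certificates: Akamai Technologies Inc configuration.apple.com courier.push.apple.com iphone-ld.apple.com
SSL_certificate_Summary since 10/2/2012 21:20:07 host 192.168.1.55 had SSL sessions involving these server certificates: twitter.com api.twitter.com
SSL_certificate_Summary since 10/2/2012 21:25:41 host 192.168.1.77 had SSL sessions involving these server certificates: update.example-cdn.net
"""

# Field layout assumed from the single line the post shows.
EVENT_RE = re.compile(
    r"^SSL_certificate_Summary since (?P<when>\S+ \S+) host (?P<host>\S+) "
    r"had SSL sessions involving these server certificates: (?P<certs>.*)$"
)
# The certificate field mixes organisation names ("Akamai Technologies Inc") with
# DNS names; only the tokens containing a dot are DNS names, so keep just those.
DNS_NAME_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def parse_summaries(text):
    """Map each client host to the set of server names it had SSL sessions with."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # some other event type; ignore it
        certs = m.group("certs").split()
        seen[m.group("host")].update(t for t in certs if DNS_NAME_RE.match(t))
    return dict(seen)


def new_destinations(today, baseline):
    """Server names each host contacted today that its baseline never saw."""
    anomalies = {}
    for host, names in today.items():
        # A host with no baseline entry is reported in full: a brand-new SSL talker.
        novel = names - baseline.get(host, set())
        if novel:
            anomalies[host] = sorted(novel)
    return anomalies


if __name__ == "__main__":
    # Constructed baseline: what 192.168.1.55 talked to on the previous day.
    baseline = {"192.168.1.55": {"configuration.apple.com",
                                 "courier.push.apple.com", "iphone-ld.apple.com"}}
    for host, names in new_destinations(parse_summaries(SAMPLE_EVENTS), baseline).items():
        print(f"{host}: new SSL destinations {', '.join(names)}")
```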

Tying It All Together Using SecurityCenter Dashboards

Tenable provides SecurityCenter customers with numerous dashboards free of charge. Here’s an example dashboard for customers that leverage SSL monitoring:

[Image: PVS-SSL dashboard. This dashboard graphs passively monitored SSL traffic occurring on a variety of ports for the past 72 hours.]

In the above dashboard, PVS data is being used to detect SSL on non-standard ports, providing both a graph of the traffic patterns and a detailed list of ports. You can download this dashboard from our SecurityCenter Dashboard sites from the entry titled "SSL Activity Monitoring."

Conclusion

Monitoring protocol usage and traffic patterns supports the advice given by many — know your network. The ability across Tenable's products to detect vulnerabilities and anomalies in SSL traffic helps you do just that. A single vulnerability on a given host or one particular event may not be interesting on its own. However, correlating network-based vulnerabilities, passively discovered vulnerabilities, and log events allows you to see the big picture and detect anomalies that require immediate attention.
