SSL Inspection : Forti Focus
We often come across websites whose certificate does not match the site. We are presented with a warning message and the option to proceed at our own risk; this warning is quite common.
A number of applications and websites use SSL encryption correctly. In this case, the traffic goes through Secure Sockets Layer (SSL) and is encrypted. However, there are risks associated with its use, since encrypted traffic can be used to get around network security. In common cases, a user can unknowingly download a malicious file during an e-commerce session, or a phishing attachment can arrive in a secure email. Because the traffic is encrypted, it can bypass the network's security measures. To protect against this threat, SSL inspection holds the key to unlock the sessions, examine the packets to find possible threats, and block them.
When deep inspection is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. After successful inspection, it re-encrypts the content and creates a new session between the FortiGate and the recipient. A certificate from the FortiGate's own repository is used to re-encrypt the content.
There are 2 methods of deployment for SSL inspection.
Multiple clients connecting to multiple servers – This uses a CA certificate and is applied to outbound policies destined for unknown servers or websites.
Protecting SSL server – This uses a server certificate and is typically used for inbound policies.
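The two deployment methods above, sketched as FortiOS SSL/SSH inspection profiles; this is an added example, not configuration from the original post. The profile names and `PLACEHOLDER_SERVER_CERT` are hypothetical, the option names assume a FortiOS 6.x/7.x CLI, and the `#` lines are annotations.

```fortios
config firewall ssl-ssh-profile
    # Method 1: multiple clients connecting to multiple servers (outbound policies).
    # The FortiGate re-signs each server certificate with a CA certificate from
    # its own store. Clients that do not trust this CA will see a certificate
    # warning on every inspected site, so distribute it to managed endpoints.
    edit "outbound-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        # Used to re-sign when the original server certificate is itself
        # untrusted, so the client still gets a warning for that site.
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
    # Method 2: protecting an SSL server (inbound policies).
    # The FortiGate presents the server's own certificate to clients, so the
    # certificate and its private key must first be imported on the FortiGate.
    edit "inbound-protect-server"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode replace
        set server-cert "PLACEHOLDER_SERVER_CERT"
    next
end
```

Each profile takes effect only once it is selected as the SSL inspection profile on the matching outbound or inbound firewall policy.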