Create User-to-Data-Center Decryption Policy Rules

Create rules that decrypt user traffic flowing to the data center so you can inspect the traffic and protect your most valuable assets against malware and other threats.
Create Decryption policy rules for traffic that enters the data center from the user population to provide visibility so that you can inspect the traffic and safeguard your most valuable assets. When you create a Security policy rule that allows a group of users (or a particular user) access to a set of data center servers, create a decryption policy rule to decrypt that traffic.
Because the data center houses your most valuable assets, decrypt all the data center traffic you can decrypt. Start by decrypting traffic to the most critical servers, decrypting high-risk traffic categories, and decrypting traffic from the least trusted network segments (for example, prioritize decrypting third-party traffic from partners, customers, or contractors over decrypting traffic from a trusted internal segment), and then expand the effort until you have applied decryption to traffic destined to all of your data center assets. Decrypt as much traffic as you can while retaining acceptable performance.
Exclude Unsuitable Traffic from Data Center Decryption. Regulations and compliance over personal information differ from country to country and even within country regions. Different companies may have different compliance rules about personal information. Decrypt as much traffic as you can, but if your data center houses information that regulations or company rules exempt from decryption, don’t decrypt that traffic.
In Create User-to-Data-Center Application Whitelist Rules, we created Security policy rules that allow DNS access, allow engineering users to access engineering development servers, allow SAP contractor developers to access only the SAP development servers, and allow a particular set of IT users data center server management access. Here we create decryption policy rules (
Policies
Decryption
) to decrypt the traffic that these rules allow.
The decryption policy rules share some common elements in regard to these traffic flows:
  • When you create a Decryption policy rule, the objective is to decrypt traffic so that a Security policy rule can examine it and allow or block it based on policy. To accomplish that, the Decryption policy rule must use the same source zone(s) and user(s) as the analogous security policy rule, and the same destination zone and address (often defined by a dynamic address group so that as you add or remove servers, you can update the firewall without a commit operation). Defining the same source and destination in the Security policy and in the Decryption policy applies both policies to the same traffic.
  • The Action for all of these rules is decrypt, except in the case of sensitive personal information as shown in Step 4.
  • The decryption rules that use SSL Inbound Inspection to examine incoming traffic require the appropriate server certificate.
  • All of these decryption rules use the Best Practice data center decryption profile shown in Create the Data Center Best Practice Decryption Profiles.
  1. Decrypt allowed traffic from employee user groups to data center servers.
    This rule shows how to decrypt traffic from a user group to the data center servers that the group is allowed to access to provide visibility into that traffic. For example, the application whitelist rules we created include a Security policy rule that allows engineering users to access development servers in the data center. To protect the development servers, decrypt incoming traffic so that the firewall can inspect it and apply threat prevention profiles.
    engg-to-dev-servers-decrypt-pol-rule-user-dc.png
    To create this rule:
    • Specify the same source and destination as in the analogous security policy rule. In this case, the Source users are the
      pantac\apiusers
      and
      pantac\engg
      user groups in the
      Engineering-Users
      zone, and the Destination is the servers specified in the
      Dev-Servers
      dynamic address group in the
      Engineering-DC-Infra
      zone.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSL Inbound Inspection
      . Specify the server certificate for the development servers (
      DevServers
      ) and apply the data center best practice Decryption Profile to apply SSL Inbound Inspection and SSL Protocol Settings to the traffic.
    Create a similar Decryption policy rule for allowed data center traffic of each user group (or individual user, if applicable) based on the source zone and user group (or user) and on the destination zone and server group (as defined by the dynamic address group membership).
  2. Decrypt allowed traffic from contractors, partners, customers, and other third-parties.
    This rule shows how to decrypt from third-party groups to the data center servers they are allowed to access. For example, the whitelist rules include a security policy rule that allows limited access for SAP developer contractors to SAP database servers in the data center. Decrypt incoming traffic so that the firewall can inspect it, apply threat prevention profiles to it, and protect the SAP data center servers.
    sap-contractors-to-servers-decrypt-pol-rule-user-dc.png
    To create this rule:
    • Specify the same source and destination of the traffic to decrypt as in the analogous security policy rule. In this case, the Source users are the
      pantac\sap-contractors
      user group in the
      Contractors
      zone, and the Destination is the servers specified in the
      SAP DB Servers
      dynamic address group in the
      SAP-Infra
      zone.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSL Inbound Inspection
      . Specify the server certificate for the development servers (
      SAP Server Cert
      ) and apply the data center best practice Decryption Profile to apply SSL Inbound Inspection and SSL Protocol Settings to the traffic.
    Create a similar Decryption policy rule for each third-party group’s allowed data center traffic based on the source zone and user group and the destination zone and server group (as defined by the dynamic address group membership).
  3. Decrypt privileged allowed access to data center servers (except traffic pertaining to personal information if regulations or compliance rules prohibit it).
    This rule shows how to decrypt traffic for privileged access because you should decrypt as much traffic as possible to provide the visibility necessary to defend the data center, no matter how much you trust the users. If you don’t decrypt allowed traffic, you can’t apply threat prevention profiles, and if the traffic conceals malware or other threats, you won’t see them. This example references the Security Policy whitelist rule we created previously to provide management interface access to data center servers for IT superusers.
    If the IT group that manages and maintains data center servers uses SSH, you can’t decrypt the SSH traffic. You can configure SSH Proxy to block SSH tunnels and prevent SSH from tunneling potentially malicious content and applications. If the IT group uses SSL, create a Decryption Policy rule using SSL Forward Proxy instead of SSL Inbound Inspection. The reason is that SSL Inbound Inspection requires the server certificate to perform decryption. Because IT manages many data center servers, creating SSL Inbound Inspection rules for each server is onerous and difficult to manage. SSL Forward Proxy decryption scales better in this use case.
    The following example shows the Decryption policy rule for the SSL Forward Proxy use case.
    it-mgmt-decrypt-pol-rule-user-dc.png
    To create this rule:
    • Specify the same source and destination of the traffic to decrypt as in the analogous security policy rule. In this case, the Source users are the
      pantac\it-superusers
      user group in the
      IT-Users
      zone, and the Destination is the servers specified in the
      IT-Server-Management
      static address group in the
      IT-server-access-DC
      zone.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSL Forward Proxy
      . Apply the data center best practice Decryption Profile to apply SSL Forward Proxy and SSL Protocol Settings to the traffic.
    If other groups require privileged access, create a similar type of Decryption Policy rule for each group.
    IT personnel also manage switches, routers, and other devices in the data center. If the same group of IT users manages those resources, you can add them to the destination zone and address so that the rule decrypts traffic for connections to the management interfaces of those devices. If different IT user groups manage different sets of data center resources, create separate, tight security policy rules and corresponding decryption and authentication policy rules for each user group.
    The next example shows the Decryption policy rule for the SSH Proxy use case. You may also choose not to decrypt the traffic instead of using SSH Proxy decryption.
    it-mgmt-ssh-proxy-decrypt-pol-rule-user-dc.png
    To create this rule:
    • The traffic source and destination are the same as for the preceding SSL Forward Proxy use case example rule.
    • On the Options tab, set the Action to
      Decrypt
      and the decryption Type to
      SSH Proxy
      . Apply the data center best practice Decryption Profile to apply SSH Proxy and SSL Protocol Settings to the traffic.
      IT personnel also manage data center switches, routers, and other devices. If the same group of IT users manages those resources, you can add them to the destination zone and address so that the rule decrypts traffic for connections to the management interfaces of those devices. If different IT user groups manage different sets of data center resources, create separate, tight security policy rules and corresponding decryption and authentication policy rules for each user group.
  4. Do not decrypt sensitive personal information if prohibited by regulations or compliance rules.
    This rule shows how to create a policy-based decryption exclusion if you need to except traffic from decryption for regulatory or compliance reasons. This example references the Security Policy whitelist rule we created previously to provide Finance server access for Finance users. If regulations or compliance permit you to decrypt this traffic, decrypt it so that the firewall can see the traffic and protect against threats.
    finance-PCI-decrypt-pol-rule-user-dc.png
    To create this rule:
    • Specify the same source and destination of the traffic to decrypt as in the analogous security policy rule. In this case, the Source users are the
      pantac2012\accounting-users
      and
      pantac2012\finance-users
      user groups in the
      Finance-Users
      zone, and the Destination is the servers specified in the
      Fin-Servers
      dynamic address group in the
      Finance-DC-Infra
      zone.
    • On the Options tab, set the Action to
      No Decrypt
      and the decryption Type to
      SSL Forward Proxy
      so that the firewall won’t ask for a server certificate. Apply the data center best practice Decryption Profile to apply No Decryption and SSL Protocol Settings to the traffic.

Related Documentation