Black Hat 2017Sometimes a slow day is just what the doctor ordered. Today has been rather uneventful so far, which gave the Black Hat NOC team an opportunity to work on the assigned projects and investigate the occasional bursts of multicast traffic.  With Scrutinizer appliance running like a clock, I was also able to spend some quality time on playing with Gigamon exports. This time, I was particularly interested in the SSL information we could collect from the darkest network on the planet.

A couple of months ago, one of Plixer’s customers reached out to my colleague Jeff with the following request: he wanted to trend what SSL version his internal servers were running and what was the most common version his users came across in the wild. This collaboration resulted in creating two Gigamon specific reports: SSL Version and SSL All Details. In his blog, Jeff did a great job of describing the process of configuring Gigamon’s IPFIX exports, and there is no time like now to put it to good use.

Exploring Gigamon SSL Reports

After putting the configuration in place, we started getting some impressive flow data from our Gigamon appliance. The Gigamon SSL Version Count report provided us with the current trends on the Black Hat network: TLS 1.2 is by far the most common. That makes perfect sense. TLS 1.2 is currently the most used version of TLS and has made several improvements in security compared to TLS 1.1. According to RFC 4346, the biggest enhancement in encryption of TLS 1.2 enables it to use more secure hash algorithms such as SHA-256 with the advanced cipher suites that support elliptical curve cryptography.

Scrutinizer SSL Versions Report

Next, we changed the report type to the Gigamon SSL All Details and got the granular details on the source IPs, who they have been reaching out to, the version of SSL used SSL algorithm and key size and even the certificate subject. Pretty amazing, isn’t it?

Scrutinizer SSL All Details Report


What are the SSL/TLS Best Practices?

Like any technology, SSL/TLS has known vulnerabilities, which jeopardize the integrity, confidentiality, and authenticity of information transmitted. A rule of the thumb: always be on the lookout for the next attack. This means staying in touch with what is on the horizon when it comes to information security as well as keeping on top of updates –the critical ones in particular.

  • Enforce TLS v1.1 and above.
  • Disable SSL v3 immediately. Google Chrome and other web browsers have already removed support for SSL v3 in their newest versions due to the POODLE vulnerability. Updating your browser is also an excellent idea to mitigate these issues from the client side.
  • Make sure the Common Name matches the hostname of the server. If it does not, then a user may not be able to determine if the certificate is for that service or not. This can result in a security error within web browsers and requires the user to “click through” the message to view the application. Some users may be used to clicking through the error message when visiting this service and therefore not notice the illegitimate certificate, which creates an opportunity for a man-in-the middle attack. Same would apply to a self-signed or expired certificate.

Coming Up Next

The power of NetFlow is growing every day, especially with IPFIX allowing us to export more contextual details. The Gigamon SSL exports most definitely prove this point. If you would like to learn more about utilizing flow data for malware or breach investigations, reach out to our helpful support team at the Kennebunk headquarters. In the meantime, I am heading to the pool but will be back with more Black Hat USA 2017 updates tomorrow.

anna author pic 2019

Anna McElhany

Anna is a Quality Assurance Analyst at Plixer. She is dedicated to creating customer-facing documentation and identifying any potential problems that users might encounter. Anna holds a degree in Computer Technology, the AWS Certified SysOps Administrator - Associate, CCNA R&S, CCNA Security, and CompTIA Network + and Security + certifications, as well as NSTISSI Security INFOSEC Professional recognition. In her free time, Anna enjoys spending time with friends and family, flying drones, and hiking.


Leave a Reply