Juniper Secure Access: Using TCP Dump to View Cipher Information

juniper

Using TCP Dump to View Cipher Information

You can use the TCP Dump tool to view which cipher each client uses to connect to the server. TCP Dump is a packet analyzer that intercepts (sniffs) and displays TCP/IP and other packets transmitted or received between the server and clients.

Note: To permit debugging, it is recommended that the ECC certificate be replaced by an RSA certificate so that an RSA cipher suite gets selected and then the application data can be decoded.

To capture packet headers:

  1. Select Maintenance > Troubleshooting > Tools > TCP Dump.
  2. Select the interface, internal or external or both, you wish to sniff and then the VLAN port.
  3. Click Start Sniffing.The next time a user points a browser window to the server or logs in to the server, handshake information is obtained.
  4. Click Stop Sniffing when done.

To view the packet headers:

  1. Select Maintenance > Troubleshooting > Tools > TCP Dump.
  2. Under Dump file, select SSLDump from the file menu and the certificate to use. See Figure 1.

    Figure 1: Viewing the TCP Dump Output

    Viewing the TCP Dump Output

    The certificate names in the TCP Dump window are the same as the “Certificate issued to” names in the Device Certificates window. Select the certificate corresponding to the port you wish to view packet information. See Figure 2.

    Figure 2: Issued to Certificate on the Device Certificates Pages

    Issued to Certificate on the Device<br /><br />
Certificates Pages
  3. Click Get.

Portions of a TCP dump output follow.

The client starts a handshake with the server:

1 1  0.0007 (0.0007)  C>S  Handshake

The client then lists its supported cipher suites:

cipher suites
        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA
        TLS_ECDH_ECDSA_WITH_DES_CBC3_SHA
			 ...

The server acknowledges the handshake:

1 2  0.0010 (0.0003)  S>C  Handshake

The server compares the cipher suites on the client with the ones on the server and picks the cipher suite that is preferred by the server based on SSL options:

cipherSuite         TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

Example TCP Dump Output

New TCP connection #1: 10.64.8.3(46200) <-> 10.64.90.21(443)
1 1  0.0007 (0.0007)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA
        TLS_ECDH_ECDSA_WITH_DES_CBC3_SHA
        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_128_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_SHA
        TLS_ECDH_ECDSA_WITH_RC4_SHA
        Unknown value 0xc001
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
        ClientHello Extensions [113]=
          00 6f 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 
          00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 
          00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 
          00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 
          00 11 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 
          06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 
          03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00 01 
          01 
1 2  0.0010 (0.0003)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[32]=
          a3 07 40 6e 73 12 c2 4d f3 7d b9 77 f8 97 e1 94 
          fc 1b 51 6a 66 3c 99 d6 c7 7d 0e fa 29 2e d0 c4 
        cipherSuite         TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        compressionMethod                   NULL
        ServerHello Extensions [20]=
          00 12 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 
          0f 00 01 01 
1 3  0.0010 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0010 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.1413 (0.1403)  C>S  Handshake
      ClientKeyExchange
1 6  0.1413 (0.0000)  C>S  ChangeCipherSpec
1 7  0.1413 (0.0000)  C>S  Handshake
1 8  0.1464 (0.0051)  S>C  ChangeCipherSpec
1 9  0.1464 (0.0000)  S>C  Handshake
1 10 9.2389 (9.0924)  C>S  application_data
1 11 9.5828 (0.3438)  C>S  application_data
1 12 9.5833 (0.0004)  S>C  application_data
1    9.5833 (0.0000)  S>C  TCP FIN
1 13 9.5999 (0.0166)  C>S  Alert
1    9.5999 (0.0000)  C>S  TCP FIN

Published: 2014-01-17

Understanding Juniper Networks FIPS Level 1 Support

juniper

Understanding Juniper Networks FIPS Level 1 Support

Following from Juniper website:

What Is FIPS?

Federal Information Processing Standard (FIPS) are a set of standards that define security requirements for products that implement cryptographic modules used to secure sensitive but unclassified information. The most recent standards are defined in the FIPS Publication 140-2.

The FIPS documents define, among other things, security levels for computer and networking equipment. U.S. Federal Government departments, and other organizations, use FIPS to evaluate the cryptographic capabilities of the equipment they consider for purchase. Cryptographic modules are validated against separate areas of the FIPS specification. An overall certification level is assigned based on the minimum level achieved in any area. Although primarily aimed at environments requiring strict security, FIPS levels are increasingly enforced as qualifying criteria for all U.S. Federal Government contracts. Security-conscious private enterprises might also use FIPS levels as an equipment evaluation benchmark. FIPS levels also serve as a customer-neutral description of vendor requirements. Vendors can engineer security products to FIPS levels and extend the applicability and eligibility of these products across a broad customer base, thereby eliminating exhaustive and time-consuming customer-by-customer product qualification procedures.

What Is FIPS Level 1 Support?

Juniper Networks offers FIPS level 1 support starting with Secure Access Service release 7.4 and Access Control Service release 4.4. Both services use a 140-2 level 1 certified cryptographic module to comply with FIPS. When FIPS level 1 support is enabled applications, such as browsers, accessing the web server must support Transport Layer Security (TLS), the latest version of Secure Socket Layer (SSL). If the platform features hardware acceleration, then for SSL processing SSL hardware acceleration is disabled,  (IPSec hardware acceleration is not affected), as hardware acceleration does not comply with FIPS validation. Only FIPS approved algorithms are used when in FIPS level 1 support is enabled.

Note: You cannot run FIPS level 1 support on a hardware FIPS platform such as the SA6500 FIPS SSL VPN Appliance. For more information on the hardware FIPS platform, see the Secure Access Service Administration Guide and the Access Control Service Administration Guide.

For more information about the Juniper Networks Pulse Cryptography Module, see the security policy PDF Document and the validation certificate. For a complete list of validated FIPS 140-1 and FIPS 140-2 cryptography modules, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2012.

Published: 2014-01-17

FIPS Supported Platforms

The following platforms support FIPS level 1:

  • Junos Pulse Gateway MAG2600
  • Junos Pulse Gateway MAG4610
  • Junos Pulse Gateway MAG6610
  • Junos Pulse Gateway MAG6611
  • Junos Pulse Gateway MAG-SM160
  • Junos Pulse Gateway MAG-SM360
  • Secure Access Service and Access Control Service virtual appliances

Supported Cipher Suites when FIPS Level 1 Support is Enabled

FIPS-ciphers