Using the Sensor to protect encrypted traffic
17 April 2024
ID 203036
The solution involves sending a copy of SPAN traffic and web server logs to the KDP Sensor in real time.
HTTPS traffic protection mechanism without transmitting a secret key
Using a Kaspersky DDoS Protection Sensor lets a Customer's encrypted traffic be "cleaned" as if it were unencrypted. This provides the best possible filtering quality without transmitting an SSL certificate outside of the Customer's infrastructure. To give the Sensor all the information it needs about the encrypted traffic, the Customer's web servers send a log of requests to the Sensor in real time, in UDP syslog format.
A log entry string must contain the following fields:
- server_addr:server_port – IP address and port of the server receiving the request (IP address of the Protected resource);
- remote_addr:remote_port – IP address of the Customer that established the connection with the Protected resource;
- remote_port – port of the Customer;
- time_local – time of the request;
- scheme – application-layer protocol (HTTP or HTTPS);
- request – the HTTP request line;
- status – server response code;
- http_host – value of the Host header in the HTTP request;
- http_referer – value of the Referer header in the HTTP request;
- http_user_agent – value of the User-Agent header in the HTTP request;
- http_accept – value of the Accept header in the HTTP request.
It is strongly recommended that a log entry string also contain the following fields:
- ssl_session_id – ID of the SSL session;
- ssl_session_reused – 1, if the SSL session is used again.
The fields must be separated by two hash characters (##). The line must start with the double delimiter "####" and should preferably end with the "##" delimiter as well.
An example of a correct log:
####10.1.10.113:443##111.11.111.11:3000##02/Jun/2022:16:36:29 +0300##https##GET /api/v1/news?_sort=beginShowDate-&_sort=dateTime- HTTP/1.1##304##online.site.ru##http://localhost/##Mozilla/5.0 (Linux; Android 12; RMX3363 Build/RKQ1.210503.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/101.0.4951.61 Mobile Safari/537.36##
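The following parser for this log format is an added example, not code from the Kaspersky documentation or the Sensor itself; it lets a Customer validate the lines their web server emits before sending them. It assumes the fields appear in the order listed above (the separate remote_port entry being covered by remote_addr:remote_port) and, because the sample line above stops after http_user_agent, treats http_accept and the two SSL fields as optional trailing fields.

```python
from datetime import datetime

DELIM = "##"
# Field names in the order the page lists them. Assumption (not stated on the
# page): fields after http_user_agent may be absent, as in the page's sample.
FIELD_ORDER = (
    "server", "remote", "time_local", "scheme", "request", "status",
    "http_host", "http_referer", "http_user_agent", "http_accept",
    "ssl_session_id", "ssl_session_reused",
)
MIN_FIELDS = 9
# The sample line from the page, used here as test input.
SAMPLE_LINE = (
    "####10.1.10.113:443##111.11.111.11:3000##02/Jun/2022:16:36:29 +0300##https"
    "##GET /api/v1/news?_sort=beginShowDate-&_sort=dateTime- HTTP/1.1##304"
    "##online.site.ru##http://localhost/##Mozilla/5.0 (Linux; Android 12; "
    "RMX3363 Build/RKQ1.210503.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Version/4.0 Chrome/101.0.4951.61 Mobile Safari/537.36##"
)


def parse_sensor_log_line(line: str) -> dict:
    """Validate one '##'-delimited log line; return its fields or raise ValueError."""
    line = line.rstrip("\r\n")
    if not line.startswith(DELIM * 2):
        raise ValueError("line must start with the double delimiter '####'")
    parts = line[len(DELIM) * 2:].split(DELIM)
    if parts and parts[-1] == "":  # the optional trailing '##'
        parts.pop()
    # A '##' inside a request line or header value shifts every later field;
    # the count check catches most such cases and the type checks the rest.
    if not MIN_FIELDS <= len(parts) <= len(FIELD_ORDER):
        raise ValueError(f"expected {MIN_FIELDS}..{len(FIELD_ORDER)} fields, got {len(parts)}")
    rec = dict(zip(FIELD_ORDER, parts))
    for key in ("server", "remote"):  # split 'addr:port' on the last colon
        addr, sep, port = rec.pop(key).rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"{key} must be addr:port")
        rec[f"{key}_addr"], rec[f"{key}_port"] = addr, int(port)
    # time_local as in the sample: 02/Jun/2022:16:36:29 +0300
    rec["time_local"] = datetime.strptime(rec["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    if rec["scheme"] not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not rec["status"].isdigit():
        raise ValueError("status must be a numeric response code")
    rec["status"] = int(rec["status"])
    return rec
```

A receiver that counts rejected lines per source server gives an early warning that a web server's log format drifted from what the Sensor expects.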
In addition, a document with examples of configuration for various web servers can be provided on request to a Customer.
Use of this mechanism does not require transmission of a certificate or of a decrypted copy of the encrypted traffic to the Kaspersky DDoS Protection Sensor. This ensures full compliance with the requirements of various regulators.