Posted to user@guacamole.apache.org by Don Eugene Paul Viado <de...@yahoo.com.INVALID> on 2022/12/06 01:35:03 UTC

Guacamole over proxy

Hi,
If the guacamole is accessed from a transparent proxy environment e.g. (About SSL Inspection | Zscaler)
May I know what kind of information can be extracted or replayed? Does guacamole support perfect forward secrecy on sessions?
Is there possibility to see in clear the user sessions or worst access the guacamole without authentication?
I assume that in such case it will be limited to the session that was captured and is not able to compromise the entire Guacamole without proper authentication and 2FA?
Hope someone can provide more inputs how to better tighten the security in Guacamole in such kind of environments.
Thanks in advance.


Re: Guacamole over proxy

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Dec 6, 2022 at 9:55 PM Don Eugene Paul Viado
<de...@yahoo.com.invalid> wrote:
>
> Hi Nick,
>
> Very well explained and thanks for the detailed information.
> Yes.  I can say that SSL inspection is definitely turned on cause the SSL certificate presented is from ZScaler not from my web server.
> As such, they do have means to hijack the authentication using tokens.  But I guess it will only be effective on the validity of session for e.g.
> With 2FA will be harder to create new sessions once the old one expires.
>

Yes, some of these items - like 2FA and shortened token lifetime -
will help mitigate the risk.

But, that brings up the real question: What risk are you concerned
about and trying to protect against? Zscaler, the company (or its
employees), doing something nefarious with data they have access to
regarding your systems? Your network admin or security team misusing
the data they might be able to inspect? Or an external attacker
hacking Zscaler and then being able to get into your systems because
they've compromised Zscaler? And, then you have to ask: what other
data and/or systems, outside of the ones Guacamole would be connecting
to, might they be inspecting? Other web sites that require login
credentials - either inside or outside a network? Sites or services
processing PII data? From there you can determine what _reasonable_
mitigations are - ask the security team to bypass SSL inspection for
the Guacamole server, or accept the risk and choose to trust Zscaler,
or unplug the computer because you can't fully trust anyone and the
most secure computer is the one that is powered off :-).

-Nick
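Nick's reply above names 2FA and a shortened token lifetime as mitigations for a captured session. The block below is an added example of mine, not code from this thread or from the Guacamole project, showing the detection side of the same concern: it runs over a few constructed Tomcat-style access-log lines and flags a Guacamole auth token that is used from more than one client address, or that is still being served after a gap longer than the inactivity timeout the server is supposed to enforce. The addresses, timestamps, token values and the 60-minute timeout are constructed assumptions; the request paths are only sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat-style access-log lines (default "%h %l %u %t \"%r\" %s %b"
# pattern). Addresses, times, token values and paths are invented for this
# example; real tokens are long random strings and should be redacted in alerts.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2022:09:00:01 +0800] "GET /guacamole/api/session/data/postgresql/connections?token=AAA111 HTTP/1.1" 200 512
10.0.0.5 - - [06/Dec/2022:09:05:12 +0800] "GET /guacamole/api/session/tunnels?token=AAA111 HTTP/1.1" 200 128
203.0.113.9 - - [06/Dec/2022:09:06:40 +0800] "GET /guacamole/api/session/data/postgresql/connections?token=AAA111 HTTP/1.1" 200 512
10.0.0.7 - - [06/Dec/2022:08:00:00 +0800] "GET /guacamole/api/session/tunnels?token=BBB222 HTTP/1.1" 200 128
10.0.0.7 - - [06/Dec/2022:10:30:00 +0800] "GET /guacamole/api/session/tunnels?token=BBB222 HTTP/1.1" 200 128
10.0.0.8 - - [06/Dec/2022:10:31:00 +0800] "GET /guacamole/api/session/tunnels?token=CCC333 HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"[?&]token=([^&\s]+)")


def parse_line(line):
    """Return (timestamp, client address, token, status) for a request that
    carries a Guacamole auth token in its query string, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.search(m.group("target"))
    if not t:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return when, m.group("addr"), t.group(1), int(m.group("status"))


def analyse(log_text, inactivity_timeout=timedelta(minutes=60)):
    """Group served (2xx) requests by token and report two anomalies:
    a token used from more than one client address, and a token still being
    served after a gap longer than the configured inactivity timeout (the
    server should have expired it in between)."""
    by_token = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and 200 <= rec[3] < 300:
            by_token[rec[2]].append((rec[0], rec[1]))

    findings = {}
    for token, uses in by_token.items():
        uses.sort()
        notes = []
        addrs = sorted({addr for _, addr in uses})
        if len(addrs) > 1:
            notes.append("used from %d client addresses: %s" % (len(addrs), ", ".join(addrs)))
        for (prev, _), (cur, _) in zip(uses, uses[1:]):
            gap = cur - prev
            if gap > inactivity_timeout:
                notes.append("served %d min after previous use; inactivity timeout is %d min"
                             % (gap.total_seconds() // 60, inactivity_timeout.total_seconds() // 60))
        if notes:
            findings[token] = notes
    return findings


if __name__ == "__main__":
    # Print redacted token prefixes only; the full value is a bearer credential.
    for token, notes in analyse(SAMPLE_LOG).items():
        print(token[:4] + "...", notes)
```

The address rule is noisy for users who roam between networks, so in practice it pairs with the second rule and with the token lifetime you actually configure; the point is that a replayed token leaves a trace in ordinary access logs, which is the "disruption that becomes obvious" Nick refers to.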

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Guacamole over proxy

Posted by Don Eugene Paul Viado <de...@yahoo.com.INVALID>.
Hi Nick,
Very well explained and thanks for the detailed information.
Yes. I can say that SSL inspection is definitely turned on cause the SSL certificate presented is from ZScaler not from my web server.
As such, they do have means to hijack the authentication using tokens. But I guess it will only be effective on the validity of session for e.g.
With 2FA will be harder to create new sessions once the old one expires.

Thanks and Regards,
Don
On Tuesday, 6 December 2022 at 10:36:39 am SGT, Nick Couchman <vn...@apache.org> wrote:
 

Re: Guacamole over proxy

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Dec 5, 2022 at 9:20 PM Michael Jumper <mj...@apache.org> wrote:
>
> On Mon, Dec 5, 2022 at 5:35 PM Don Eugene Paul Viado <de...@yahoo.com.invalid> wrote:
>>
>> Hi,
>>
>> If the guacamole is accessed from a transparent proxy environment e.g. (About SSL Inspection | Zscaler)
>> May I know what kind of information can be extracted or replayed?  Does guacamole support perfect forward secrecy on sessions?
>> Is there possibility to see in clear the user sessions or worst access the guacamole without authentication?
>> I assume that in such case it will be limited to the session that was captured and is not able to compromise the entire Guacamole without proper authentication and 2FA?
>> Hope someone can provide more inputs how to better tighten the security in Guacamole in such kind of environments.
>
>
> Guacamole relies on SSL/TLS for security of the connection to the server. You should not use _any_ web application in an environment where you cannot trust TLS.
>
> I don't believe there is any countermeasure that could be developed that a corporate firewall vendor would not eventually work around. TLS is already designed to do exactly this.
>

Just to add a bit more context to this, as my Day Job uses Zscaler,
let's be clear about what capabilities of Zscaler we're talking about:

* Transparent Proxy - aka Zero Trust, is the VPN Replacement
functionality of Zscaler, and simply proxies traffic between a remote
endpoint (client laptop/desktop/phone) and internal, protected
resources (servers, applications, etc.). I'm sure there are a variety
of configurations that can be done with this, but my Day Job
configuration does NOT do interception of SSL traffic between the
client endpoints and protected, internal resources. This means my
Guacamole sessions are not intercepted and decrypted by Zscaler.
Again, I'm sure there are a variety of configurations, but just
because a company is using Zscaler as a zero-trust, VPN replacement,
does not mean that it is decrypting all of that traffic.

* SSL Inspection - This is generally done for malware protection and
legal compliance, and involves the Zscaler service intercepting HTTPS
(SSL/TLS) traffic, and decrypting it, inspecting it, and then
re-writing it. This would mean that the intermediate system (Zscaler)
would have access to the unencrypted Guacamole traffic, including
keystrokes and mouse movement, credentials, and image data returned
from the remote system. As Mike points out, Guacamole relies on you
being able to trust the entire SSL/TLS chain, so if you can't trust
Zscaler's SSL Inspection, you can't trust the connection. I'm sure
Zscaler has policies about what is done with the intercepted sessions
and data, as there would be a lot of sensitive data that would pass
through SSL inspection (banking, PII, government, etc.).

THAT SAID - there are a couple of things to caveat this with:
* Just because SSL inspection is being done does not mean that the
authentication mechanisms of Guacamole would be bypassed. Someone
abusing/exploiting the Zscaler intermediate system would still have to
obtain the credentials and log in to the remote Guacamole server, and
then have the credentials for the remote system and log in to that.
Yes, they'd be able to obtain those credentials, or watch the traffic
passing back-and-forth, but just because there is some MITM (legit or
otherwise) between client and Guacamole doesn't mean that all of the
authentication mechanisms are suddenly bypassed or ineffective. They
could potentially leverage other attacks - trying to inject data into
the session, or reuse an existing token - but those things are likely
going to generate disruptions that will become obvious and not allow
the attacker to remain hidden.
* SSL Inspection is not something that is generally 100% hidden. You
can see when this is happening by inspecting the certificate of the
remote server and making sure it is the one you expect and trust. When
Zscaler does SSL inspection, it has to *replace* the certificate
presented to the client with one that it generates on its own. Other
SSL inspection (DPI) solutions do the same thing - in my previous life
we used Palo Alto's SSL inspection mechanism, and it worked exactly
the same way. The up-shot is that, if you look at the SSL certificate
for the Guacamole server on the client (browser) side, you'll see
evidence of the SSL inspection in the form of a wildcard certificate
issued by Zscaler (Palo Alto, etc.) instead of the specific
certificate for your Guacamole server. A lot of companies (like the
one I work for) install the Zscaler wildcard as a trusted certificate
on all of the systems that they deploy so that users won't be bothered
with warnings about insecure sites, but you can still see it if you
look. Obviously teaching your users to go look may not be what you
want to do, but the point is that there is something that indicates
that a certificate switch has been made.

-Nick
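Nick's second caveat, that SSL inspection shows up as a replaced certificate (a wildcard issued by the inspection vendor instead of your server's own), can be turned into a check rather than something users have to remember to look for. The block below is an added example of mine, not code from this thread or from the Guacamole project: it fetches the leaf certificate with Python's standard ssl module and compares fingerprint, issuer and names against a pinned expectation, flagging the certificate switch. The host name, issuer CA, fingerprint placeholder and the two sample certificate records (one genuine, one intercepted) are constructed; the issuer name on the intercepted sample is made up and is not a real Zscaler CA name.

```python
import hashlib
import socket
import ssl

# Pinned expectation for a hypothetical Guacamole server. In practice, record the
# SHA-256 fingerprint of your server's real leaf certificate once, from a network
# path you trust, and store it here; the values below are placeholders.
EXPECTED = {
    "host": "guac.example.internal",     # hypothetical host name
    "sha256": "00" * 32,                 # placeholder fingerprint, replace with yours
    "issuer_cn": "Example Internal CA",  # hypothetical issuing CA
}

# Two constructed certificate records in the shape ssl.SSLSocket.getpeercert()
# returns. GENUINE is what the pinned server would present; INTERCEPTED is what a
# TLS-inspecting proxy typically presents: a wildcard re-issued under its own CA.
GENUINE = {
    "subject": ((("commonName", "guac.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "guac.example.internal"),),
    "sha256": "00" * 32,
}
INTERCEPTED = {
    "subject": ((("commonName", "*.example.internal"),),),
    "issuer": ((("organizationName", "Zscaler"),),
               (("commonName", "Example Inspection CA"),)),  # constructed, not a real CA name
    "subjectAltName": (("DNS", "*.example.internal"),),
    "sha256": "ab" * 32,
}


def _rdn_to_dict(rdns):
    """Flatten the nested RDN tuples from getpeercert() into a plain dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def fetch_cert_info(host, port=443, timeout=5.0):
    """Connect with the default verifying context and return the leaf certificate
    in getpeercert() shape, plus the SHA-256 fingerprint of its DER encoding.
    A verification failure here (untrusted chain) is itself worth reporting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = dict(tls.getpeercert())
    info["sha256"] = hashlib.sha256(der).hexdigest()
    return info


def detect_interception(info, expected=EXPECTED):
    """Return a list of findings; an empty list means the presented certificate
    is exactly the one pinned in `expected`."""
    findings = []
    subject = _rdn_to_dict(info.get("subject", ()))
    issuer = _rdn_to_dict(info.get("issuer", ()))
    names = [v for k, v in info.get("subjectAltName", ()) if k == "DNS"]
    if subject.get("commonName"):
        names.append(subject["commonName"])

    # 1. Fingerprint pin: the strongest signal, independent of what any CA says.
    if info.get("sha256", "").lower() != expected["sha256"].lower():
        findings.append("fingerprint mismatch: leaf certificate is not the pinned one")
    # 2. Issuer: an inspecting proxy has to re-issue under its own CA.
    if issuer.get("commonName") != expected["issuer_cn"]:
        findings.append("unexpected issuer: %r" % issuer.get("commonName"))
    # 3. Wildcard where a host-specific certificate is expected.
    wildcards = [n for n in names if n.startswith("*.")]
    if wildcards:
        findings.append("wildcard name(s) on a certificate that should be host-specific: "
                        + ", ".join(wildcards))
    # 4. The certificate must still cover our host, or the browser would warn;
    #    a wildcard only covers one label, as in browser matching rules.
    host = expected["host"]
    covered = host in names or any(host.endswith(w[1:]) and host.count(".") == w.count(".")
                                   for w in wildcards)
    if not covered:
        findings.append("certificate does not cover %s" % host)
    return findings


if __name__ == "__main__":
    for label, rec in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, detect_interception(rec) or ["ok: pinned certificate presented"])
    # Live check against the real server (network access required):
    # print(detect_interception(fetch_cert_info(EXPECTED["host"])))
```

Because the inspection CA is usually installed as trusted on managed endpoints, the default verifying context will accept the replaced certificate without error, which is exactly why the check compares against a pinned fingerprint and issuer rather than relying on chain validation alone.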



Re: Guacamole over proxy

Posted by Michael Jumper <mj...@apache.org>.
On Mon, Dec 5, 2022 at 5:35 PM Don Eugene Paul Viado
<de...@yahoo.com.invalid> wrote:

> Hi,
>
> If the guacamole is accessed from a transparent proxy environment e.g. (About
> SSL Inspection | Zscaler
> <https://help.zscaler.com/zia/about-ssl-inspection>)
> May I know what kind of information can be extracted or replayed?  Does
> guacamole support perfect forward secrecy on sessions?
> Is there possibility to see in clear the user sessions or worst access the
> guacamole without authentication?
> I assume that in such case it will be limited to the session that was
> captured and is not able to compromise the entire Guacamole without proper
> authentication and 2FA?
> Hope someone can provide more inputs how to better tighten the security in
> Guacamole in such kind of environments.
>

Guacamole relies on SSL/TLS for security of the connection to the server.
You should not use _any_ web application in an environment where you cannot
trust TLS.

I don't believe there is any countermeasure that could be developed that a
corporate firewall vendor would not eventually work around. TLS is already
designed to do exactly this.

- Mike