SSL implementation and credential provisioning

Deep Security Agent may initiate communication to Deep Security Manager or it may be contacted by the manager if the computer object is set to operate in bi-directional mode. Deep Security Manager treats all connections to agents and appliances in a similar way. If the agent has not been activated, a limited set of interactions is possible. If the agent has been activated (either by an administrator or via the agent-initiated activation feature), the full set of interactions is enabled. Deep Security Manager acts as an HTTP client in all cases, regardless of whether or not it was the client when forming the TCP connection. Agents and appliances cannot ask for data or initiate operations themselves. The manager requests information such as events and status, invokes operations, or pushes configuration to the agent. This security domain is highly controlled to ensure that agents and appliances have no access to Deep Security Manager or the computer on which it is running.

Both agent and manager use two different security contexts to establish the secure channel for HTTP requests:

  1. Before activation, the agent accepts the bootstrap certificate to form the SSL or TLS channel.
  2. After authentication, mutual authentication is required to initiate the connection. For mutual authentication, the manager's certificate is sent to the agent and the agent's certificate is sent to the manager. The agent validates that the certificates come from the same certificate authority (which is the Deep Security Manager) before privileged access is granted.

Once the secure channel is established, the agent acts as the server for the HTTP communication. It has limited access to the manager and can only respond to requests. The secure channel provides authentication, confidentiality through encryption, and integrity. The use of mutual authentication protects against man-in-the-middle (MiTM) attacks where the SSL communication channel is proxied through a malicious third party. Within the stream, the inner content uses GZIP and the configuration is further encrypted using PKCS #7.

It is not recommended to perform SSL/TLS decryption of communications between Deep Security products. Any device or middleware should be configured for TLS passthrough. For instance, if a firewall performs SSL inspection, it decrypts and then re-encrypts the communication, altering the certificate in the process. This alteration causes the certificate to differ from the original one provided. As a result, when the communication from Deep Security Agent reaches Deep Security Manager, the altered certificate is deemed unauthorized.