Lab 7
Scenario: encrypted attack mitigation

Overview

Description
This lab introduces the Hardware Security Module (HSM) and SSL
decryption capabilities of Pravail APS, which can be used to mitigate DDoS
attacks delivered inside encrypted tunnels.

Objectives
After completing this lab, you will be able to do the following:
• Configure HSM and SSL decryption;
• Analyze attacks mitigated using decryption capabilities of Pravail APS.

Equipment/Tools
The following equipment is required to complete this lab:
• web browser (Chrome or Firefox)
When accessing the training labs, you will be prompted for Training Portal
Authentication. Use the following credentials:
• Login: student54
• Password: 43xXBAJD89

Estimated Completion Time
• The estimated completion time for this lab is 30 minutes.

Student 54 L7-1
Encrypted attack mitigation
Lab 7

HSM initial configuration

1. Ask your instructor to start the SSL attack

2. Verify that the victim is no longer available at

https://victim-pod54.training.arbor.net/

3. Connect to your Pravail APS with the web SSH client (use your student54
login to access web SSH).

Web SSH server address: https://cli.training.arbor.net/ssh/

Pravail APS mgt0 interface IP address: 10.2.25.184

Port: 22

Login: admin

Password: 43xXBAJD89

4. Stop the Pravail APS service (services aps stop)

5. Initialize the HSM module. Choose any officer and user usernames and
passwords. Allow decryption of non-FIPS ciphers and make the credentials
persistent for Pravail APS use:

system hsm init officer_name user_name non-fips persist

6. In a production environment, you should import the private key directly
using SCP or USB storage. In the lab environment, however, we will use
regular clear-text FTP and first transfer the keypair to the disk:

system file copy ftp://10.2.25.129/keypair.pem disk:

7. Import the transferred key. Use any name you like for the key:

system hsm key import key_name disk:keypair.pem

8. Check that the key has been imported successfully:

system hsm key show

9. Delete the PEM file from the disk:

system file delete disk:keypair.pem

10. Start the APS services (services aps start)

L7-2 Student 54 Pravail APS 5.6


11. Save the configuration (config write)
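Decryption only works if the keypair imported into the HSM is the one the victim web server actually uses. The following check is an added example, not part of this lab or of Pravail APS; it assumes a host with the openssl command-line tool, and the victim hostname in it is only a placeholder. It compares the public key derived from a PEM private key with the public key inside a certificate before the key is transferred to the device; for a combined file such as the lab's keypair.pem, pass the same path as both arguments.

```shell
#!/bin/sh
# Added example (not part of the lab or of Pravail APS): verify that a PEM private
# key belongs to a certificate before importing it into the HSM for SSL inspection.
# Assumes the openssl command-line tool is installed.
set -eu

# key_matches_cert KEY.pem CERT.pem
# Succeeds only when the public key derived from the private key is identical to
# the public key carried in the certificate. For a combined keypair.pem, pass the
# same path twice: openssl picks the private-key block and the first certificate.
key_matches_cert() {
    # An unreadable or non-key file makes openssl fail; treat that as a mismatch.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# fetch_server_cert HOSTNAME
# Print the certificate a live HTTPS server presents, so the key can also be
# checked against what clients really see (placeholder: victim-pod54.training.arbor.net).
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Stand-alone usage: key_check.sh KEY.pem CERT.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate"
    else
        echo "MISMATCH: do not import this key" >&2
        exit 1
    fi
fi
```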

Configuration of decryption in Pravail APS

After the HSM is configured, we can enable decryption in Pravail APS.

1. Log back into the web UI of your Pravail APS device. Note that the HSM
Credential Status alert is now cleared.

https://pod54.training.arbor.net/

2. Navigate to Administration -> General

3. Select the Enable SSL Inspection checkbox and save your settings

4. After a minute, verify that the victim web server is available once again
https://victim-pod54.training.arbor.net/

Encrypted attack monitoring

1. Navigate to the Summary page and note the Decrypted Traffic graph in the
SSL Inspection widget
2. Check ATLAS Botnet Prevention. Note that there is new traffic
matching low-level signatures
3. Navigate to the Explore -> Packet Capture page
4. Select your web server protection group in the Protection Group filter, SSL
in the Service filter and ext0 in the Interface filter. Start the packet capture.
5. Take a look at any dropped packet. Note that although the packet was
decrypted, it was dropped due to AIF Botnet Signatures.

This completes the lab exercise. Please let the instructor know that you've finished the
lab and that the attack should now be stopped.
