Customers reported problems with the bank's online services, and the bank was unable to find those user sessions in IBM Tealeaf.
The obstacle was getting to the root cause: the bank's end-customer sessions were missing, so we had to look at every probable cause, including dropped network packets, SSL certificate problems and the internal traffic-forwarding configuration. The Capture server never drops traffic unless PCA rules are defined to do so; we reviewed all the rules and found none that dropped packets. We also examined the SSL certificates and their validity and found that some had expired without being renewed; replacing them fixed some of the traffic inconsistencies. None of the PCA flags on the Summary tab showed any other concern. We then compared traffic statistics from the network F5 switch, but they did not give an accurate picture, because the F5 was forwarding a lot of traffic that the PCA discarded in line with the customer's license and business requirements. Whenever we created a session, or someone from the bank's internal network created one, those sessions always appeared. We also compared a tcpdump taken on the PCA with the IBM Tealeaf traffic reports, which pointed to no probable root cause, so we decided to create sessions from different browsers and browser versions. This worked: we found consistently that sessions from the latest version of Firefox were missing. We then took a tcpdump filtered on that client IP, and analysing it showed the presence of Diffie-Hellman (DH) ciphers.
DH ciphers are not designed to be decrypted by a third party, so when the Capture server sees DH ciphers it simply discards those packets: IBM Tealeaf cannot decrypt that traffic, and no further processing can be done. DH is commonly preferred by modern browsers, so web servers end up negotiating it as the preferred cipher.
We first lowered the priority of the DH ciphers in the web server's cipher list for internal traffic only and tracked whether this had any security impact or caused any other site issues. After successful validation we applied the same change to all traffic, which let the bank see all of its sessions, locate the issues customers had reported and fix them with a much shorter turnaround time.
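As an added example (not part of the original case study, and not IBM Tealeaf or Royal Cyber code), the following Python script parses a constructed TLS 1.2 ServerHello, reads the negotiated cipher suite and reports whether a passive tap holding only the server's RSA private key could recover the session, which is exactly the distinction the tcpdump above revealed and the check to rerun after reordering the server's cipher list. The cipher-suite table is a hand-picked subset of IANA values assumed for the example; the ServerHello bytes are constructed, not captured.

```python
"""Classify the key exchange in a TLS 1.2 ServerHello: a passive tap that holds
only the server's RSA private key can recover RSA key-transport sessions but
never (EC)DHE sessions, whose ephemeral secrets are not sent on the wire."""

# Hand-picked subset of IANA cipher-suite ids -> key-exchange family (assumed table)
CIPHER_SUITES = {
    0x002F: "RSA",    # TLS_RSA_WITH_AES_128_CBC_SHA
    0x009C: "RSA",    # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x0033: "DHE",    # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x009E: "DHE",    # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    0xC013: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC02F: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ServerHello record (sample input, not a real capture)."""
    body = (b"\x03\x03" + bytes(32)                     # version + 32-byte random
            + bytes([len(session_id)]) + session_id     # session_id<0..32>
            + suite.to_bytes(2, "big") + b"\x00")       # cipher_suite + null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # HandshakeType server_hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

def negotiated_suite(record: bytes) -> int:
    """Walk the record and handshake headers and return the chosen cipher-suite id."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                    # skip version, random and session_id
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(body[off:off + 2], "big")

def passively_decryptable(suite: int) -> bool:
    """True only for RSA key transport; unknown suites are treated as not decryptable."""
    return CIPHER_SUITES.get(suite) == "RSA"

def triage(records) -> tuple:
    """Count sessions a key-only passive decryptor would keep versus discard."""
    kept = dropped = 0
    for rec in records:
        if passively_decryptable(negotiated_suite(rec)):
            kept += 1
        else:
            dropped += 1
    return kept, dropped
```

A capture in which every missing session negotiated a DHE or ECDHE suite confirms the key-exchange explanation rather than packet loss or certificate problems.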
Please check out the video for more on IBM Tealeaf and how Royal Cyber can help.