SSL Visibility Solution

Presentation transcript:

SSL Visibility Solution

Thank you for joining today’s Blue Coat Customer Support Technical Webcast!
The Webcast will begin just a minute or so after the top of the hour to allow today’s very large audience sufficient time to join.
You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers.
Audio broadcast will only go live when the Webcast begins – there will be silence until then.
The Presentation will run approximately 60 minutes. There will be a 30-minute Q/A session thereafter.
Please submit questions using the Webex Q/A feature!

SSL Visibility Appliance
Blue Coat Support Services Webinar
Manoj Sharma, WW Solutions Architect, June 23rd 2015

Agenda
  About SSL Visibility Appliance
  SSLV & ProxySG
  SSLV Use Cases
  SSLV In Your Network
  PKI Integration
  Policy Engine
  SSL Session Log
  SSLV + Management Center
  Troubleshooting
  Resources

SSL/TLS Traffic is PERVASIVE and Introduces risk
  SSL is estimated at 35 - 50% of network traffic and growing 20% annually*
  >70% in some industries (e.g. healthcare)
  Advanced Persistent Threats (APTs) increasingly use SSL as a transport, e.g. the Dyre trojan (Command & Control)
  >50% of all malware will use SSL by 2017*
  *Source: Gartner

Existing security infrastructure is Insufficient
  Most security solutions are “blind” to SSL: DLP, IDS, Sandbox & Network Forensics
  “Tool-by-Tool” SSL decryption doesn’t work:
    Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*
    Numerous, evolving cryptographic suites
    Certificate and key management complexities
    Additional complexity – arduous scripting
  (Diagram: Network Forensics, DLP, Anti-Malware, Next Gen Firewall, Intrusion Prevention; notes on vendor solutions pending)
  *Sources: NSS Labs, Gartner

SSL Visibility Appliance
  Automatically identify all inbound and outbound SSL / TLS traffic. Not just HTTP (SMTP, SPDY), on any port.
  Connect to GIN (Host Categorization): establish category-based policies to selectively decrypt SSL traffic and maintain compliance
  Feed existing security solutions to expose potential threats
  Avoids high capacity upgrade costs; extends security infrastructure investment
  Assures data integrity of traffic – auditable “loopback”
  (Diagram: Client, Gateway / Firewall, SSL Visibility Appliance, Internet Server and Corporate Servers, with Security Analytics, Sandbox and NG IPS attached and the Global Intelligence Network feeding policy; encrypted and decrypted traffic paths marked ❶ ❷ ❸ ❹)

SSLV: Details
What it does:
  The SSL Visibility Appliance “only” decrypts and re-encrypts selected (defined by policy) inbound and outbound SSL/TLS traffic and feeds the decrypted traffic to attached security devices.
  It can Drop/Reject SSL Traffic based on policy and attached active security devices.
  Attached security devices must understand the underlying protocol to inspect the traffic. Example: Google servers and Google Chrome use SPDY over HTTPS; SSLV will forward the SPDY traffic to the attached security devices.
  By default the SSLV device inspects SSL/TLS traffic on all ports.
What it does not do:
  The SSLV device does not analyze or modify the decrypted traffic.
  The SSLV device can not decrypt the following:
    SSL/TLS sessions that use client side certificates, for outbound SSL/TLS inspection
    Non-standard SSL/TLS implementations
    IPsec
    SSH
    Ad-hoc encryption
  The SSLV device does not support ICAP.

Deployment models
  Active-Inline: SSLV is deployed inline (aka bump-in-the-wire) & an active appliance (one that can drop/reset a connection, e.g. IPS, NGFW, etc.) is attached on two ports (in & out) of the SSLV device.
  Passive-Inline: SSLV is deployed inline (aka bump-in-the-wire) & a passive appliance (IDS, SA, etc.) is connected to a “copy” port.
  Passive-Tap: SSLV is connected to a network tap and feeds decrypted data and native data to passive device(s) connected to its copy port.
  It is possible to have more than one attached security device receiving the decrypted traffic.

Active and passive devices explained
  An Active security device processes decrypted and native traffic from the SSLV appliance and then returns the traffic to the SSLV appliance. Active security devices inspect the traffic and either “allow” or “reject” traffic.
  Examples: IPS, NG Firewall, Network DLP, WAF (in bridge mode)
  A Passive security device simply consumes traffic. These devices work on a copy of the decrypted traffic from the SSLV appliance for monitoring and alerting purposes.
  Examples: IDS, Security Analytics, Full Packet Capturing devices
  Some devices, e.g. FireEye, can be deployed in IPS or IDS mode.

SSL Visibility Appliance: Reference Architecture, Data & Workflow
  Traffic flow: All traffic enters the SSL VA appliance. First decision: is this SSL traffic? If no, move on to the Deployment Model. If yes, look at Policy: if Policy says no, move on to the Deployment Model; if yes, decrypt the traffic and move on to the Deployment Model.
  Policy can also use HCS (Host Categorization Service) to determine if the traffic belongs to site(s) that must or must not be decrypted.
  Syslog messages and SSL session log entries can optionally be sent to one or more remote syslog servers (SIEM/Syslog). SSL Session Log data and statistics collected by SSLV can be exported as files and then converted to .csv files using off-box tools.
  Deployment Model: depending on the Deployment Model the SSL VA appliance will act differently. Note these Deployment Models may be different on each set of interfaces.
    Passive Tap: send to passive device(s).
    Passive Inline: send to passive device(s); re-encrypt and send to destination.
    Active Inline: decrypt traffic; send to inline device(s) and get it back; re-encrypt and send to destination; otherwise drop the flow.
    For Passive Devices, all traffic is either sent to passive device(s) or load balanced across multiple devices.
    For Inline Devices the traffic is sent up to the inline device and the SSL VA appliance waits for it to return; if it returns we assume good. If it got blocked at the Security Device we drop the flow.
    Note that we do not support solutions that modify the TCP connection, like ProxySG, in active inline deployments.
  (Diagram also shows the Global Intelligence Network and a Network HSM. Last Updated: 20.12.2013; May 20, 2015)

SSL Visibility Appliance Family Performance (models: SV800-250M, SV800-500M, SV1800, SV2800, SV3800)
  Total Packet Processing: 8 Gbps, 20 Gbps, 40 Gbps
  SSL Visibility Throughput: 250 Mbps, 500 Mbps, 1.5 Gbps, 2.5 Gbps, 4 Gbps
  Concurrent SSL Flow States (CPS): 20,000, 100,000, 200,000, 400,000
  New Full Handshake SSL sessions (CPS) (i.e. Setups / Tear Downs), 1024-bit keys / 2048-bit keys: 1,000, 2,000, 7,500, 3,000, 10,500, 12,500, 6,000
  Configurations: Fixed; Modular 3 Slots; Modular 7 Slots
  Input / Output: 8 10/100/1000 Copper (fixed); 8 10/100/1000 Copper (fixed); 10/100/1000 Copper or Fiber (fixed); 2x10G-Fiber, 4x1G Copper, 4x1G Fiber Network Mods; 2x10G-Fiber, 4x1G Copper, 4x1G Fiber Network Mods
  Resiliency: FTW / FTA
  NetMods are separate SKUs

SSLV and ProxySG

ProxySG | SSL Visibility Appliance
SSL visibility & full Proxy policy control for web traffic only | Purpose-built, stand alone SSL inspection solution
Full Proxy (TCP Termination) | Only SSL Proxy (TCP is not terminated)
Selective decrypt maintains privacy (BCWF categories) | Selective decryption maintains privacy (Host Categorization)
Feeds decrypted traffic to AV, DLP solutions via ICAP; no support for non-ICAP active security devices | ICAP not supported
Single output stream – Encrypted TAP (optional); only decrypted SSL/TLS traffic available from ETAP | Up to 4Gbps of SSL/TLS traffic inspection; all non-SSL/TLS + all cut-through SSL/TLS + decrypted traffic is available to the attached devices
Support for Connection Forwarding | No support for Connection Forwarding
Policies applied to all Traffic | Policy applied ONLY to SSL/TLS traffic
User Authentication supported | User Authentication not supported
Ability to change/influence the SSL/TLS versions/ciphers used between client and server | Maintains the SSL/TLS protocol and ciphers negotiated between client and server

SSLV and ProxySG - Policy integration
  (Diagram: Security Solution, SSL Visibility Appliance, ProxySG, ProxyAV, DLP, etc.; server certificate CN: Gmail, CA: Verisign is presented to the client as CN: Gmail, CA: ProxySG Cert ✔; encrypted and decrypted traffic paths)

SSLV and ProxySG - Policy integration
  (Diagram: Security Solution, SSL Visibility Appliance, ProxySG, ProxyAV, DLP, etc.; certificate CN: Fidelity, CA: Thawte passes unchanged ✔ and is ignored; encrypted and decrypted traffic paths)
  Description: Customer has Blue Coat ProxySG deployed in the network. SSL interception is enabled on the BC proxy. SSL interception is bypassed for certain BCWF or custom categories.
  Challenge: Customer requires SSL Inspection for other tools within the security stack via the SSL Visibility Appliance (e.g. IPS/IDS, DLP, Forensics, Malware, etc.). Customer requires to bypass SSL interception for the same BCWF or custom categories that are used on ProxySG.
  Solution: The SSL Visibility Appliance is able to intercept SSL based on signing CA certificates. Only SSL traffic with server certificates signed by ProxySG will be intercepted.

Cipher Suites explained
  Examples: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  Components: Protocol (TLS/SSL), Key Exchange, Key Authentication, Encryption, Effective Bits, Hashing Algorithm
  Name: common cipher suite name. TLS ciphers have the TLS_Kx_[Au]_WITH_Enc_MAC format. SSL2 suites only use RSA for key exchange and authentication, so their names have the SSL2_Enc_WITH_MAC format.
  Protocol: Most cipher suites fall into either the TLS or SSL/SSL2 protocols. The only exception is Microsoft's proprietary PCT protocol.
  Kx: Key exchange algorithm. The most popular exchange methods are RSA and Diffie-Hellman (DH/DHE). Some of the more exotic methods include Kerberos (KRB5), Pre-Shared Key (PSK), and others.
  Au: Authentication algorithm. RSA is commonly used for key authentication.
  Enc: Symmetric encryption algorithm (e.g. DES, 3DES, AES, RC4, etc.)
  Bits: Effective symmetric encryption key size in bits. Export ciphers (for export outside the US) are limited to 40-56 bits.
  MAC: Hashing algorithm used for TLS/SSL data packet integrity and authentication checks.
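The naming scheme above, applied in code as an added example (not Blue Coat's code): it splits a suite name into Kx/Au/Enc/Bits/MAC and then derives the kind of "weak cipher" classification a policy list could use. The effective-key-size table and the weakness thresholds are this example's own assumptions.

```python
"""Break TLS/SSL cipher suite names into the components described above.

Added example, not Blue Coat code. It applies the TLS_Kx_[Au]_WITH_Enc_MAC
and SSL2_Enc_WITH_MAC naming scheme; the effective-key-size table and the
weakness rules in weak_reasons() are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Effective key size for Enc tokens that carry no bit count in their name.
# 3DES is counted at its 112 effective bits, not the 168-bit nominal key.
ENC_BITS = {
    "NULL": 0, "DES_CBC": 56, "DES40_CBC": 40, "3DES_EDE_CBC": 112,
    "IDEA_CBC": 128, "SEED_CBC": 128, "CHACHA20_POLY1305": 256,
}
MAC_TOKENS = ("MD5", "SHA", "SHA256", "SHA384", "NULL")


@dataclass
class CipherSuite:
    name: str
    protocol: str        # TLS, SSL (SSLv3-era names) or SSL2
    kx: str              # key exchange algorithm
    au: str              # authentication algorithm
    enc: str             # symmetric cipher token, e.g. AES_256_CBC
    bits: Optional[int]  # effective symmetric key size, None if unknown
    mac: str             # record integrity hash (the PRF hash for AEAD suites)
    export: bool         # export-grade suite (EXPORT token in the name)


def key_bits(enc: str) -> Optional[int]:
    """Use the bit count embedded in the token (AES_256_CBC, RC4_40), else the table."""
    m = re.search(r"(?:^|_)(\d+)(?:_|$)", enc)
    return int(m.group(1)) if m else ENC_BITS.get(enc)


def parse_suite(name: str) -> CipherSuite:
    left, sep, right = name.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a cipher suite name: {name}")
    left_tokens = left.split("_")
    protocol = left_tokens.pop(0)
    if protocol == "SSL2":
        # SSL2_Enc_WITH_MAC: RSA is implied for both key exchange and authentication
        enc = "_".join(left_tokens)
        return CipherSuite(name, protocol, "RSA", "RSA", enc, key_bits(enc), right, False)
    # TLS_Kx_[Au]_WITH_Enc_MAC; an EXPORT/EXPORT1024 token may precede WITH
    export = any(t.startswith("EXPORT") for t in left_tokens)
    left_tokens = [t for t in left_tokens if not t.startswith("EXPORT")]
    kx = left_tokens[0]
    au = left_tokens[1] if len(left_tokens) > 1 else kx  # TLS_RSA_WITH_...: RSA does both
    right_tokens = right.split("_")
    mac = right_tokens.pop() if right_tokens[-1] in MAC_TOKENS else ""
    enc = "_".join(right_tokens)
    return CipherSuite(name, protocol, kx, au, enc, key_bits(enc), mac, export)


def weak_reasons(suite: CipherSuite) -> List[str]:
    """Reasons a policy might classify the suite as weak (assumed thresholds)."""
    reasons = []
    if suite.protocol == "SSL2":
        reasons.append("protocol:SSL2")
    if suite.export:
        reasons.append("export")
    if suite.bits is not None and suite.bits < 128:
        reasons.append(f"bits:{suite.bits}")
    if suite.enc.startswith(("RC4", "DES", "NULL")):
        reasons.append(f"enc:{suite.enc}")
    if suite.mac == "MD5":
        reasons.append("mac:MD5")
    if suite.au in ("anon", "NULL"):
        reasons.append(f"au:{suite.au}")
    return reasons


if __name__ == "__main__":
    for n in ("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
              "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "SSL2_RC4_128_WITH_MD5"):
        s = parse_suite(n)
        print(f"{n}: {s.protocol} kx={s.kx} au={s.au} enc={s.enc} bits={s.bits} "
              f"mac={s.mac} weak={weak_reasons(s) or 'no'}")
```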

Supported SSL/TLS Traffic + Ciphers
  The SSL Visibility Appliance supports SSL processing on TCP in IPv4 and IPv6.
  SSL/TLS Versions Supported: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2. There is partial support for SSL 2.0.
  Public Key Algorithms: RSA, DHE, ECDHE
  Symmetric Key Algorithms: AES, AES-GCM, 3DES, DES, RC4, ChaCha20-Poly1305, Camellia
  Hashing Algorithms: MD5, SHA-1, SHA-2
  Cipher suites supported: Most comprehensive support for cipher suites being used on the internet. Closely follows Google as they change and update the ciphers, etc.
  List: https://bto.bluecoat.com/sites/default/files/tech_pubs/SV2800_SV3800_Admin_3.8.pdf, page 46

Planning a deployment
  Hardware: NetMods, Host Cat License
  Physical Deployment: Deployment modes / Attached security devices; How many segments; HA / Redundant
  Network Setup: Setup Management Port; Need internet access for Host Cat updates (Host Cat database kept locally)
  PKI Integration
  Policy: What should be decrypted?
  Results: Connected devices working better? Export SSL session, audit logs, etc. to a syslog/SIEM

Overload Action
  SSLV provides three options for handling SSL traffic if it sees more SSL traffic than it can process (when the appliance is undersized). This setting is specific to a segment & is not universal.
  Three actions are allowed:
    Cut-Through (default): Additional SSL sessions will be cut-through.
    Drop: Silently drop the connection.
    Reject: Reset the connection.
  A syslog entry is generated when the overload status starts and finishes:
    "Overload on NFE <number>"
    "Recovery on NFE <number>"
  Recovery from the overload state is automatic.

SSL-Enable your active Security devices
  (Diagram: Desktop → Active Security Device: no visibility into encrypted traffic; Desktop → SSL Visibility Appliance → Active Security Device: complete visibility into encrypted traffic)

SSL-Enable your active Security devices
  (Diagram: as above, with multiple Active Security Devices attached to the SSL Visibility Appliance)

SSL-Enable your passive Security devices
  (Diagram: Desktop → Active Security Device: no visibility into encrypted traffic; Desktop → SSL Visibility Appliance → Active Security Devices: complete visibility into encrypted traffic)

Simple active and passive (Inline) deployments
  (Diagram: SSLV with IDS attached, Passive-Inline; SSLV with IPS attached, Active-Inline)

Configuration Options: Fail-to-Wire
  Fail to Wire (FTW) is a generic term we use to indicate connecting the port-pairs together. Fail to wire is the hardware shared by pairs of ports. By wiring the ports appropriately an Active-Inline segment can be FTA or FTN.
  (Diagram: Power Off FTW Configuration)
  FTN = Fail-to-Network: Applicable for the Active-Inline and Passive-Inline deployments. Configuring a segment to Fail To Network (FTN) mode results in traffic bypassing the active appliance in the event of failure.
  FTA = Fail-to-Appliance: Fail to the active appliance connected to the SSLV. Only applicable for the Active-Inline deployments (active appliance attached to SSLV). Traffic continues to flow through the active security device if SSLV fails.

Concepts: HA Option Explained
  High Availability Action: how SSLV behaves when a port/interface goes down.
    Disabled: Appliance does nothing.
    Auto Recovery: If a failure happens and is corrected, the appliance attempts to recover from the failure automatically.
    Manual Reset: Appliance remains in failed mode and a manual intervention is required to recover from the failure. This recovery is initiated from the appliance UI Dashboard.
  Software Failure Options: how SSLV behaves when a software failure occurs.
    Disable Interfaces: all interfaces in the segment are taken offline.
    Drop packets (Auto Recovery): stops packet processing.
    Fail-to-Wire (Auto Recover): the appliance will go into fail-to-wire mode and will recover automatically when the error state has been corrected. This is the default action.
    Fail-to-Wire (Manual Reset): the appliance will go into fail-to-wire mode and a manual intervention is needed to recover from this state.
    Ignore Failure: All failures will be ignored.

SSL-Enable your active Security devices
  (Diagram: Users → SSL Decrypt → IPS Device → Internet; and the same with multiple IPS Devices)

SSL-Enable your passive Security devices
  (Diagram: Users → SSLV → Internet with a Passive Security Device attached; Users → SSL Decrypt → Internet with a Passive Security Device attached)

PKI Integration
  For Inbound SSL Inspection: Known Server Key. Import the Certificates and Keys for all servers you want to inspect SSL traffic to.
  For Outbound SSL Inspection: Certificate Resign, using a CSR or a Self Signed Certificate on SSLV.
  Basic Principles:
    Passive-tap mode: Must have the server key/cert; must not use DHE/ECDHE.
    Inline modes: Known Server Key or Certificate Resigning; DHE/ECDHE not a problem.
    Client Certificates: Only supported for Known Server Key.

PKI Integration: Outbound SSL Inspection
  Self-Signed Certificate:
    Generate a self-signed certificate on SSLV
    Import the self signed cert into the browsers of each client machine (use AD GP update to push the certificate to user devices)
    Use the certificate to resign the SSL sessions
  Certificate Signing Request:
    Generate a Certificate Signing Request on SSLV
    Get the Certificate signed by the enterprise CA
    Install the signed certificate on SSLV
    Use the certificate to resign the SSL sessions

PKI Integration: Inbound SSL Inspection
  Load all Server Certs and Keys on SSLV and use them in a rule to inspect SSL Traffic to your servers (IP, IP List, Subnet, etc.).
  If the Certificates are expired, or do not match, connections to the affected servers will not be inspected.
  You can also use a third party product to manage Certificates and Keys on SSLV.
  Note: If you use DH for key exchange, SSLV must be deployed in-line. For RSA key exchange, you can deploy SSLV on a SPAN/TAP.

Let's Talk Policy
  Policy/Rulesets:
    Condition: IP, Domain Lists, Host Cat., etc.
    Rule: Decrypt, Cut Through, Drop, etc.
    Rule Set: PKI, Resign, Cut-Through, Reject, etc.
  Segment Definition: Active In-Line, Passive In-line, etc.; Default Action for the Segment
  Physical Deployment

Policy Triggers
  First Match: exit the policy/rule set evaluation
  Source: IP (Lists), Network (lists)
  Destination: Port, IP (lists)
  Host Categories (lists)
  C-Name/Domain Name (lists)
  Certificate Status: Valid, Expired, Not-Valid-yet, revoked, self-signed, invalid-signature, Invalid-Issuer
  Cipher Suites (lists): for the Freak and Logjam vulnerabilities
  Heartbleed is automatically detected and the connections are automatically dropped.
  Traffic Class (lists)

Preserve privacy and compliance while enabling security
  Selective Decryption enables ‘Blacklist’ and ‘Whitelist’ Policies
  Host Categorization Service:
    Leverages the Blue Coat Global Intelligence Network
    Utilizes 80+ categories, in 55 languages
    Processes +1.2B web and file requests per day
    Easily customizable per regional and organizational needs
  Policy Examples:
    Block or decrypt traffic from suspicious sites and known malnets
    Bypass / Do not decrypt financial and banking-related traffic

SSLV common Policy Examples: 1
  Block or Reject non-compliant SSL/TLS Traffic:
    with invalid certificates
    with weak ciphers
    that uses a vulnerable SSL version
    traffic that exploits the Heartbleed vulnerability
  Handle invalid Certificates: using a single resign cert, the users will not see the browser warning.
    Rule 1: Use a trusted cert to inspect connections that present a valid cert
    Rule 2: Use an untrusted cert to inspect connections that present an invalid cert

SSLV common Policy Examples: 2
  Using the Host Categorization Service, two approaches:
    Cut-through only the PII categories (or select categories); inspect all the rest
    Inspect the high risk categories
  Log the (inbound) traffic that was not decrypted (missing certs?):
    Rule 1 (Blanket Rule): Decrypt everything coming in
    Rule 2: Decrypt all connections going to Datacenter IPs
    All traffic that did not get decrypted with Rule 1 will be evaluated by Rule 2; these will not be decrypted. SSL Session logs exported to a syslog collector show all traffic that hit Rule 2.

Network HSM and Key/Certificate Management Systems
  Network HSM: Safenet Luna SP
    Use Case: Secure storage for encryption keys and certificates
    SSLV can use an HSM for outbound SSL/TLS inspection. We support: Safenet Luna SP; no other HSM support planned yet.
  Key and Certificate Management: Venafi Trust Platform
    Use Case: Automated management of encryption keys and certificates on all SSL/TLS enabled entities in the network.
    Can be used to manage keys and certificates on SSLV for inbound SSL/TLS inspection.
  Note: the SSL Visibility Appliance does NOT require these devices/services to work.

Managing SSLV appliances: Management Center
  Blue Coat Management Center Version 1.4 is now GA. Management Center v1.4 supports: ProxySG, Content Analysis System, Malware Analysis System, PacketShaper, and SSL Visibility Appliance.
  SSLV Management: Health Monitoring; Inventory; Backup and Restore; Device Synchronization (PKI, Policy/Rulesets, Users)

SSL Session Log
  A log entry is created in the SSL Session Log for each SSL/TLS Flow.
  This information is available on the device. The device keeps 32M log lines.
  Can be sent to up to 8 Syslog collectors/servers.

SSL Session log: more in syslog
  Oct 16 11:09:04 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f8] 1413472158 10.169.102.178:53473 -> 8.12.219.125:443 TLS1.0 TLS_RSA_WITH_RC4_128_MD5 secure.footprint.net rule:11 resign Success(0x0)
  From left to right: System time; Model number; Hostname; Process; Process ID; Segment:SSLV flow id; SSLV display time; Source IP:Port; Dest IP:Port; SSL/TLS Version; Cipher Suite; Domain Name; Rule:#; Action; Message/Error

SSL Visibility: map your SSL/TLS footprint
  SSL Versions seen on the networks: SSL versions have known vulnerabilities; TLS 1.1 and 1.2
  Certificate Status: valid certificates vs invalid certs; you should not see any traffic with an invalid certificate.
  Ciphers used: strong vs weak cipher suites; Freak/Logjam
  Top N SSL Sites by Request
  Users of SSL Traffic
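The session-log field order from the previous slide, the overload/recovery syslog messages, and this footprint mapping, worked through together as an added example (not Blue Coat's code): it parses session-log lines into their fields, counts versions, ciphers and rule hits, flags flows on old SSL versions or weak ciphers, and lists flows that were not decrypted. The extra sample lines, the "cut-through" action string, the overload syslog prefix and the weak-version/weak-cipher rules are this example's own assumptions.

```python
"""Parse SSL Visibility session-log lines and summarize the SSL/TLS footprint.

Added example, not Blue Coat code. Field order follows the session-log line
shown on the slide; the extra sample lines, the "cut-through" action string and
the overload syslog prefix are constructed, and the weak-version/weak-cipher
rules are this example's assumptions.
"""
import re
from collections import Counter

SESSION_RE = re.compile(
    r"^(?P<time>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "   # system time
    r"(?P<model>\S+) (?P<host>\S+) "               # model number, hostname
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: "             # process[process id]
    r"\[(?P<segment>\w+):(?P<flow>[0-9a-f]+)\] "    # segment:SSLV flow id
    r"(?P<epoch>\d+) "                             # SSLV display time
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<version>\S+) (?P<cipher>\S+) (?P<domain>\S+) "
    r"rule:(?P<rule>\d+) (?P<action>\S+) (?P<message>.*)$"
)
# Overload / recovery notices, message text as given in the Overload Action slide
OVERLOAD_RE = re.compile(r"\b(Overload|Recovery) on NFE (\d+)")

WEAK_VERSIONS = {"SSL2.0", "SSL3.0"}                                 # assumed
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "EXPORT", "DES_CBC", "NULL", "anon")  # assumed

SAMPLE_LINES = [
    # the line shown on the slide
    "Oct 16 11:09:04 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f8] 1413472158 "
    "10.169.102.178:53473 -> 8.12.219.125:443 TLS1.0 TLS_RSA_WITH_RC4_128_MD5 "
    "secure.footprint.net rule:11 resign Success(0x0)",
    # constructed lines from here on (documentation IPs and example domains)
    "Oct 16 11:09:05 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f9] 1413472159 "
    "10.169.102.178:53474 -> 203.0.113.10:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
    "www.example.com rule:11 resign Success(0x0)",
    "Oct 16 11:09:06 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012fa] 1413472160 "
    "10.169.102.200:41000 -> 203.0.113.20:443 SSL3.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA "
    "legacy.example.net rule:3 cut-through Success(0x0)",
    "Oct 16 11:09:07 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012fb] 1413472161 "
    "10.169.102.201:41001 -> 203.0.113.30:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "
    "bank.example.org rule:2 cut-through Success(0x0)",
    "Oct 16 11:10:00 sslva-9000 WLOO-SV1800 sslv[1201]: Overload on NFE 0",
    "Oct 16 11:12:30 sslva-9000 WLOO-SV1800 sslv[1201]: Recovery on NFE 0",
]


def parse_session_line(line):
    """Return the session-log fields as a dict, or None for non-session lines."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "epoch", "rule"):
        rec[key] = int(rec[key])
    return rec


def weak_reasons(rec):
    """Why a flow would count as non-compliant under the assumed rules."""
    reasons = []
    if rec["version"] in WEAK_VERSIONS:
        reasons.append("version:" + rec["version"])
    reasons += ["cipher:" + mk for mk in WEAK_CIPHER_MARKERS if mk in rec["cipher"]]
    return reasons


def summarize(lines):
    """Footprint summary: versions, ciphers, rule hits, weak flows, bypassed flows."""
    s = {"versions": Counter(), "ciphers": Counter(), "rule_hits": Counter(),
         "weak": {}, "not_decrypted": [], "overload": []}
    for line in lines:
        ov = OVERLOAD_RE.search(line)
        if ov:
            s["overload"].append((ov.group(1), int(ov.group(2))))
            continue
        rec = parse_session_line(line)
        if rec is None:
            continue
        s["versions"][rec["version"]] += 1
        s["ciphers"][rec["cipher"]] += 1
        s["rule_hits"][rec["rule"]] += 1
        if weak_reasons(rec):
            s["weak"][rec["flow"]] = weak_reasons(rec)
        if rec["action"] != "resign":  # anything not re-signed went through undecrypted
            s["not_decrypted"].append((rec["flow"], rec["domain"], rec["rule"]))
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```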

Troubleshooting
  Basic data collection:
    Device type – SV-1800
    Software version – e.g. v3.6.3-841
    Interfaces – speed/media type
    Deployment model – PT/PI/AI
    Inspection method – KSK/CRS
    Attached appliance(s)
    Problem affects? System; Non SSL traffic; All SSL traffic; Inspected SSL traffic; Subset of traffic
  First stage analysis:
    Software up to date? Update, then analyse if the problem persists
    Problem persists in FTW? Look at the attached appliance
    What does the SSL session log show?
    Are there errors in syslog?
    Is the problem related to client software (browser/OS)?
    Are the KSK on the box up to date?
    Is the problem repeatable? Can you replicate it?

Backup and restore
  Always backup before upgrading:
    Policy: Rulesets, segments and lists
    PKI: All keys and certs
    Users
    Platform: SNMP, NTP, Syslog
  Backup files: All files are backed up separately; protected by a user-entered password; saved in .bin format
  Restore files: When restoring files they must be loaded separately; they require the same password; some files may require the appliance to be rebooted before taking effect

Upgrading the SSL Visibility appliance
  Patch file: Apply via webUI; updates the main partition; all data/config retained; recommended option; reboot required
  NSU file: System update; re-images the main partition; restores factory defaults; retains the mgmt IP address; all data/config lost
  NRU file: Apply via webUI; updates the rescue partition; all data/config retained; rescue image updated after reboot

Resources
  Documentation: Quick Start Guide; Administration and User Guides: https://bto.bluecoat.com/documentation/All-Documents/SSL%20Visibility
  First Steps (Web Guide) for SSLV Deployment: https://bto.bluecoat.com/webguides/sslv/sslva_first_steps/Content/Topics/DeploymentMode/deployment.htm
  Services: Professional Services; Customer Training Courses

Encrypted Traffic Management @BLUECOAT
  (Diagram: SSL Visibility Appliance with Security Analytics, Global Intelligence Network (Policy Enforcement for Host Categorization), Copy Port, Management Center*, ProxySG (In-line Loopback**), Malware Analysis (Real-time file extraction**), HSM, Key Mgmt, DLP, NGFW / IPS, APM / NPM, Sandbox, Forensics; Certified Partners; Additional Proven, Compatible Solutions)
  * Pending capability in MC v1.4 (Q1 FY16); ** Pending capability in v4.x (Q1 / Q2 FY17)

Blue Coat Customer Forums
  Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
  Research, post and reply to topics relevant to you at your own convenience
  Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
  Access at forums.bluecoat.com and register for an account today!

Thank you for Joining Today!
  Please provide feedback on this webcast and suggestions for future webcasts to: john.dyer@bluecoat.com
  Webcast replay and slide deck found here within 48 hours: https://bto.bluecoat.com/training/customer-support-technical-webcasts (Requires BTO log-in)

Questions for Manoj?
  Quick Survey: We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be re-directed to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you!

got ssl? www.bluecoat.com/uncoverssl