PROXYSG SSL CRYPTO PROTOCOLS AND ALGORITHMS
Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential
Presentation transcript:

Slide 1: PROXYSG SSL CRYPTO PROTOCOLS AND ALGORITHMS
Thank you for joining today's Blue Coat Customer Support Technical Webcast!
- The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
- Audio broadcast will only go live when the Webcast begins – there will be silence until then
- The Presentation will run approximately 60 minutes
- There will be a 30-minute Q/A session thereafter
- Please submit questions using the Webex Q/A feature!

Slide 2: PROXYSG SSL CRYPTO PROTOCOLS AND ALGORITHMS WEBCAST
Dennis Pike, Principal Systems Engineer
April 14, 2015

Slide 3: AGENDA
- Crypto Protocols and Algorithms
- Recent Trends in SSL
- ProxySG SSL Architecture
- SSL Performance Factors
- Best Practices
- Troubleshooting

Slide 4: SSL CRYPTO PROTOCOLS AND ALGORITHMS

Slide 5: PARTS IS PARTS
- Protocol: SSLv?, TLS1.?
- Handshake algorithm: RSA, DHE, ECDHE
- Authentication / Signing: RSA, DSA, ECDSA
- Bulk Encryption: RC4, 3DES, AES*
- Hash: MD5, SHA1, SHA2/256
Reference: parameters.xhtml#tls-parameters-4

Slide 6: RECENT TRENDS IN SSL

Slide 7: SNOWDEN EFFECT
Started release of classified NSA material in June. Since then:
- Global SSL connections at peak have more than doubled
- Major web properties have gone default HTTPS and moved to more secure ciphers/algorithms
  - 34 of Top 50
  - 8 of Top 10 (baidu and qq are exceptions)
- Web browsers are promoting better security through graphical look and error messages based on the cryptography that is negotiated

Slide 8: HEARTBLEED AND POODLE AND BEAST, OH MY!!!
- Death to SSLv3! Long live TLS1.2!
  - Heartbleed – OpenSSL bug
  - POODLE – SSLv3 fallback exploit
  - BEAST – TLS1.0 CBC exploit
  - Forward Secrecy – private key decrypt (i.e. court order)

Slide 9: GOOGLE WHO?
- MD-5 / SHA-1 -> SHA-2
- All key properties are HTTPS
- ECDHE for key exchange by choice if the browser supports it
- AES-GCM as the bulk cipher if the client supports it and is not Chrome
- CHACHA as the bulk cipher if the client is Chrome

Slide 10: MOZILLA
- It's Hip to be Mod

Slide 11: MOZILLA

Slide 12: THE BIG SHIFT
- January 2014 (charts: Bulk Cipher, Handshake, Protocol)

Slide 13: THE BIG SHIFT
- May 2014
  - Bulk Cipher (AES up, 3DES down)
  - Handshake (ECDHE 21 -> 42%)
  - Protocol (TLS > 54%)
  - Cert Signing (SHA2 5 -> 10%)

Slide 14: SUMMARY
- More, and a higher percentage of, SSL traffic
- Stronger Hash / MAC (MD5 -> SHA-2)
- Stronger Key Exchange Algorithm (Asymmetric Encryption) during Handshake (RSA -> ECDHE)
- Stronger Symmetric Bulk Encryption during Data exchange (RC4/3DES -> AES)
- Stronger Auth / Digital Signing (RSA -> {EC}DSA)

Slide 15: BLUE COAT PROXY SG SSL ARCHITECTURE

Slide 16: SSL INTERCEPT

Slide 17: PERFORMANCE FACTORS

Slide 18: SSL PERFORMANCE INFLUENCERS
- Handshake
  - Protocol -> limited to no impact
  - Certificate Emulation -> expensive, one-time cost *
- Asymmetric Key Exchange
  - Cipher Algorithm: RSA vs DHE vs ECDHE -> DHE is high cost vs RSA/ECDHE
  - Key Size: 1024 vs 2048 vs 4096 -> low/moderate (2048) to high (4096)
- Certificate Digital Signing: RSA vs DSA -> low (only ~5% of sites today)
- Certificate Hash: MD5 vs SHA-1/2 -> low
- Bulk Encryption: RC4 vs AES -> low
- Load: roughly linear up to 80%

Slide 19: PERFORMANCE FACTORS
1. Emulating Certificate: the highest cost operation is the creation of the emulated certificate (highest impact)
2. Wildcard Cert: certificate collision preventing use of the emulated cert
3. Key Exchange CPU Load: RSA < ECDHE < DHE; DHE has 20x higher CPU load than ECDHE

Slide 20: BEST PRACTICES

Slide 21: BEST PRACTICES
- Upgrade to >= SG
  Many new ciphers added, including:
    ECDHE-RSA-AES128-SHA (0xC013)
    ECDHE-RSA-AES256-SHA (0xC014)
    ECDHE-RSA-AES128-SHA256 (0xC027)
    ECDHE-RSA-AES128-GCM-SHA256 (0xC02F)
    ECDHE-RSA-RC4-SHA (0xC011)
  Added ECDSA:
    ECDHE-ECDSA-AES128-SHA256 (0xC023)
    ECDHE-ECDSA-AES128-GCM-SHA256 (0xC02B)
    ECDHE-ECDSA-RC4-SHA (0xC007)
    ECDHE-ECDSA-AES128-SHA (0xC009)
    ECDHE-ECDSA-AES256-SHA (0xC00A)

Slide 22: BEST PRACTICES
- Disable DHE
  - DHE support was introduced but is very CPU intensive
  - Patch has CLI to disable: #co t -> ssl -> proxy dhe-ciphers disable
  - Upgrade to >= , DHE for SSL proxy is now disabled by default (can still be enabled)
- Reduce number of Emulated Certificates
  - Upgrade to , use new CLI to increase certificate cache timeout to tune perf: #co t -> ssl -> proxy set-cert-cache-timeout
  - 72 hours to prevent Monday morning high load
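The "parts" of slide 5 and the cipher-suite list of slide 21 decompose the same way: key exchange, authentication, bulk cipher and mode, hash. The following is an added example, not Blue Coat code and not any SG API, that splits IANA suite names into those parts, flags the components the deck says to move away from (RC4, 3DES, MD5, anonymous DH), and filters a constructed client offer under the slide 22 guidance (DHE rejected unless explicitly re-enabled). The suite IDs from slides 21 and 29 are the real IANA values; 0x002F, 0x0039 and 0x000A are added here for contrast and are not on the slides.

```python
"""Split TLS cipher suites into the parts listed on slide 5 and apply the
slide 21/22 guidance (prefer ECDHE, keep DHE disabled). Added example; this
is not Blue Coat code and the ProxySG exposes no such API."""
import re
from dataclasses import dataclass, field

# IANA cipher-suite IDs and names. 0xC013..0xC00A are the slide 21 suites,
# 0xC028 and 0x0018 come from slide 29; 0x002F, 0x0039 and 0x000A are added
# for contrast (plain RSA, DHE and 3DES) and are not on the slides.
IANA_SUITES = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# TLS_<kx[_auth]>_WITH_<bulk[_mode]>_<hash>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z_]+?)_WITH_(?P<bulk>[A-Za-z0-9_]+?)_(?P<hash>SHA384|SHA256|SHA|MD5)$")


@dataclass
class SuiteParts:
    code: int
    name: str
    key_exchange: str    # RSA, DHE, ECDHE, or DH (anonymous)
    authentication: str  # RSA, ECDSA, or anon
    bulk_cipher: str     # AES_128, AES_256, RC4_128, 3DES_EDE
    mode: str            # GCM, CBC, or stream
    hash_alg: str        # SHA, SHA256, SHA384, MD5 (HMAC hash or PRF)
    forward_secrecy: bool
    high_cpu: bool                         # DHE: ~20x ECDHE cost (slide 19)
    weaknesses: list = field(default_factory=list)


def classify(code: int) -> SuiteParts:
    """Decompose one IANA suite into the slide 5 parts and note weak components."""
    name = IANA_SUITES[code]
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name {name}")
    kx_parts = m.group("kx").split("_")             # "ECDHE_RSA" -> ["ECDHE", "RSA"]
    kx = kx_parts[0]
    auth = kx_parts[1] if len(kx_parts) > 1 else kx  # bare "RSA" = RSA kx and RSA auth
    bulk = m.group("bulk")
    if bulk.endswith(("_GCM", "_CBC")):
        bulk, mode = bulk[:-4], bulk[-3:]
    else:
        mode = "stream"                             # RC4
    weaknesses = []
    if auth == "anon":
        weaknesses.append("anonymous DH: no server authentication")
    if bulk.startswith("RC4") or bulk.startswith("3DES"):
        weaknesses.append(f"{bulk} bulk cipher (deck: RC4/3DES -> AES)")
    if m.group("hash") == "MD5":
        weaknesses.append("MD5 MAC (deck: MD5 -> SHA-2)")
    return SuiteParts(code, name, kx, auth, bulk, mode, m.group("hash"),
                      forward_secrecy=kx in ("ECDHE", "DHE"),
                      high_cpu=(kx == "DHE"), weaknesses=weaknesses)


def negotiable(offered, dhe_enabled=False):
    """Names of the offered suites (client preference order) that pass the
    deck's guidance: no weak component, and DHE only if it was re-enabled."""
    accepted = []
    for code in offered:
        p = classify(code)
        if p.weaknesses or (p.high_cpu and not dhe_enabled):
            continue
        accepted.append(p.name)
    return accepted


# Constructed ClientHello offer (suite codes only), in client preference order.
SAMPLE_OFFER = [0x0039, 0x0018, 0xC011, 0xC02F, 0xC028, 0x002F]

if __name__ == "__main__":
    for code in SAMPLE_OFFER:
        p = classify(code)
        print(f"0x{code:04X} {p.name}: kx={p.key_exchange} auth={p.authentication} "
              f"bulk={p.bulk_cipher}/{p.mode} hash={p.hash_alg} "
              f"FS={p.forward_secrecy} weaknesses={p.weaknesses}")
    print("DHE disabled:", negotiable(SAMPLE_OFFER))
    print("DHE enabled: ", negotiable(SAMPLE_OFFER, dhe_enabled=True))
```

With DHE disabled (the post-patch default on slide 22), the DHE suite drops out of the offer along with the anonymous-DH and RC4 suites, leaving the two ECDHE-RSA suites and the plain RSA suite; re-enabling DHE puts the DHE suite back at the head of the list because the client listed it first.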

Slide 23: BEST PRACTICES
- Wildcard certificates (e.g. *.google.com and others)
  - Different servers have different certs (different expiration, keys, extensions, etc.)
  - SG's emulated certificates are cached using "CN" as the key value
  - SG is seeing these different certs all with the same CN, causing a collision in the certificate cache and forcing SG to re-emulate the certificate
  - Future certificate cache enhancement planned; use the policy resolution below
- Wildcard certificates Resolution
  - Install the following policy (creates a unique instance for each certificate):
    <ssl-intercept>
    ssl.forward_proxy(https) ssl.forward_proxy.splash_text("$(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)")
  - Monitor efficacy using % certificate emulations (= SPS51 / (SPS51 + SPS61))

Slide 24: BEST PRACTICES
- From VPM, edit the SSL-Intercept layer
- Click on "Splash Text" and paste the below text in the box:
  $(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)

Slide 25: BEST PRACTICES
- Set Emulated Certificate Size to 1024
    Blue Coat SG300 Series#conf t
    Enter configuration commands, one per line. End with CTRL-Z.
    Blue Coat SG300 Series#(config)ssl
    Blue Coat SG300 Series#(config ssl)proxy force-emulated-cert-keysize 1024
    ok
  - Valid values: auto, 1024 or 2048
  - Client side certificate, but possible for server side to downgrade

Slide 26: SIZING
- If you haven't enabled SSL Intercept (15% HTTPS, 70% CPU, 6.5 SGOS)
- If you are upgrading to >= 6.5
  - HTTPS utilization has gone up over time
  - 10-15% reduction in throughput
  - Reduction in throughput independent of HTTP

Slide 27: ENCRYPTED TRAFFIC MANAGEMENT SOLUTIONS
ProxySG
- SSL visibility & full Proxy policy control for web traffic only
- Selective decrypt maintains privacy (BCWF categories)
- Feeds decrypted traffic to AV, DLP solutions via ICAP
- Single output stream – Encrypted TAP (optional)
SSL Visibility
- SSL visibility & policy control for ALL SSL traffic (all ports, all traffic)
- Selective decryption maintains privacy (Host Categorization)
- Standalone, high-performance appliance – up to 4Gbps SSL
- Multiple output streams – enhances IDS/IPS, NGFW, DLP, SWG, security analytics / forensics, compliance, malware analysis / sandbox, etc.

Slide 28: TROUBLESHOOTING

Slide 29: OPEN ISSUES
- Cipher compatibility
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  - TLS_DH_anon_WITH_RC4_128_MD5 (0x0018) -> MS Lync Desktop sharing
  - Investigating; workaround: Bypass in SSL Intercept Layer
- Reverse Proxy limitations
  - ECDHE not currently supported
  - Will be added in a future release

Slide 30: TESTING TOOLS
- Client Ciphers
- Server Ciphers

Slide 31: CPU LOAD
- CPU monitor
  - Enable – Create 5 min snapshots (KB3795)
  - Don't change the existing daily or hourly snapshot values

Slide 32: TRAFFIC MIX
- Percentage HTTPS: Statistics > Traffic Details > Traffic Mix

Slide 33: CERTIFICATE EMULATION STATISTICS (SG )
SSL Statistics (in Sysinfo and SSL/Statistics URL) – Certificate Emulation
  SPS51  Total certificates emulated: 2,264
  SPS52  Total RSA 2048 bit key certificates emulated: 2,250
  SPS53  Current cached emulated server certificates: 1,078
  SPS54  Total emulated server certificates added to cache: 1,390
  SPS55  Total emulated server certificates removed from cache due to timeout: 0
  SPS56  Total emulated server certificates removed from cache due to maxsize: 0
  SPS57  Total emulated server certificates removed from cache due to signature mismatch: 312
  SPS58  Total emulated server certificates removed from cache due to config changes: 0
  SPS59  Total emulated server certificates add to cache failures: 874
  SPS61  Total server certificate cache successful lookups: 42,109
  SPS62  Total proxy certificates emulated: 5
  SPS63  Total certificate emulation failures: 0
% certificate emulation change = SPS51 / (SPS51 + SPS61)
In steady state, the % of new emulations should be very small
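Slide 23 describes the collision (cache keyed by CN, several distinct wildcard certs behind one CN) and slide 33 gives the counters that reveal it. The following is an added example, not SG code: a small model of an emulated-certificate cache with a pluggable key function, run over constructed traffic once with a CN-only key and once with the CN plus the slide 23 splash text (serial, valid-from, valid-to). The counter names mirror slide 33; the lookup rule (a cached entry is reused only if the server certificate's signature matches) and the field names are modelled here, not quoted from SG.

```python
"""Model of the emulated-certificate cache behaviour described on slides 23
and 33. Added example; not Blue Coat code. The SPS5x/SPS6x counter names are
taken from slide 33, the lookup rule and fields are modelled assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the server certificate the SG sees."""
    cn: str
    serial: str
    valid_from: str
    valid_to: str
    signature: str   # differs per issued certificate; compared on lookup


def key_by_cn(cert):
    """Cache key as slide 23 describes it: the CN only."""
    return cert.cn


def key_by_cn_and_splash(cert):
    """CN plus the slide 23 splash text, which the policy builds as
    $(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)."""
    return (cert.cn, cert.serial + cert.valid_from + cert.valid_to)


class EmulatedCertCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}
        self.stats = Counter()        # counters named as on slide 33

    def handle(self, cert):
        """Serve one intercepted connection; return True if a new emulation was needed."""
        key = self.key_fn(cert)
        cached = self.entries.get(key)
        if cached is not None and cached.signature == cert.signature:
            self.stats["SPS61"] += 1  # server certificate cache successful lookup
            return False
        if cached is not None:
            self.stats["SPS57"] += 1  # removed from cache due to signature mismatch
        self.stats["SPS51"] += 1      # certificate emulated (the expensive step)
        self.entries[key] = cert
        self.stats["SPS54"] += 1      # emulated certificate added to cache
        return True

    def emulation_pct(self):
        """Slide 33: % certificate emulation = SPS51 / (SPS51 + SPS61)."""
        s51, s61 = self.stats["SPS51"], self.stats["SPS61"]
        return 100.0 * s51 / (s51 + s61) if (s51 + s61) else 0.0


# Constructed traffic: two distinct certificates behind the same wildcard CN,
# served alternately (e.g. different CDN nodes), as slide 23 describes.
CERT_A = ServerCert("*.example.com", "1001", "Jan 1 2015", "Jan 1 2016", "sig-A")
CERT_B = ServerCert("*.example.com", "1002", "Mar 1 2015", "Mar 1 2016", "sig-B")
SAMPLE_TRAFFIC = [CERT_A, CERT_B] * 10


def run(key_fn, traffic=SAMPLE_TRAFFIC):
    cache = EmulatedCertCache(key_fn)
    for cert in traffic:
        cache.handle(cert)
    return cache


if __name__ == "__main__":
    for label, fn in (("CN only", key_by_cn), ("CN + splash text", key_by_cn_and_splash)):
        c = run(fn)
        print(f"{label:17} SPS51={c.stats['SPS51']:3} SPS57={c.stats['SPS57']:3} "
              f"SPS61={c.stats['SPS61']:3} emulation={c.emulation_pct():.1f}%")
```

With the CN-only key every connection after the first finds the other certificate in the slot, evicts it as a signature mismatch and re-emulates, so SPS57 climbs and the emulation ratio stays at 100%; with the splash text in the key each certificate is emulated once and the ratio falls to the small steady-state value slide 33 expects. A rising SPS57 next to a flat SPS61 on a real SG is the signature of this collision.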

Slide 34: SSL PROXY CERTIFICATE CACHE
- Advanced URL: SSL Proxy Certificate Cache, URL_Path /sslproxy/certcache
Certificate Cache Contents
Number of cache entries: 1078
Common Name, Splash Text, Splash URL, Server Keyring
rtax.criteo.com,,
cloudfront.net,,
s3.wpc.edgecastcdn.net,,
beacon.walmart.com,,
*.linkedin.com, FAAB168CFFE4A Apr 17 12:30: GMT Apr 17 12:30: GMT,
beis.cc.iup.edu,,
*.widget.custhelp.com, BAC372720E3496C661336F0Feb 28 00:00: GMTMar 30 23:59: GMT,
ads.dotomi.com,02F7CASep 3 03:33: GMTNov 5 14:50: GMT,
*.wer.microsoft.com,28DB34EB Apr 4 17:56: GMTApr 4 17:56: GMT,
*.ebay.com,,
*.googleusercontent.com,,
*.reson8.com,D3C03378DC74A2ABF36132E69E273C45Jun 2 00:00: GMTJul 21 23:59: GMT,
stage.tracker.springserve.com,,
services.addons.mozilla.org,,
*.tapad.com,024906Jun 2 08:10: GMTSep 3 03:30: GMT,
*.dropbox.com,,
(Splash Text column = $(x-rs-certificate-serial-number) $(x-rs-certificate-valid-from) $(x-rs-certificate-valid-to))

Slide 35

Slide 36: THANK YOU FOR JOINING TODAY!
- Please provide feedback on this webcast and suggestions for future webcasts to:
- Webcast replay and slide deck found here within 48 hours: support-technical-webcasts (Requires BTO log-in)

Slide 37: BLUE COAT CUSTOMER FORUMS
- Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

Slide 38: QUICK SURVEY
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be redirected to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you!
Questions for Dennis?

Slide 39: Questions?

Slide 40: PROXYSG SSL WEBCAST QUESTIONS
- Q1: