Presentation transcript:

1 Copyright © 2016 Blue Coat Systems Inc. All Rights Reserved.
Live Online Q&A Session!
We are excited to continue the live online Q&A session immediately following today's webcast. Visit the Blue Coat Customer Forums (forums.bluecoat.com) to post your questions; today's presenter, Dennis Pike, will be available to answer live and in person. A link to the Q&A discussion thread will be provided at the conclusion of today's webcast.
Important: A Blue Coat Customer Forums account is required to post questions. Don't have an account? Simply visit forums.bluecoat.com and register now. Post a question for a chance to win a Blue Coat swag package!

2 SSL Decryption Best Practices
Hello and thank you for joining today's Blue Coat Customer Support Technical Webcast!
- The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join.
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers.
- Audio broadcast will only go live when the Webcast begins; there will be silence until then.
- The Presentation will run approximately 60 minutes.
- There will be a 30-minute Q/A session thereafter.
- Please submit questions using the Webex Q/A feature!

3 SSL Decryption Best Practices
Dennis Pike, Principal Systems Engineer

4 Agenda
- SG and SSLV SSL Feature Overview and Comparison
- SG SSL Decryption Best Practices
  - General
  - SSL Proxy
  - SSL Policy
- SSLV Decryption Best Practices
  - General
  - Policy
- Certificate Deployment
- Rollout Methodology
- Common Issues & Troubleshooting

5 SG and SSLV SSL Feature Overview and Comparison

ProxySG Appliance:
- SSL visibility and full Proxy policy control for web traffic (HTTP / HTTPS)
- Selective decrypt maintains privacy via Blue Coat Intelligent Services (BCIS)
- Feeds decrypted traffic to AV, DLP solutions via ICAP
- Single output stream: Encrypted TAP (license-based)

SSL Visibility Appliance:
- Automatic visibility and policy control for all SSL/TLS traffic
- Selective decryption maintains privacy via Host Categorization (license-based)
- Standalone, high-performance appliance: 9 Gbps SSL inspection & decryption
- Multiple output streams
- Enhances IDS/IPS, NGFW, DLP, SWG, security analytics / forensics, compliance, malware analysis / sandbox, etc.

6 SG SSL Decrypt Best Practices: General
- Don't Run Defaults!!!
- Load Concerns
  - ~10-15% CPU baseline increase
  - Higher with: higher % HTTPS (>20%), more demanding cipher suites (DHE, larger keys), low cert cache hit rate
- SG == ASG

7 SG SSL Decrypt Best Practices: SSL Proxy
Tunnel on Protocol Error (i.e. non-HTTPS on 443)
- Benefit: Non-conforming applications will work (Skype).
- Risk: Big security problem. A major reason for running the SSL proxy is to prevent non-HTTPS traffic from burrowing through on port 443. With Tunnel on Protocol Error enabled, that traffic will be allowed out.
- Alternative: Bypass traffic at the service (L3) or SSL Intercept level (SSL).

8 SG SSL Decrypt Best Practices: SSL Intercept Policy
Splash Text for Wildcard Certs

9 SG SSL Decrypt Best Practices: SSL Intercept Policy
What to Bypass
- Client Cert
- Non-protocol compliant
- Pinned
- Privacy Concern

10 SG SSL Decrypt Best Practices: SSL Intercept Policy
How to Bypass: Recommendations
- Service Level Bypass
  - IP only
  - Only Transparent / Not Explicit
  - Complete Bypass
- Disable "Detect Protocol"
  - Service and/or CPL
  - Typically Explicit
  - TCP Tunnel
- Service Level TCP Tunnel
  - Typically Transparent
- SSL Intercept "Do Not Intercept"
  - Still SSL Proxied but not Decrypted
  - Access to Certificate information
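The bypass options on slides 7, 9 and 10 come together in the SSL Intercept layer. The following is an added example and not a slide from the webcast or Blue Coat's own policy: an `<ssl-intercept>` layer that leaves privacy-sensitive categories, client-certificate and pinned applications at "Do Not Intercept" (still SSL proxied, certificate data still visible) and intercepts everyone else. The category names, domains, client subnet and keyring name are placeholders; the condition and property names (`url.category=`, `server_url.domain=`, `client.address=`, `ssl.forward_proxy()`, `ssl.forward_proxy.issuer_keyring()`) are written from memory of the SGOS CPL reference, so check them against the CPL guide for your release before installing.

```cpl
; Added example, not part of the webcast. Placeholders: category names,
; example.com domains, the 10.10.20.0/24 pilot subnet, keyring Intercept_CA.
; Syntax is recalled from the SGOS CPL reference; verify for your release.
<ssl-intercept>
    ; Privacy concern: regulated categories stay encrypted end to end.
    url.category=("Financial Services", "Health")   ssl.forward_proxy(no)

    ; Client-certificate and pinned applications: do not intercept. The
    ; connection is still SSL-proxied, so server certificate data remains
    ; available to policy and logging.
    server_url.domain=client-cert-app.example.com   ssl.forward_proxy(no)
    server_url.domain=pinned-app.example.com        ssl.forward_proxy(no)

    ; Controlled rollout: intercept only the pilot subnet that already has
    ; the issuing CA installed; everyone else is not intercepted yet.
    client.address=10.10.20.0/24   ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(Intercept_CA)
    ssl.forward_proxy(no)
```

Rules in the layer are evaluated top down and the first match wins, so the bypass rules must sit above the catch-all intercept rule; widening the `client.address=` match is then the mechanism for moving from the friends-and-family pilot to a department, a building and finally the whole site.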

11 SG SSL Decrypt Best Practices: SSL Intercept Policy
Intercept On Exception
- Policy denial
- Certificate error
- Error with the SSL handshake
Careful of Default Behavior!!! Can be used to only intercept in order to block traffic, but the user gets an Untrusted Issuer message unless the certificate has been distributed.

12 SG SSL Decrypt Best Practices: SSL Intercept Policy
Category
- Some only available for Explicit, since exposed in CONNECT
- Certificate data is available as long as the Service is intercepting traffic

13 SG SSL Decrypt Best Practices: SSL Access Policy
Cert Validation
- Start with Server Certificate Validation enabled: it is very rare for a site to have a bad cert, and if it does you want to know about it.
- Careful with Internal Sites.
Trust Packages
- Make sure this is updated to the latest.
CRL/OCSP
- Avoid.
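An added example for the certificate-validation guidance above; it is not a slide from the webcast or Blue Coat's own policy. It shows an `<ssl>` layer that keeps server certificate validation on everywhere, carves out a single internal domain whose certificate comes from a private CA, and turns off per-connection revocation checking as the slide recommends. The intranet domain is a placeholder, and the property names (`server.certificate.validate()`, `server.certificate.validate.check_revocation()`) are written from memory of the SGOS CPL reference, so verify them against the CPL guide for your release.

```cpl
; Added example, not part of the webcast. Placeholder: intranet.example.com.
; Syntax is recalled from the SGOS CPL reference; verify for your release.
<ssl>
    ; Internal site signed by a private CA: the better fix is to add that CA
    ; to a trusted CCL; as a stop-gap, relax validation for this domain only
    ; so the exception stays narrow and visible in policy.
    server_url.domain=intranet.example.com   server.certificate.validate(no)

    ; Everything else: validate the server certificate so a bad cert on a
    ; public site surfaces as an error instead of being silently re-signed,
    ; and skip CRL/OCSP lookups on the data path.
    server.certificate.validate(yes)
    server.certificate.validate.check_revocation(no)
```

Keep the exception list short and reviewed: every `server.certificate.validate(no)` rule is a site whose certificate the proxy will re-sign with the trusted intercept CA no matter what the origin presented, which is exactly the failure the "you want to know about it" point on the slide is guarding against.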

14 SSLV Decrypt Best Practices: General
- Defaults are good!

15 SSLV Decrypt Best Practices: Policy
- Default Bypass
- Privacy Concerns

16 Certificate Deployment
- Internal CA
- Methods to push Trusted CA
  - GPO/WSUS/SCCM
  - JAMF
  - MDM
- IE / Chrome vs Firefox

17 Rollout Methodology
- Whitelist vs Blacklist
- Controlled
  - Friends and Family
  - Departmental
  - Building / Floor

18 Common Issues and Troubleshooting
- HTTP issues exposed: Auth, Policy, ICAP
- CPL troubleshooting
- PCAP (proxy vs ICAP)
- Fiddler
- ETAP

19 Common Issues and Troubleshooting
- Policy Trace
- Debug
  - SSL: :8082/sslproxy/Debug
  - HTTP: :8082/HTTP/Debug

20 Thank You

21 Blue Coat Customer Forums
- Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

22 Thank You for Joining Today!
- Please provide feedback on this webcast and suggestions for future webcasts to:
- Webcast replay and slide deck found here within 48 hours: webcasts (Requires BTO log-in)

23 Quick Survey
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be redirected to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you!
Questions for Dennis?