SSL Visibility Solution


1 SSL Visibility Solution
Thank you for joining today's Blue Coat Customer Support Technical Webcast!
The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join.
You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers.
Audio broadcast will only go live when the Webcast begins; there will be silence until then.
The presentation will run approximately 60 minutes. There will be a 30-minute Q/A session thereafter.
Please submit questions using the Webex Q/A feature!

2 SSL Visibility APPLIANCE
Blue Coat Support Services Webinar Manoj Sharma, WW Solutions Architect June 23rd 2015

3 Agenda
- About SSL Visibility Appliance
- SSLV & ProxySG
- SSLV Use Cases
- SSLV In Your Network
- PKI Integration
- Policy Engine
- SSL Session Log
- SSLV + Management Center
- Troubleshooting
- Resources

4 SSL/TLS Traffic is PERVASIVE and Introduces risk
- SSL is estimated at % of network traffic and growing 20% annually*
- >70% in some industries (e.g. healthcare)
- Advanced Persistent Threats (APTs) increasingly use SSL as a transport, e.g. the Dyre trojan (Command & Control)
- >50% of all malware will use SSL by 2017*
*Source: Gartner

5 Existing security infrastructure is Insufficient
Diagram labels: NETWORK FORENSICS, DLP, ANTI-MALWARE, NEXT GEN FIREWALL, INTRUSION PREVENTION
- Most security solutions are "blind" to SSL: DLP, IDS, Sandbox & Network Forensics
- "Tool-by-tool" SSL decryption doesn't work
- Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*
- Numerous, evolving cryptographic suites
- Certificate and key management complexities
- Additional complexity: arduous scripting
*Sources: NSS Labs, Gartner

6 SSL Visibility Appliance
- Automatically identify all inbound and outbound SSL / TLS traffic, not just HTTP (SMTP, SPDY), on any port
- Connect to GIN (Host Categorization)
- Establish category-based policies to selectively decrypt SSL traffic and maintain compliance
- Feed existing security solutions to expose potential threats
- Avoids high capacity upgrade costs
- Extends security infrastructure investment
- Assures data integrity of traffic: auditable "loopback"
Diagram labels: INTERNET, SERVER, CLIENT, SECURITY ANALYTICS, GLOBAL INTELLIGENCE NETWORK, GATEWAY / FIREWALL, SANDBOX, SSL VISIBILITY APPLIANCE, NG IPS, CORPORATE SERVERS; encrypted traffic vs. decrypted traffic

7 SSLV: Details What does it do What it does not do
What it does
- The SSL Visibility Appliance "only" decrypts and re-encrypts selected (policy-defined) inbound and outbound SSL/TLS traffic and feeds the decrypted traffic to attached security devices.
- It can drop/reject SSL traffic based on policy and on attached active security devices.
- Attached security devices must understand the underlying protocol to inspect the traffic. Example: Google servers and Google Chrome use SPDY over HTTPS; SSLV will forward the SPDY traffic to the attached security devices.
- By default the SSLV device inspects SSL/TLS traffic on all ports.
What it does not do
- The SSLV device does not analyze or modify the decrypted traffic.
- The SSLV device cannot decrypt SSL/TLS sessions that use client-side certificates (for outbound SSL/TLS inspection) or non-standard SSL/TLS implementations, and it cannot decrypt IPsec, SSH or ad-hoc encryption.
- The SSLV device does not support ICAP.

8 Deployment models Active-Inline: Passive-Inline: Passive-Tap:
Active-Inline: SSLV is deployed inline (aka bump-in-the-wire) and an active appliance (one that can drop/reset a connection, e.g. IPS, NGFW, etc.) is attached on two ports (in & out) of the SSLV device.
Passive-Inline: SSLV is deployed inline (aka bump-in-the-wire) and a passive appliance (IDS, SA, etc.) is connected to a "copy" port.
Passive-Tap: SSLV is connected to a network tap and feeds decrypted data and native data to the passive device(s) connected to its copy port.
It is possible to have more than one attached security device receiving the decrypted traffic.

9 Active and passive devices explained
An active security device processes decrypted and native traffic from the SSLV appliance and then returns the traffic to the SSLV appliance. Active security devices inspect the traffic and either "allow" or "reject" it. Examples: IPS, NG Firewall, Network DLP, WAF (in bridge mode).
A passive security device simply consumes traffic. These devices work on a copy of the decrypted traffic from the SSLV appliance for monitoring and alerting purposes. Examples: IDS, Security Analytics, full packet capture devices.
Some devices, e.g. FireEye, can be deployed in either IPS or IDS mode.

10 SSL VISIBILITY APPLIANCE: Reference Architecture: DATA & WORKFLOW
Diagram labels: GLOBAL INTELLIGENCE NETWORK; Traffic Flow; Is Traffic Encrypted?; Apply Policy; Decrypt Traffic; DEPLOYMENT MODEL; PASSIVE TAP (send to passive device(s)); PASSIVE INLINE (send to passive device(s), re-encrypt and send to destination); ACTIVE INLINE (send to inline device(s) and get back, re-encrypt and send to destination, or drop flow); SIEM/Syslog; Network HSM
All traffic enters the SSL VA appliance. The first decision is whether this is SSL traffic: if not, move on to the deployment model; if yes, look at policy. If policy says no, move on to the deployment model; if yes, decrypt the traffic and then move on to the deployment model.
Policy can also use HCS (Host Categorization Service) to determine whether the traffic belongs to site(s) that must or must not be decrypted.
Syslog messages and SSL session log entries can optionally be sent to one or more remote syslog servers. SSL session log data and statistics collected by SSLV can be exported as files and then converted to .csv files using off-box tools.
Depending on the deployment model the SSL VA appliance will act differently. Note that the deployment model may be different on each set of interfaces. For passive devices, all traffic is either sent to the passive device(s) or load balanced across multiple devices. For inline devices the traffic is sent up to the inline device and the SSL VA appliance waits for it to return; if it returns we assume good, and if it got blocked at the security device we drop the flow. Note that we do not support solutions that modify the TCP connection, like ProxySG, in active-inline deployments.

11 SSL VISIBILITY appliance Family Performance
Models (left to right): SV M, SV M, SV1800, SV2800, SV3800
Total Packet Processing: 8 Gbps; 20 Gbps; 40 Gbps
SSL Visibility Throughput: 250 Mbps; 500 Mbps; 1.5 Gbps; 2.5 Gbps; 4 Gbps
Concurrent SSL Flow States (CPS): 20,000; 100,000; 200,000; 400,000
New Full Handshake SSL sessions (CPS, i.e. setups / tear-downs), 1024-bit keys and 2048-bit keys: 1,000; 2,000; 7,500; 3,000; 10,500; 12,500; 6,000
Configurations: Fixed; Modular, 3 slots; Modular, 7 slots
Input / Output: 8x 10/100/1000 copper (fixed); 8x 10/100/1000 copper (fixed); 10/100/1000 copper or fiber (fixed); 2x10G fiber, 4x1G copper, 4x1G fiber NetMods; 2x10G fiber, 4x1G copper, 4x1G fiber NetMods
Resiliency: FTW / FTA
NetMods are separate SKUs

12 SSL Visibility Appliance
SSLV and ProxySG compared (ProxySG | SSL Visibility Appliance):
- SSL visibility & full proxy policy control for web traffic only | Purpose-built, stand-alone SSL inspection solution
- Full proxy (TCP termination) | SSL proxy only (TCP is not terminated)
- Selective decryption maintains privacy (BCWF categories) | Selective decryption maintains privacy (Host Categorization)
- Feeds decrypted traffic to AV, DLP solutions via ICAP; no support for non-ICAP active security devices | ICAP not supported
- Single output stream: Encrypted TAP (optional); only decrypted SSL/TLS traffic is available from the ETAP | Up to 4 Gbps of SSL/TLS traffic inspection; all non-SSL/TLS traffic, all cut-through SSL/TLS traffic and the decrypted traffic are available to the attached devices
- Support for Connection Forwarding | No support for Connection Forwarding
- Policies applied to all traffic | Policy applied only to SSL/TLS traffic
- User authentication supported | User authentication not supported
- Ability to change/influence the SSL/TLS versions/ciphers used between client and server | Maintains the SSL/TLS protocol and ciphers negotiated between client and server

13 SSLV and Proxy SG - Policy integration
Diagram: client to ProxySG to SSL Visibility Appliance to security solution (ProxyAV, DLP, etc.); server certificate CN: Gmail, CA: Verisign on the outside, CN: Gmail, CA: ProxySG Cert on the inside; encrypted traffic vs. decrypted traffic

14 SSLV and Proxy SG - Policy integration
Diagram: CN: Fidelity, CA: Thawte on both sides of the ProxySG (not intercepted); the SSL Visibility Appliance ignores it and the security solution (ProxyAV, DLP, etc.) sees only encrypted traffic
Description: Customer has Blue Coat ProxySG deployed in the network. SSL interception is enabled on the BC proxy, and SSL interception is bypassed for certain BCWF or custom categories.
Challenge: Customer requires SSL inspection for other tools within the security stack via the SSL Visibility Appliance, e.g. IPS/IDS, DLP, Forensics, Malware, etc.
Challenge: Customer requires SSL interception to be bypassed for the same BCWF or custom categories that are used on ProxySG.
Solution: The SSL Visibility Appliance is able to intercept SSL based on the signing CA certificate. Only SSL traffic with server certificates signed by ProxySG will be intercepted.

15 Ciphers Suites explained
Examples: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Fields, left to right: Protocol (TLS/SSL), Key Exchange, Key Authentication, Encryption, Effective Bits, Hashing Algorithm
Name: the common cipher suite name. TLS cipher suites have the TLS_Kx_[Au]_WITH_Enc_MAC format. SSL2 only uses RSA for key exchange and authentication, so its names have the SSL2_Enc_WITH_MAC format.
Protocol: Most cipher suites fall under either the TLS or the SSL/SSL2 protocols. The only exception is Microsoft's proprietary PCT protocol.
Kx: Key exchange algorithm. The most popular exchange methods are RSA and Diffie-Hellman (DH/DHE). Some of the more exotic methods include Kerberos (KRB5), Pre-Shared Key (PSK) and others.
Au: Authentication algorithm. RSA is commonly used for key authentication.
Enc: Symmetric encryption algorithm (e.g. DES, 3DES, AES, RC4, etc.)
Bits: Effective symmetric encryption key size in bits. Export ciphers (for export outside the US) were limited to a reduced number of bits.
MAC: Hashing algorithm used for integrity and authentication checks on TLS/SSL data packets.
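The naming scheme above can be turned into a small parser that splits any IANA-style suite name into the Kx, Au, Enc, Bits and MAC fields and flags the combinations a policy would normally reject. This is an added example written for this transcript, not code from the appliance or from Blue Coat; the weak/strong classification tables and the fixed key sizes for algorithms whose size is not in the name are the editor's own assumptions.

```python
import re

# Editor's classification tables (assumptions, not the appliance's): symmetric
# algorithms and MACs that current guidance treats as weak, and the key-exchange
# methods that give forward secrecy.
WEAK_ENC = {"NULL", "RC4", "RC2", "DES", "DES40", "3DES"}
WEAK_MAC = {"MD5", "NULL"}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}
# Effective key sizes for algorithms that do not spell the size out in the name.
FIXED_BITS = {"NULL": 0, "DES_CBC": 56, "DES40_CBC": 40, "3DES_EDE_CBC": 112,
              "IDEA_CBC": 128, "SEED_CBC": 128, "CHACHA20_POLY1305": 256}

# TLS_Kx_[Au]_WITH_Enc_MAC (the Kx/Au part may also carry an EXPORT marker)
_TLS_RE = re.compile(r"^(?P<proto>TLS|SSL)_(?P<kxau>[A-Z0-9_]+?)_WITH_"
                     r"(?P<enc>[A-Z0-9_]+)_(?P<mac>MD5|SHA|SHA256|SHA384|NULL)$")
# SSL2_Enc_WITH_MAC: no Kx/Au field because SSL2 only ever used RSA for both
_SSL2_RE = re.compile(r"^SSL2_(?P<enc>[A-Z0-9_]+)_WITH_(?P<mac>MD5|SHA)$")


def effective_bits(enc):
    """Effective symmetric key size encoded in the Enc field, or None if unknown."""
    if enc in FIXED_BITS:
        return FIXED_BITS[enc]
    # a standalone number such as the 256 in AES_256_CBC (ignores the 4 in RC4)
    m = re.search(r"(?<![A-Z0-9])(\d+)(?![A-Z0-9])", enc)
    return int(m.group(1)) if m else None


def parse_cipher_suite(name):
    """Split a suite name into the fields shown on the slide and rate it."""
    name = name.strip().upper()
    m = _SSL2_RE.match(name)
    if m:
        proto, kx, au, export = "SSL2", "RSA", "RSA", False
        enc, mac = m.group("enc"), m.group("mac")
    else:
        m = _TLS_RE.match(name)
        if not m:
            raise ValueError("not a recognised cipher suite name: %s" % name)
        proto, enc, mac = m.group("proto"), m.group("enc"), m.group("mac")
        parts = m.group("kxau").split("_")
        export = "EXPORT" in parts
        parts = [p for p in parts if p != "EXPORT"]
        kx = parts[0]
        au = parts[1] if len(parts) > 1 else parts[0]   # TLS_RSA_... means RSA for both

    base = enc.split("_")[0]
    if "GCM" in enc or "CCM" in enc or "POLY1305" in enc:
        mode = "aead"
    elif "CBC" in enc:
        mode = "cbc"
    else:
        mode = "stream"
    bits = effective_bits(enc)

    findings = []
    if export:
        findings.append("export-grade suite")
    if base in WEAK_ENC:
        findings.append("weak cipher %s" % base)
    if bits is not None and bits < 128:
        findings.append("effective key size %d bits" % bits)
    if mac in WEAK_MAC:
        findings.append("weak MAC %s" % mac)

    return {"protocol": proto, "kx": kx, "au": au, "enc": enc, "bits": bits,
            "mode": mode, "mac": mac, "export": export,
            "forward_secrecy": kx in FORWARD_SECRET_KX,
            "findings": findings, "rating": "weak" if findings else "ok"}


if __name__ == "__main__":
    for suite in ("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
                  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                  "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_RSA_EXPORT_WITH_RC4_40_MD5"):
        print(suite, parse_cipher_suite(suite))
```

The `forward_secrecy` flag matters for the deployment-model discussion later in the deck: a suite whose Kx is DHE or ECDHE can only be inspected inline, never from a passive tap, however strong or weak the rest of the suite is.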

16 Supported SSL/TLS Traffic + Ciphers
The SSL Visibility Appliance supports SSL processing on TCP over IPv4 and IPv6.
SSL/TLS versions supported: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2. There is partial support for SSL 2.0.
Public key algorithms: RSA, DHE, ECDHE
Symmetric key algorithms: AES, AES-GCM, 3DES, DES, RC4, ChaCha20-Poly1305, Camellia
Hashing algorithms: MD5, SHA-1, SHA-2
Cipher suites supported: the most comprehensive support for the cipher suites in use on the internet. We closely follow Google as they change and update their ciphers, etc. List: s/tech_pubs/SV2800_SV3800_Admin_3.8.pdf, page 46

17 Planning a deployment Hardware, NetMods, Host Cat License
Physical deployment
- Deployment modes / attached security devices
- How many segments
- HA / redundant network setup
Setup
- Management port
- Internet access needed for Host Cat updates (the Host Cat database is kept locally)
- PKI integration
Policy
- What should be decrypted?
Results
- Are the connected devices working better?
- Export the SSL session log, audit logs, etc. to a syslog/SIEM

18 Overload Action
SSLV provides three options for handling SSL traffic when it sees more SSL traffic than it can process (i.e. when the appliance is undersized). This setting is specific to a segment and is not universal. The three actions are:
- Cut-Through (default): additional SSL sessions are cut through (passed without decryption).
- Drop: silently drop the connection.
- Reject: reset the connection.
A syslog entry is generated when the overload status starts and when it finishes: "Overload on NFE <number>" and "Recovery on NFE <number>". Recovery from the overload state is automatic.
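Because the default overload action is Cut-Through, every overload episode is a window in which some SSL sessions crossed the segment without being decrypted, so the two syslog messages above are worth monitoring on the collector. The following is an added example, not code from the appliance or from Blue Coat: it pairs "Overload on NFE <number>" with the matching "Recovery on NFE <number>" and reports how long each NFE stayed overloaded. The sample syslog lines are constructed; only the overload/recovery message text is from the slide, and the timestamp/host/process prefix is assumed to look like the session-log entry shown later in the deck.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not captured from a real appliance).
SAMPLE_SYSLOG = """\
Oct 16 11:09:04 sslva-9000 WLOO-SV1800 ssldata[3291]: Overload on NFE 1
Oct 16 11:09:30 sslva-9000 WLOO-SV1800 ssldata[3291]: Overload on NFE 2
Oct 16 11:10:00 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f8] 11:10:00 192.0.2.10:51234 > 198.51.100.7:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 www.example.com rule:3 resign Success(0x0)
Oct 16 11:12:34 sslva-9000 WLOO-SV1800 ssldata[3291]: Recovery on NFE 1
Oct 16 11:20:00 sslva-9000 WLOO-SV1800 ssldata[3291]: Recovery on NFE 2
Oct 16 11:45:10 sslva-9000 WLOO-SV1800 ssldata[3291]: Overload on NFE 1
"""

# BSD syslog timestamp, three whitespace-separated prefix fields (model, host,
# process[pid]:), then the message text from the slide.
_EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ \S+: "
    r"(?P<kind>Overload|Recovery) on NFE (?P<nfe>\d+)\s*$")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def overload_episodes(lines, year=2015):
    """Return (closed episodes, NFEs still overloaded at end of input)."""
    open_since = {}
    episodes = []
    for line in lines:
        m = _EVENT_RE.match(line)
        if not m:
            continue                      # session-log and other entries are ignored
        when = parse_ts(m.group("ts"), year)
        nfe = int(m.group("nfe"))
        if m.group("kind") == "Overload":
            open_since.setdefault(nfe, when)   # keep the earliest start if repeated
        elif nfe in open_since:
            start = open_since.pop(nfe)
            episodes.append({"nfe": nfe, "start": start, "end": when,
                             "seconds": int((when - start).total_seconds())})
    return episodes, open_since


def report(text, year=2015, warn_after=60):
    """Summarise overload windows; episodes longer than warn_after seconds (or
    still open) are the ones where a cut-through segment ran uninspected."""
    episodes, still_open = overload_episodes(text.splitlines(), year)
    alerts = ["NFE %d overloaded for %ds" % (e["nfe"], e["seconds"])
              for e in episodes if e["seconds"] >= warn_after]
    alerts += ["NFE %d still overloaded since %s" % (nfe, start.strftime("%H:%M:%S"))
               for nfe, start in sorted(still_open.items())]
    return {"episodes": episodes, "still_open": sorted(still_open),
            "total_seconds": sum(e["seconds"] for e in episodes), "alerts": alerts}


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG)["alerts"]:
        print(line)
```

The `warn_after` threshold and the choice to treat an open episode as an alert are the editor's, not a setting on the appliance; on a segment configured for Drop or Reject the same episodes mean failed connections rather than uninspected ones.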

19 Ssl-Enable your active Security devices
No Visibility into encrypted traffic Desktop Active Security Device Complete Visibility into Encrypted Traffic Desktop SSL Visibility Appliance Active Security Device

20 Ssl-Enable your active Security devices
No Visibility into encrypted traffic Desktop Active Security Device Desktop Complete Visibility into Encrypted Traffic SSL Visibility Appliance Active Security Devices

21 SSL-Enable your passive Security devices
No Visibility into encrypted traffic Desktop Active Security Device Complete Visibility into Encrypted Traffic SSL Visibility Appliance Active Security Devices Desktop

22 Simple active and passive (Inline) deployments
SSLV IDS Passive-Inline SSLV IPS Active-Inline

23 Configuration Options
Fail-to-Wire (FTW): a generic term we use for connecting the port pairs together. Fail to wire is the hardware shared by pairs of ports. By wiring the ports appropriately, an Active-Inline segment can be FTA or FTN.
Diagram: power-off FTW configuration
FTN = Fail-to-Network: applicable to the Active-Inline and Passive-Inline deployments. Configuring a segment for Fail-to-Network mode results in traffic bypassing the active appliance in the event of failure.
FTA = Fail-to-Appliance: fail to the active appliance connected to the SSLV. Only applicable to Active-Inline deployments (active appliance attached to SSLV). Traffic continues to flow through the active security device if the SSLV fails.

24 Concepts: HA Option Explained
High Availability Action: how SSLV behaves when a port/interface goes down.
- Disabled: the appliance does nothing.
- Auto Recovery: if a failure happens and is corrected, the appliance attempts to recover from the failure automatically.
- Manual Reset: the appliance remains in failed mode and manual intervention is required to recover from the failure. This recovery is initiated from the appliance UI Dashboard.
Software Failure Options: how SSLV behaves when a software failure occurs.
- Disable Interfaces: all interfaces in the segment are taken offline.
- Drop Packets (Auto Recovery): stops packet processing.
- Fail-to-Wire (Auto Recovery): the appliance goes into fail-to-wire mode and recovers automatically when the error state has been corrected. This is the default action.
- Fail-to-Wire (Manual Reset): the appliance goes into fail-to-wire mode and manual intervention is needed to recover from this state.
- Ignore Failure: all failures are ignored.

25 Ssl-Enable your active Security devices
SSL Decrypt Internet Users IPS Device SSL Decrypt Internet Users IPS Devices

26 Ssl-Enable your passive Security devices
SSLV Internet Users Passive Security Device SSL Decrypt Internet Users Passive Security Device

27 PKI Integration For Inbound SSL Inspection: Basic Principles
For inbound SSL inspection: Known Server Key. Import the certificates and keys for all servers whose SSL traffic you want to inspect.
For outbound SSL inspection: Certificate Resign, using either a CSR or a self-signed certificate on the SSLV.
Basic principles
- Passive-tap mode: must have the server key/cert; must not use DHE/ECDHE.
- Inline modes: Known Server Key or Certificate Resigning; DHE/ECDHE is not a problem.
- Client certificates: only supported with Known Server Key.

28 PKI Integration: Outbound SSL Inspection
Self-signed certificate
- Generate a self-signed certificate on the SSLV
- Import the self-signed cert into the browsers of each client machine (use an AD GPO update to push the certificate to user devices)
- Use the certificate to resign the SSL sessions
Certificate Signing Request
- Generate a Certificate Signing Request on the SSLV
- Get the certificate signed by the enterprise CA
- Install the signed certificate on the SSLV
- Use the certificate to resign the SSL sessions

29 PKI Integration: inbound ssl inspection
Load all server certs and keys on the SSLV and use them in a rule to inspect SSL traffic to your servers (by IP, IP list, subnet, etc.). If the certificates are expired, or do not match, connections to the affected servers will not be inspected. You can also use a third-party product to manage certificates and keys on the SSLV.
Note: if you use DH for key exchange, the SSLV must be deployed inline. For RSA key exchange, you can deploy the SSLV on a SPAN/TAP.
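Why the note above holds, as an added illustration that is not part of the slides, in terms of the two key-exchange methods (symbols are the usual TLS ones, not the deck's):

```latex
\textbf{RSA key exchange.} The client picks the pre-master secret $pms$ and sends
$c = pms^{e} \bmod N$ under the server's public key $(N, e)$. Both endpoints derive
$master = \mathrm{PRF}(pms,\ r_c \,\|\, r_s)$ from $pms$ and the two handshake nonces.
A passive tap that holds the server's private exponent $d$ recovers
$pms = c^{d} \bmod N$ from the captured handshake alone, derives the same $master$,
and can decrypt everything it saw: a SPAN/TAP deployment with a known server key is enough.

\textbf{(EC)DHE key exchange.} The server sends $g^{b}$ signed with its private key,
the client sends $g^{a}$, and $pms = g^{ab}$. The private key is used only to sign
$g^{b}$; it gives no way to obtain $a$ or $b$, so a tap that holds the key still
cannot compute $g^{ab}$ (this is the forward-secrecy property). Inline, the
appliance is itself a party to the handshake: it completes one DHE exchange with the
client (signing its own $g^{b'}$ with the known server key, or with the resigning CA
certificate in the outbound case) and a separate one with the server, so it holds both
sessions' secrets. That is why DHE/ECDHE is "not a problem" inline but is ruled out on a tap.
```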

30 Lets Talk Policy policy/Rulesets
Condition: IP, domain lists, host category, etc.
Rule: Decrypt, Cut-Through, Drop, etc.
Rule set: PKI, Resign, Cut-Through, Reject, etc.
Segment definition: Active-Inline, Passive-Inline, etc.; default action for the segment
Physical deployment

31 Policy Triggers (first match exits the policy/rule set evaluation)
- Source IP (lists), network (lists)
- Destination port, IP (lists)
- Host categories (lists)
- C-Name / domain name (lists)
- Certificate status: valid, expired, not-valid-yet, revoked, self-signed, invalid-signature, invalid-issuer
- Cipher suites (lists), e.g. for the FREAK and Logjam vulnerabilities
- Heartbleed is automatically detected and the connections are automatically dropped
- Traffic class (lists)

32 Preserve privacy and compliance while enabling security
Selective decryption enables "blacklist" and "whitelist" policies.
Host Categorization Service
- Leverages the Blue Coat Global Intelligence Network
- Utilizes 80+ categories, in 55 languages
- Processes 1.2B+ web and file requests per day
- Easily customizable per regional and organizational needs
Policy examples
- Block or decrypt traffic from suspicious sites and known malnets
- Bypass / do not decrypt financial and banking-related traffic

33 SSLV common Policy Examples: 1
Block or reject non-compliant SSL/TLS traffic:
- with invalid certificates
- with weak ciphers
- that uses a vulnerable SSL version
- traffic that exploits the Heartbleed vulnerability
Handle invalid certificates: using a single resign cert, users will not see the browser warning.
- Rule 1: use a trusted cert to inspect connections that present a valid cert
- Rule 2: use an untrusted cert to inspect connections that present an invalid cert

34 SSLV common Policy Examples: 2
Using the Host Categorization Service, two approaches:
- Cut through only the PII categories (or selected categories); inspect all the rest
- Inspect the high-risk categories
Log the (inbound) traffic that was not decrypted (missing certs?)
- Rule 1 (blanket rule): decrypt everything coming in
- Rule 2: decrypt all connections going to the datacenter IPs
All traffic that did not get decrypted by Rule 1 will be evaluated by Rule 2; these connections will not be decrypted. SSL session logs exported to a syslog collector show all traffic that hit Rule 2.
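The two policy slides above describe a first-match ruleset built from the trigger list. The following added example, which is not code from the appliance or from Blue Coat and does not use its configuration syntax, models that evaluation: an ordered list of rules, each a set of conditions over the flow attributes the triggers expose, where the first rule whose conditions all hold decides and later rules are never consulted. The rule names, category names, cipher list, IP ranges and sample flows are constructed for the example; it also shows why rule order matters by moving the PII cut-through rule to the end.

```python
import ipaddress

# Condition keys follow the "Policy Triggers" slide: src_net/dst_net (IP lists),
# dst_port, host_category, domain, cert_status, cipher_suite, tls_version.

class Rule:
    def __init__(self, name, action, **conditions):
        self.name = name
        self.action = action          # e.g. "cut-through", "reject", ("resign", "trusted-ca")
        self.conditions = conditions  # every listed condition must hold for a match

    def matches(self, flow):
        for key, wanted in self.conditions.items():
            if key in ("src_net", "dst_net"):
                addr = ipaddress.ip_address(flow["src_ip" if key == "src_net" else "dst_ip"])
                if not any(addr in ipaddress.ip_network(net) for net in wanted):
                    return False
            elif key == "domain":
                host = flow.get("domain", "")
                # ".example.com" matches the domain and its subdomains; a bare name is exact
                if not any((d.startswith(".") and (host == d[1:] or host.endswith(d)))
                           or host == d for d in wanted):
                    return False
            elif flow.get(key) not in wanted:
                return False
        return True


def evaluate(rules, flow, default_action="cut-through"):
    """First-match evaluation: the first rule whose conditions all hold decides.
    Returns (rule name, action); the segment default applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "segment-default", default_action


# Constructed lists (not the appliance's): certificate states from the trigger
# slide, a few suites a policy would reject, and the categories kept private.
INVALID_CERT = {"expired", "not-valid-yet", "revoked", "self-signed",
                "invalid-signature", "invalid-issuer"}
WEAK_SUITES = {"TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
               "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}
PII_CATEGORIES = {"Financial Services", "Health"}

# Outbound ruleset: privacy exemption first, then the non-compliance rejects,
# then the two resign rules (trusted CA for valid certs, untrusted for invalid).
OUTBOUND = [
    Rule("cut-through-pii", "cut-through", host_category=PII_CATEGORIES),
    Rule("reject-weak-cipher", "reject", cipher_suite=WEAK_SUITES),
    Rule("reject-legacy-version", "reject", tls_version={"SSL3.0"}),
    Rule("resign-valid", ("resign", "trusted-ca"), cert_status={"valid"}),
    Rule("resign-invalid", ("resign", "untrusted-ca"), cert_status=INVALID_CERT),
]


def sample_flow(**overrides):
    """A constructed outbound flow; keyword arguments override single attributes."""
    flow = {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.10", "dst_port": 443,
            "domain": "www.example.com", "host_category": "Technology",
            "cert_status": "valid", "tls_version": "TLS1.2",
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
    flow.update(overrides)
    return flow


def demo():
    bank = sample_flow(domain="online.bank.example", host_category="Financial Services")
    results = {
        "bank": evaluate(OUTBOUND, bank),
        "selfsigned": evaluate(OUTBOUND, sample_flow(cert_status="self-signed")),
        "rc4": evaluate(OUTBOUND, sample_flow(cipher_suite="TLS_RSA_WITH_RC4_128_MD5")),
        "normal": evaluate(OUTBOUND, sample_flow()),
    }
    # Order sensitivity: with the PII exemption moved last, the valid-cert resign
    # rule matches banking traffic first and it gets decrypted after all.
    results["bank_reordered"] = evaluate(OUTBOUND[1:] + OUTBOUND[:1], bank)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The reject rules sit before the resign rules deliberately: a weak suite on a connection with a valid certificate should be rejected, not decrypted, and the first-match semantics would give the opposite result if the order were swapped.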

35 Network HSM and keys/Certificate Management Systems
Network HSM: Safenet Luna SP
- Use case: secure storage for encryption keys and certificates
- SSLV can use an HSM for outbound SSL/TLS inspection. We support the Safenet Luna SP; no other HSM support is planned yet.
Key and certificate management: Venafi Trust Platform
- Use case: automated management of encryption keys and certificates on all SSL/TLS-enabled entities in the network
- Can be used to manage keys and certificates on the SSLV for inbound SSL/TLS inspection
Note: the SSL Visibility Appliance does NOT require these devices/services to work.

36 Managing SslV appliances: Management Center
Blue Coat Management Center version 1.4 is now GA. Management Center v1.4 supports ProxySG, Content Analysis System, Malware Analysis System, PacketShaper and the SSL Visibility Appliance.
SSLV management: health monitoring, inventory, backup and restore, device synchronization (PKI, policy/rulesets, users)

37 SSL Session Log
- A log entry is created in the SSL Session Log for each SSL/TLS flow
- This information is available on the device; the device keeps 32M log lines
- Can be sent to up to 8 syslog collectors/servers

38 SSL Session log: more in syslog
Oct 16 11:09:04 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f8]  : > :443 TLS1.0 TLS_RSA_WITH_RC4_128_MD5 secure.footprint.net rule:11 resign Success(0x0)
From left to right: system time; model number; hostname; process; process ID; segment:SSLV flow id; SSLV display time; source IP:port; destination IP:port; SSL/TLS version; cipher suite; domain name; rule:#; action; message/error
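A parser for that line layout, as an added example that is not code from the appliance or from Blue Coat, with a summary pass that produces the footprint views the next slide asks for (versions seen, suites used, rule hits, top sites, entries whose message is not a success). The sample entries are constructed to the field order listed above: the real example on the slide has its display-time and address fields stripped, so the display-time format, the documentation-range IP addresses, the action words other than "resign" and the "Failed(0x1)" message are all assumptions.

```python
import re
from collections import Counter

# Constructed sample entries (not captured from a real appliance).
SAMPLE_LOG = """\
Oct 16 11:09:04 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f8] 11:09:04 192.0.2.10:51234 > 198.51.100.7:443 TLS1.0 TLS_RSA_WITH_RC4_128_MD5 secure.footprint.net rule:11 resign Success(0x0)
Oct 16 11:09:05 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012f9] 11:09:05 192.0.2.11:49152 > 198.51.100.20:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 www.example.com rule:3 resign Success(0x0)
Oct 16 11:09:06 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012fa] 11:09:06 192.0.2.12:49200 > 198.51.100.30:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 online.bank.example rule:1 cut-through Success(0x0)
Oct 16 11:09:07 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a10012fb] 11:09:07 192.0.2.10:51240 > 198.51.100.20:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 www.example.com rule:3 resign Success(0x0)
Oct 16 11:09:08 sslva-9000 WLOO-SV1800 ssldata[3291]: [A:a1001300] 11:09:08 203.0.113.5:40000 > 192.0.2.50:443 TLS1.2 TLS_RSA_WITH_AES_128_CBC_SHA mail.corp.example rule:2 known-server-key Failed(0x1)
Oct 16 11:09:09 sslva-9000 WLOO-SV1800 ssldata[3291]: [B:a1001301] 11:09:09 192.0.2.13:49300 > 198.51.100.40:443 SSL3.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA legacy.example.net rule:7 reject Success(0x0)
"""

# One named group per field in the slide's left-to-right list.
_ENTRY_RE = re.compile(
    r"^(?P<systime>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<model>\S+) (?P<host>\S+) "
    r"(?P<process>\w+)\[(?P<pid>\d+)\]: \[(?P<segment>\w+):(?P<flow>[0-9a-fA-F]+)\] "
    r"(?P<displaytime>\S+) (?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<version>\S+) (?P<cipher>\S+) (?P<domain>\S+) rule:(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<message>.*)$")


def parse_session_line(line):
    """Return the entry as a dict, or None if the line is not a session-log entry."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for key in ("pid", "sport", "dport", "rule"):
        e[key] = int(e[key])
    e["ok"] = e["message"].startswith("Success")
    return e


def summarize(lines, top_n=5):
    """Aggregate the views the footprint slide lists: versions, suites, actions,
    rule hits, top sites and the entries that did not end in Success."""
    counts = {k: Counter() for k in ("versions", "ciphers", "actions", "rule_hits")}
    domains, errors, skipped = Counter(), [], 0
    for line in lines:
        e = parse_session_line(line)
        if e is None:
            skipped += 1
            continue
        counts["versions"][e["version"]] += 1
        counts["ciphers"][e["cipher"]] += 1
        counts["actions"][e["action"]] += 1
        counts["rule_hits"][e["rule"]] += 1
        domains[e["domain"]] += 1
        if not e["ok"]:
            errors.append({"flow": e["flow"], "domain": e["domain"],
                           "rule": e["rule"], "message": e["message"]})
    summary = {k: dict(v) for k, v in counts.items()}
    summary["top_domains"] = domains.most_common(top_n)
    summary["errors"] = errors
    summary["skipped"] = skipped
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Running the summary against the log exported to the syslog collector gives the per-rule hit counts the previous slide relies on (traffic that fell through to the second inbound rule) as well as the version and cipher inventory of the next one.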

39 SSL Visibility : map your ssl/TLS footprint
- SSL versions seen on the network: SSL versions have known vulnerabilities; TLS 1.1 and 1.2 are expected
- Certificate status: valid vs. invalid certs; you should not see any traffic with invalid certificates
- Ciphers used: strong vs. weak cipher suites (FREAK/Logjam)
- Top N SSL sites by request
- Users of SSL traffic

40 Troubleshooting Basic data collection First stage analysis
Basic data collection
- Device type, e.g. SV-1800
- Software version, e.g. v
- Interfaces: speed/media type
- Deployment model: PT/PI/AI
- Inspection method: KSK/CRS
- Attached appliance(s)
- What does the problem affect? The system, non-SSL traffic, all SSL traffic, inspected SSL traffic, or a subset of traffic
First stage analysis
- Software up to date? Update first, then analyse if the problem persists
- Does the problem persist in FTW? If so, look at the attached appliance
- What does the SSL session log show?
- Are there errors in syslog?
- Is the problem related to client software (browser/OS)?
- Are the KSKs on the box up to date?
- Is the problem repeatable? Can you replicate it?

41 Backup and restore Restore files Always backup before upgrading
What is backed up
- Policy: rulesets, segments and lists
- PKI: all keys and certs
- Users
- Platform: SNMP, NTP, Syslog
Backup files
- All files are backed up separately
- Protected by a user-entered password
- Saved in .bin format
Restore files
- When restoring, files must be loaded separately
- Require the same password
- Some files may require the appliance to be rebooted before taking effect

42 Upgrading SSL Visibility appliance
Patch file: applied via the web UI; updates the main partition; all data/config retained; reboot required. Recommended option.
NSU file: system update; re-images the main partition; restores factory defaults; retains the management IP address; all data/config lost.
NRU file: applied via the web UI; updates the rescue partition; all data/config retained; rescue image updated after reboot.

43 Resources Documentation Quick Start Guide
Administration and User Guides: Documents/SSL%20Visibility
First Steps (Web Guide) for SSLV
Deployment services: Professional Services
Customer training courses

44 Encrypted Traffic Management @BLUECOAT
Diagram labels: SSL Visibility Appliance; Global Intelligence Network (policy enforcement for host categorization); Security Analytics; Copy Port; Management Center*; ProxySG in-line loopback**; Malware Analysis, real-time file extraction**; HSM; KEY MGMT; DLP; NGFW / IPS; APM / NPM; SANDBOX; FORENSICS; certified partners and additional proven, compatible solutions
* Pending capability in MC v1.4 (Q1 FY16); ** Pending capability in v4.x (Q1 / Q2 FY17)

45 Blue Coat Customer Forums
- A community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

46 Thank you for Joining Today!
Please provide feedback on this webcast and suggestions for future webcasts to:
Webcast replay and slide deck can be found here within 48 hours: webcasts (requires BTO log-in)

47 Questions for Manoj? Quick Survey
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be re-directed to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you! Questions for Manoj?

48 got ssl?
