Presentation transcript: MANAGING SSL ON PROXYSG (Blue Coat Customer Support Technical Webcast)

Slide 1: MANAGING SSL ON PROXYSG
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.

Thank you for joining today's Blue Coat Customer Support Technical Webcast!
• The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join
• You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
• Audio broadcast will only go live when the Webcast begins – there will be silence until then
• The Presentation will run approximately 60 minutes
• There will be a 30-minute Q/A session thereafter
• Please submit questions using the Webex Q/A feature!

Slide 2: AGENDA
• Overview
• PKI - How trust and certificates work
• Tunneling vs Interception
• SSL Decryption Best Practices
• Configuration Steps

Slide 3: OVERVIEW
• Secure Sockets Layer (SSL) provides an encrypted tunnel through which other protocols can pass
• SSL uses public-key cryptography (PKI)
• HTTPS is HTTP over SSL
• HTTPS traffic exposes enterprises to potential risks
• Traffic is encrypted between client and server, so content remains undetected by network devices

Slide 4: WHY INTERCEPT SSL TRAFFIC
• Malware scanning (ProxyAV, CAS, MAA)
• Data loss protection (DLP)
• Visibility (Analytics and Reporting)
• Content inspection (BCWF, HTTP Header/Payload)
• Check/Enforce SSL parameters (Cipher and Version)
• Decrypted content can be cached
• Non-HTTPS traffic can be detected and blocked or tunneled

Slide 5: LEGAL AND SECURITY CONSIDERATIONS
• Know the laws for all locations where you do business
  - Decryption and/or logging of SSL traffic might be prohibited
  - Notification and consent by users might be required (this can be configured on the ProxySG)
• You are responsible for ensuring that your organization's use of the SSL proxy complies with all relevant laws and organization policies.

Slide 6: SSL HANDSHAKE (diagram only)

Slide 7: HTTPS IN EXPLICIT MODE (EXPLICIT CONNECT REQUEST)
Diagram labels: the client is configured with explicit proxy 1.1.1.1:8080; the client sends "CONNECT https://www.happycatco.com:443 http/1.1" to the proxy on port 8080; the proxy performs the TCP handshake to the server on port 443; the proxy answers the client with "200 CONNECT Established".

Slide 8: CERTIFICATE AUTHORITY (diagram only)

Slide 9: CERTIFICATE VALIDATION
• Common Name matches what was typed into the browser exactly
• Certificate is valid per the dates in the certificate, compared to the system clock
• Certificate chains to a trusted Certificate Authority

Slide 10: TUNNELING VS INTERCEPTION (section divider)

Slide 11: EXPLICIT VS. TRANSPARENT PROXY (diagram only)

Slide 12: SSL PROXY TRAFFIC OPTIONS (diagram only)

Slide 13: MESSAGE FLOW
• ProxySG emulates server certificates
• ProxySG functions as both SSL client and SSL server
• To avoid browser security warnings, the client must be configured to recognize the ProxySG certificate

Slide 14: SSL PROXY FUNCTIONS
• SSL Proxy tunnels HTTPS traffic by default unless there is an exception (such as a certificate error or a policy denial)
• On an exception, ProxySG sends an error page to the user

Slide 15: INTERCEPT ON EXCEPTION
• Recent browser versions do not interpret HTML code if the SSL handshake is not properly completed
  - The browser's default error page will be displayed
  - The user is not aware of the reason for the block
• Starting from 6.2.10.x, "intercept on Exceptions" is enabled by default: ProxySG intercepts only failed sessions in order to display a proper error message to the end user
  - Requires SSL Proxy to be configured in order to avoid security warnings to end users

Slide 16: HTTPS PROXY (POLICY ACTIONS)
Diagram labels: the client opens SSL to port 443 and the policy action is Tunnel (do not intercept), Decrypt, or Deny.
  - Tunnel: traffic is tunneled and the server certificate is passed through unmodified
  - Decrypt: ProxySG presents an emulated certificate (SG cert) and runs the 3 HTTPS security checks
  - Deny (no intercept): ProxySG sends a TCP FIN; the browser shows "Page cannot be displayed"

Slide 17: LOGGING FACILITIES
• ProxySG logs SSL information in different logfiles
  - In the SSL access logs for connection details (IP, certificate FQDN, timestamps...)
  - In the "Main" access log only if SSL traffic is intercepted. This includes application data (URLs, content-type, user-agent...)
• In Configuration -> Access Logging -> General:
  2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - medium *.google.fr "unlicensed"
  2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 /++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" 10.80.12.33 6513 375 - "unlicensed" "unlicensed"
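As an added example (not from the slide deck): a small Python parser for the two access log lines above, used to tell a tunneled session from an intercepted one. The field orders are this example's assumption based on the default SGOS main and ssl log formats and should be checked under Configuration -> Access Logging -> Formats; the sample lines are the slide's, with straight quotes.

```python
import shlex

# Field orders assumed for the two ProxySG logs on the slide. They follow the
# default SGOS 6.x "main" and "ssl" formats as this example's author recalls them;
# confirm them under Configuration -> Access Logging -> Formats before relying on them.
COMMON = ["date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
          "x-exception-id", "sc-filter-result", "cs-categories"]
MAIN_FIELDS = COMMON + ["cs(Referer)", "sc-status", "s-action", "cs-method",
                        "rs(Content-Type)", "cs-uri-scheme", "cs-host", "cs-uri-port",
                        "cs-uri-path", "cs-uri-query", "cs-uri-extension",
                        "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id"]
SSL_FIELDS = COMMON + ["sc-status", "s-action", "cs-method", "rs(Content-Type)",
                       "cs-uri-scheme", "cs-host", "cs-uri-port", "cs-uri-path",
                       "cs-uri-query", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id"]
# Trailing ssl-log fields (certificate validation status, cipher strength,
# certificate hostname, hostname category) vary by configuration: kept as "extra".

# Sample lines copied from the slide (straight quotes substituted)
SSL_LINE = '2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - medium *.google.fr "unlicensed"'
MAIN_LINE = '2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 /++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" 10.80.12.33 6513 375 - "unlicensed" "unlicensed"'

def parse_line(line, fields):
    """Split one access log line. shlex keeps quoted fields (categories,
    Content-Type, User-Agent) together even though they contain spaces."""
    tokens = shlex.split(line)
    rec = dict(zip(fields, tokens))
    rec["extra"] = tokens[len(fields):]
    return rec

def classify(rec):
    """A tunneled session carries no application data: the ssl log records the
    TUNNELED action with an "ssl" scheme and no method or path. An intercepted
    session appears in the main log with the https scheme and the full request."""
    if rec.get("s-action") == "TUNNELED" or rec.get("cs-uri-scheme") == "ssl":
        return "tunneled"
    if rec.get("cs-uri-scheme") == "https" and rec.get("cs-uri-path", "-") != "-":
        return "intercepted"
    return "other"

def summarize(entries):
    """entries: iterable of (line, field_list). Returns {host: classification}."""
    out = {}
    for line, fields in entries:
        rec = parse_line(line, fields)
        out[rec["cs-host"]] = classify(rec)
    return out

if __name__ == "__main__":
    print(summarize([(SSL_LINE, SSL_FIELDS), (MAIN_LINE, MAIN_FIELDS)]))
```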

Slide 18: SSL DECRYPTION BEST PRACTICES (section divider)

Slide 19: SSL DECRYPTION METHODOLOGY
• A proper workflow MUST be in place before decrypting:
  - Need to make sure ProxySG can be trusted by end users' browsers
  - Need to identify SSL-based applications that are not HTTP-based to prevent denied access (handled through a whitelist)
  - Need to identify the interception scope (all traffic or specific categories)
  - Need to build a privacy policy
  - Need to define a Server Certificate Validation Strategy (OCSP)
  - (Optional): TAP SSL decrypted data
• Caveats:
  - Country-specific legal policies may prevent use of SSL decryption without user notification
  - SSL traffic is often considered by law as private/confidential traffic for end users

Slide 20: PROXYSG MUST BE TRUSTED BY BROWSERS
• Only the certificate signature may trigger a warning
  - The rest of the certificate is copied from the original one
• An internal PKI can issue an Intermediate CA certificate
  - It will be imported on the ProxySG (as a keyring) and used to sign emulated certificates (different from a server certificate)
  - Import the Root CA as well (in the trusted CA store)
• In case there is no PKI available:
  - Use the existing certificate from the ProxySG (or generate a new one)
  - Browsers will have to install it in the Certificate Authority store
• Active Directory (GPO) can automate certificate distribution

Slide 21: CAREFULLY IDENTIFY APPLICATION SCOPE
• SSL-encrypted applications that are not HTTP-based will be denied (Webex and Skype are good examples...)
  - SSL Interception will block access to applications in case the app is not HTTP-based
  - STunnel Interception will allow the application to go through without being blocked
• If a client certificate is requested during the SSL handshake, it will break SSL Interception
  - Use a whitelist to exempt regular applications from SSL interception
  - Use a keylist to store client certificates directly on the ProxySG (requires SGOS 6.3.x and later) so that ProxySG knows which user maps to which certificate
• Be sure to identify all of them before decrypting SSL sessions (at least the critical ones):
  - Management can be done through a whitelist
  - These applications won't be decrypted
  - Consider testing intranet applications in case they are accessed through proxies

Slide 22: IDENTIFY INTERNET INTERCEPTION SCOPE
• SSL decryption can be done through categories
• Server Certificate Category is the best trigger
• Work with Human Resources and Legal departments
• Categories that should not be intercepted
  - Financial Services
  - Health

Slide 23: CERTIFICATE VALIDATION STRATEGY
• Errors in certificates (server-side, if tolerated) are not propagated to client browsers by default:
  - Needs SGOS 6.3.x or later (Preserve untrusted issuer). SSL Proxy lets you choose an Untrusted Issuer keyring to reflect certificate errors
• Consider certificate validation for intranet applications (if proxied)
  - Some of them may use self-signed certificates
• Recommended strategy for the Internet is:
  - Don't tolerate certificate errors (except for trusted apps)
  - Configure OCSP to check revocation status

Slide 24: TAP ENCRYPTED DATA
• Requires an Encrypted TAP license
  - SGOS 6.5.1.x allows tapping SSL-based traffic (through STunnel Proxy)
  - SGOS 6.5.2.x allows tapping SSL-based traffic (including SSL Proxy)
• The Tap output is pseudo TCP and cannot be routed
• Can only be configured to tap client-side SSL traffic (bi-directional)
• Tapped (decrypted) SSL data is sent to a dedicated interface and can be consumed by network forensics tools such as Security Analytics Platform (or IPS...)
• VPM/CPL SSL Access layers allow deciding which traffic to TAP

Slide 25: CONFIGURATION STEPS (section divider)

Slide 26: IMPORT CERTIFICATE AUTHORITIES
• In Management Console, Configuration -> SSL -> CA Certificates:
  - Import the Root Certificate of your PKI solution
  - Import the certificate chain (if applicable) in case multiple Intermediate CAs are used
  - Import the ProxySG subordinate CA (the one you have generated to delegate signature of emulated certificates)

Slide 27: CONFIGURE SSL PROXY
• In Management Console, Configuration -> Proxy Settings -> SSL Proxy
  - Choose the default Certificate Authority the SG will use to sign the emulated certificates (the one you have just imported)
  - Choose the Server Certificate List that ProxySG will use to validate server certificates (browser-trusted)
  - Tick "Preserve untrusted certificate Issuer" in case you need to propagate certificate errors towards end users

Slide 28: PROXY SERVICES CONFIGURATION
• Explicit environments
  - Set the Explicit HTTP service to Intercept
  - Edit the Explicit Proxy Service and check "detect protocol" (global)
  - HTTP Proxy will 'detect' the CONNECT request
  - The 'detected' session will be passed to the SSL Proxy for processing
  - VPM/CPL allows for selective protocol detection
• Transparent environments
  - Set the HTTPS service to Intercept
• Every application which doesn't respect SSL standards will be blocked

Slide 29: CREATE SSL INTERCEPTION RULES
• In VPM, use the SSL Intercept Layer to define interception policies
  - The interception action lets you choose the keyring used to sign emulated server certificates
  - Enable HTTPS Interception: SSL decryption will be performed. Non-HTTPS applications will be blocked
  - Enable HTTPS Interception on exception: allows the ProxySG to intercept the SSL session to present an exception message to the end user
  - Enable STunnel Interception: SSL decryption will be performed. The application layer won't be inspected (no application logs...). Allows non-HTTPS applications to go through the Proxy. Decrypted traffic can be optimized (MACH5) and TAPed in clear text.
  - Enable SSL Interception with automatic protocol detection: HTTPS-based applications will be handed off to the SSL Proxy, others will be handled by the STunnel Proxy

Slide 30: CREATE OCSP RESPONDER
• Give it a name
• Issuer CCL: the issuer CCL attribute allows the administrator to specify the certificate authorities (issuers) for which the responder in question is the designated responder
• Response CCL: this attribute is used during verification of OCSP responses
• Specific errors can be ignored

Slide 31: CREATE SERVER CERTIFICATE VALIDATION RULES
• In VPM, use the SSL Access Layer to define certificate validation rules
  - Server certificate validation can be enabled or disabled with specific triggers
  - Rules can ignore specific information (hostname mismatch, expiration date and/or certificate issuer)
  - OCSP revocation check can be performed (recommended) by using the responder created in the last slide

Slide 32: VERIFY SSL INTERCEPTION
• Go to an HTTPS website for which SSL interception has been configured
• Have a look at the SSL certificate for the website to check SSL interception
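As an added example, not part of the deck: the three validation checks from slide 9 and the interception check from slide 32, applied to certificates in the dict layout returned by Python's ssl.SSLSocket.getpeercert(). The CA names, hostnames, dates and the fixed clock are constructed assumptions, and chain validation is reduced to an issuer lookup in a trusted set.

```python
import ssl
import time

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(); the names below are assumptions, not real CAs.
PROXY_CA_CN = "Corp ProxySG Issuing CA"                 # subordinate CA keyring on the ProxySG
TRUSTED_ISSUERS = {PROXY_CA_CN, "Example Public CA"}   # what the browser's CA store trusts
NOW_2014 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2014 GMT")  # fixed "system clock"

ORIGIN_CERT = {  # what the server really presents
    "subject": ((("commonName", "www.happycatco.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan 10 00:00:00 2013 GMT", "notAfter": "Dec 31 23:59:59 2014 GMT",
    "subjectAltName": (("DNS", "www.happycatco.com"), ("DNS", "happycatco.com")),
}
# Emulated copy: same subject, SANs and dates, but signed by the ProxySG CA
EMULATED_CERT = dict(ORIGIN_CERT, issuer=((("commonName", PROXY_CA_CN),),))

def _cn(name):
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def hostname_matches(cert, hostname):
    """Check 1: the name typed in the browser must match the CN or a DNS SAN
    exactly (wildcards deliberately not handled here)."""
    names = {_cn(cert["subject"])}
    names.update(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return hostname.lower() in {n.lower() for n in names}

def dates_valid(cert, now=None):
    """Check 2: validity window compared with the (possibly injected) clock."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end

def chains_to_trusted(cert, trusted=TRUSTED_ISSUERS):
    """Check 3, simplified: the issuer must be in the trusted CA store. A real
    validator walks the whole chain and verifies each signature."""
    return _cn(cert["issuer"]) in trusted

def validate(cert, hostname, now=None, trusted=TRUSTED_ISSUERS):
    return {"hostname": hostname_matches(cert, hostname),
            "dates": dates_valid(cert, now),
            "trusted_issuer": chains_to_trusted(cert, trusted)}

def is_intercepted(cert, proxy_ca_cn=PROXY_CA_CN):
    """Slide 32's check: an emulated certificate is issued by the ProxySG CA."""
    return _cn(cert["issuer"]) == proxy_ca_cn
```

A browser whose CA store lacks the ProxySG CA is modelled by passing a trusted set without PROXY_CA_CN, which makes the emulated certificate fail check 3 exactly as slide 20 describes.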

Slide 33: BLUE COAT CUSTOMER FORUMS
• Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
• Research, post and reply to topics relevant to you at your own convenience
• Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
• Access at forums.bluecoat.com and register for an account today!

Slide 34: THANK YOU FOR JOINING TODAY!
• Please provide feedback on this webcast and suggestions for future webcasts to: john.dyer@bluecoat.com
• Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts

Slide 35: Q&A
Questions?

