Published by Brett Shaw. Modified over 8 years ago.
1
SSL Interception Planning and Implementation Best Practices
Stephen Watkins, CISSP (a.m. webcast)
Matthew Lange, CISSP (p.m. webcast)
Blue Coat Americas Consulting
2
Agenda
- Introduction
- Why SSL Intercept
- Critical Planning Elements
- Implementation Best Practices
- Resources
- Questions
3
© Blue Coat Systems, Inc. 2012
Introduction
Stephen Watkins, CISSP (79463)
- 4+ years Blue Coat Professional Services
- 16 years Information Security experience
- MS Computer Science; Information Security (JMU, 2005)
- BS Computer Science (ODU, 1999)
- Publications (ISBNs): 1597490318, 1597490601, 1597491098
Matthew Lange, CISSP (#43861)
- 2+ years Blue Coat Professional Services
- 12 years Information Security experience
Khaled Nassar
- 10 years Developing and Implementing Security Solutions
- 5+ years experience with Blue Coat ProxySG
4
Why SSL Intercept?
- Increased granularity for content filtering
  - SSL Proxy vs. SSL Interception
  - SSL Proxy alone can do content filtering (without SSL Interception)
  - Explicit vs. Transparent interception
- Deep level protocol inspection (HTTP)
  - HTTPS is just encapsulated HTTP
  - HTTP Headers, etc. are readable after SSL Interception
- ICAPS handoff
  - Antivirus (AV) inspection; RespMod
  - Data Leakage Protection (DLP) inspection; ReqMod
- Logging and Reporting for SSL/HTTPS
5
SSL Interception: Critical Planning Elements
- Project Planning leads to Project Success
- What does our environment look like?
  - How does the ProxySG enforce policy for known entities?
  - Network segments; admin, DMZ, guest, BYOD, mobile, etc.
  - Client lists; managed or unmanaged?
  - User-Agents (think certificate distribution)?
  - Non-Proxy aware applications like Windows Update, etc.?
  - Will Cert distribution be difficult for some clients/applications?
- What/Who is going to be intercepted?
  - Policy exemptions for CF Categories, sources, destinations?
  - Discuss with HR/Legal to receive feedback regarding privacy concerns
6
SSL Interception: Critical Planning Elements
- Authentication for HTTPS requests
- Explicit vs. Transparent deployment
  - Explicit much easier; transparent can be challenging
  - Surrogate type (IP, Cookie, none)?
  - Confirm using SSL/HTTPS authentication virtual URL https://hostname:4443
- Transparent authentication requires a Reverse Proxy Listener on the ProxySG
  - HTTPS Reverse Proxy listener for port 4443
- Single hostname for virtual URL; why?
  - https://hostname:4443 instead of https://hostname.domain.com:4443
  - Trusted by IE…automatically submits NTLM credentials (IWA)
7
SSL Interception: Critical Planning Elements
- SSL Keyring and Certificate/s
  - Distribution is Key!!
- Why aren’t public (VeriSign, etc.) certificates a valid option?
  - Significant cost factor if approved
- Self-signed or signed with an internal CA?
  - How many ProxySGs do you have?
  - Does your organization have issues with housing a Subordinate CA Cert on the ProxySG/s? (check with your security CA team)
- ProxySG Sizing is key also. If you are adding SSL Interception to an existing solution make sure your ProxySGs will handle the overhead associated with SSL/HTTPS interception. (Ask an SE)
- ProxySG certificate emulation (next slide)
  - Extract certificate hostname & expiration date, then sign it with the SSL Interception Keyring Certificate
8
SSL Interception Model
9
SSL Interception: Critical Planning Elements
- Testing Critical Business Applications!
- Project Discovery & Documentation are necessary
  - Enumerate your applications
  - Document their working condition prior to implementation
- How to correct issues with applications?
  - Disable interception / tunnel traffic via config/policy
  - Enable service listener for specific targets (TCP Tunnel Proxy)
  - Add a service listener and set it to Bypass
- Standard ProxySG troubleshooting methods apply
  - Policy Trace, Packet Capture, Event Log, Access Log, Advanced URLs
  - Isolating the issue and choosing the appropriate corrective policy/configuration
10
SSL Interception: Critical Planning Elements
- Rollout Plan
  - Have you documented your implementation procedures, test plan, and back out plan?
  - Success criteria are critical! They are how we measure that things are working as expected; what will a successful rollout (at each milestone) look like to your organization?
  - Identify a small pilot group for initial testing (IT group?)
- SSL Interception is never a light-switch rollout; aim to minimize risk and production interruption
  - Define gradual increases in exposure based on BU sensitivity.
  - Avoid fighting too many fires at once or risk having to back out the entire solution; target small successes
- No one knows everything; know when to call a peer or Blue Coat Technical Support for help troubleshooting problems
11
SSL Implementation Best Practices
- Protecting User Data
  - For the most part, HTTPS uses SSL encapsulation to protect the integrity/privacy of transactions
  - Alternative purposes now in use; but still protect transaction data
- Use Secure ICAP
  - Once the ProxySG terminates the client SSL connection, it will offload to the ICAP peer in plain text
- Consider which CF categories to exempt
- Use on-box Content Filters to prevent clear-text URL transmission; enable secure connections for WebPulse
- Modify logging to disable URL and header information for HTTPS requests/responses
  - HTTP GET can use parameters in the URL also; similar to POST
12
SSL Implementation Best Practices
- Tunnel Non-Standard Applications
  - Not all SSL/HTTPS applications are compatible with ProxySG
  - WebEx, GotoMyPC, Skype
- Decide how to handle certificate errors from the OCS
  - Prior to SSL Proxy Interception users chose how to handle certificate errors (browser behavior).
  - Disable and allow browser behavior or deny access?
- Disable weak versions of SSL
  - SSL v2 is weak; disable it in the SSL Client configuration
13
SSL Implementation Best Practices
- Set pathlen=0 on the CA certificate for SSL Interception
  - This disables the certificate from creating/signing other Subordinate CA Certificates
- Use Internal CA when available to reduce complexity
  - Internal CA root certificates are already trusted by managed clients and allow you to extend the certificate expiration period (2 years for self-signed certs).
  - It also prevents administrators from having to create/modify a GPO (or alternative distribution method)
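An added example (not from the webcast or from Blue Coat): a throwaway lab PKI built with the openssl CLI that shows what pathlen:0 enforces at validation time. The CA key can still mechanically sign a subordinate CA certificate, but validators reject any chain that passes through it; every subject and file name here is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI; every subject and file name is hypothetical.

issue() {  # issue <dir> <name> <issuer> <ext-section>: new key + CSR, signed by <issuer>
  openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -extfile "$1/lab.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

build_lab_pki() {  # build_lab_pki <dir>
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = req
[intercept_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[sub_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # Self-signed interception CA carrying pathlen:0.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/lab.cnf" \
    -extensions intercept_ca -subj "/CN=lab-intercept-ca" \
    -keyout "$1/lab-intercept-ca.key" -out "$1/lab-intercept-ca.crt" 2>/dev/null &&
  issue "$1" emulated-leaf lab-intercept-ca leaf &&    # normal interception case
  issue "$1" extra-sub-ca lab-intercept-ca sub_ca &&   # a CA below the pathlen:0 CA
  issue "$1" leaf-under-sub extra-sub-ca leaf
}

has_pathlen_zero() {  # true if Basic Constraints read "CA:TRUE, pathlen:0"
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Basic Constraints' | grep -q 'CA:TRUE, pathlen:0'
}

chain_ok() {  # chain_ok <root> <leaf> [intermediate]
  if [ $# -eq 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
# Usage: d=$(mktemp -d); build_lab_pki "$d"; has_pathlen_zero "$d/lab-intercept-ca.crt"
```

Running `has_pathlen_zero` against the certificate exported from the interception keyring is a quick pre-rollout check before that CA is distributed to clients.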
14
Resources
- SSL Proxy Deployment Web Guide: https://bto.bluecoat.com/sgos/ProxySG/63/SSL_Proxy_Deployment_WebGuide/SSL_Proxy_WebGuide.htm
- Configuring SSL Interception on the ProxySG Appliance: https://bto.bluecoat.com/support/ssl-interception
- Blue Coat Knowledge Base: https://kb.bluecoat.com
- Blue Coat Technical Support Case: https://bto.bluecoat.com/support/sr/list
- Configuring SSL Interception for Transparent Proxy: https://kb.bluecoat.com/index?page=content&id=KB3700
- Writing SSL Interception/Access Policy: https://kb.bluecoat.com/index?page=content&id=KB3716
15
Questions ??
16
Please provide feedback on this webcast to: supportnewsletter@bluecoat.com
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)