
Slide 1: Live Online Q&A Session!
Copyright © 2016 Blue Coat Systems Inc. All Rights Reserved.
We are excited to continue the live online Q&A session immediately following today's webcast. Visit the Blue Coat Customer Forums (forums.bluecoat.com) to post your questions; today's presenter, Dennis Pike, will be available to answer live and in person. A link to the Q&A discussion thread will be provided at the conclusion of today's webcast.
Important: A Blue Coat Customer Forums account is required to post questions. Don't have an account? Simply visit forums.bluecoat.com and register now.
Post a question for a chance to win a Blue Coat swag package!

Slide 2: SSL Decryption Best Practices
Hello and thank you for joining today's Blue Coat Customer Support Technical Webcast!
- The webcast will begin a minute or so after the top of the hour to allow today's very large audience sufficient time to join.
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers.
- Audio broadcast will only go live when the webcast begins; there will be silence until then.
- The presentation will run approximately 60 minutes.
- There will be a 30-minute Q/A session thereafter.
- Please submit questions using the WebEx Q/A feature!

Slide 3: SSL Decryption Best Practices
Dennis Pike, Principal Systems Engineer

Slide 4: Agenda
- SG and SSLV SSL feature overview and comparison
- SG SSL decryption best practices: General, SSL Proxy, SSL Policy
- SSLV decryption best practices: General, Policy
- Certificate deployment
- Rollout methodology
- Common issues and troubleshooting

Slide 5: SG and SSLV SSL Feature Overview and Comparison
ProxySG Appliance:
- SSL visibility and full proxy policy control for web traffic (HTTP / HTTPS)
- Selective decrypt maintains privacy via Blue Coat Intelligent Services (BCIS)
- Feeds decrypted traffic to AV and DLP solutions via ICAP
- Single output stream: Encrypted TAP (license-based)
SSL Visibility Appliance:
- Automatic visibility and policy control for all SSL/TLS traffic
- Selective decryption maintains privacy via Host Categorization (license-based)
- Standalone, high-performance appliance: 9 Gbps SSL inspection and decryption
- Multiple output streams
- Enhances IDS/IPS, NGFW, DLP, SWG, security analytics / forensics, compliance, malware analysis / sandbox, etc.

Slide 6: SG SSL Decrypt Best Practices: General
Don't run defaults!!!
Load concerns:
- ~10-15% CPU baseline increase
- Higher percentage of HTTPS (>20%)
- More demanding cipher suites (DHE, larger keys)
- Low certificate cache hit rate
SG == ASG (the same guidance applies to the Advanced Secure Gateway)

Slide 7: SG SSL Decrypt Best Practices: SSL Proxy
Tunnel on Protocol Error (i.e. non-HTTPS traffic on port 443)
- Benefit: non-conforming applications will work (Skype).
- Risk: a big security problem. A major reason for running the SSL proxy is to prevent non-HTTPS traffic from burrowing through on port 443. With Tunnel on Protocol Error enabled, that traffic will be allowed out.
- Alternative: bypass the traffic explicitly at the service level (L3) or at the SSL Intercept level (SSL), rather than letting the protocol-error path tunnel it.

Slide 8: SG SSL Decrypt Best Practices: SSL Intercept Policy
Splash text for wildcard certificates:
http://bluecoat.force.com/knowledgebase/articles/Solution/000022650

Slide 9: SG SSL Decrypt Best Practices: SSL Intercept Policy
What to bypass:
- Sites requiring client certificates
- Non-protocol-compliant traffic
- Pinned certificates
- Privacy concerns

Slide 10: SG SSL Decrypt Best Practices: SSL Intercept Policy
How to bypass (recommendations):
- Service Level Bypass: IP only; only transparent, not explicit; complete bypass.
- Disable "Detect Protocol": at the service and/or in CPL; typically explicit; results in a TCP tunnel.
- Service Level TCP Tunnel: typically transparent.
- SSL Intercept "Do Not Intercept": still SSL proxied but not decrypted; access to certificate information.

Slide 11: SG SSL Decrypt Best Practices: SSL Intercept Policy
Intercept on Exception:
- Policy denial
- Certificate error
- Error with the SSL handshake
Careful of the default behavior!!! This can be used to intercept only in order to block traffic, but the user gets an Untrusted Issuer message unless the proxy's certificate has been distributed to clients.

Slide 12: SG SSL Decrypt Best Practices: SSL Intercept Policy
Category:
- Some category conditions are only available for explicit deployments, since the hostname is exposed in the CONNECT request.
- Certificate data is available as long as the service is intercepting the traffic.
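Slides 7 and 12 both hinge on what a proxy can see in the first bytes of a port-443 connection: whether they are a TLS handshake at all (the check that Tunnel on Protocol Error would otherwise let slip through), and, for transparent deployments with no CONNECT request, the server name carried in the ClientHello's SNI extension. The following is an added, self-contained Python example, not Blue Coat code and not a description of how ProxySG's Detect Protocol is implemented; it builds constructed sample ClientHello records, classifies arbitrary port-443 bytes as TLS or not, and extracts the SNI when present. All function names are the example's own.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    With hostname=None the message carries no extensions block at all, which is
    what legacy clients that do not send SNI look like on the wire.
    """
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x00" * 32              # random (constructed, all zeros)
        + b"\x00"                   # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"               # compression methods: null only
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type 0
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext                   # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _sni_from_client_hello(body):
    """Walk a ClientHello body and return the host_name from the SNI extension, or None."""
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block present
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type = ext_data[lpos]
            name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
            name = ext_data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def classify_port443_bytes(data):
    """Classify the first bytes of a port-443 connection.

    Returns a dict with 'tls' (bool), 'sni' (str or None) and a 'reason' string,
    so a policy layer can decide: tunnel, bypass, or intercept.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return {"tls": False, "sni": None, "reason": "no TLS record header"}
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if len(payload) < rec_len:
        return {"tls": True, "sni": None, "reason": "truncated TLS record"}
    if len(payload) < 4 or payload[0] != CLIENT_HELLO:
        return {"tls": False, "sni": None, "reason": "not a ClientHello"}
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    try:
        sni = _sni_from_client_hello(body)
    except (IndexError, struct.error):
        return {"tls": False, "sni": None, "reason": "malformed ClientHello"}
    reason = "ClientHello with SNI" if sni else "ClientHello without SNI"
    return {"tls": True, "sni": sni, "reason": reason}


if __name__ == "__main__":
    # Constructed samples: a real-looking ClientHello, a legacy one without SNI,
    # and plain HTTP on 443 (the case Tunnel on Protocol Error would let out).
    for sample in (build_client_hello("www.example.com"),
                   build_client_hello(),
                   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"):
        print(classify_port443_bytes(sample))
```

A transparent proxy has only this SNI (or, once it is intercepting, the server certificate) to categorize the connection, whereas an explicit proxy already has the hostname from the CONNECT line; that is the asymmetry slide 12 describes. The non-TLS branch is the traffic that should be rejected or consciously bypassed at the service or intercept level rather than silently tunneled.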

Slide 13: SG SSL Decrypt Best Practices: SSL Access Policy
Certificate validation:
- Start with Server Certificate Validation enabled. It is very rare for a site to have a bad certificate, and if it does you want to know about it.
- Be careful with internal sites.
Trust packages:
- Make sure the trust package is updated to the latest version.
- http://bluecoat.force.com/knowledgebase/articles/Technical_Alert/000028311
CRL/OCSP: avoid.

Slide 14: SSLV Decrypt Best Practices: General
Defaults are good!

Slide 15: SSLV Decrypt Best Practices: Policy
- Default bypass
- Privacy concerns

Slide 16: Certificate Deployment
- Internal CA
- Methods to push the trusted CA: GPO/WSUS/SCCM, JAMF, MDM
- IE / Chrome vs Firefox

Slide 17: Rollout Methodology
- Whitelist vs blacklist
- Controlled: friends and family
- Departmental
- Building / floor

Slide 18: Common Issues and Troubleshooting
- HTTP issues exposed: authentication, policy, ICAP
- CPL troubleshooting: http://bluecoat.force.com/knowledgebase/articles/Solution/TroubleshootingWebSites
- PCAP (proxy vs ICAP)
- Fiddler
- ETAP

Slide 19: Common Issues and Troubleshooting
- Policy trace
- Debug SSL: https:// :8082/sslproxy/Debug
- Debug HTTP: https:// :8082/HTTP/Debug

Slide 20: Thank You

Slide 21: Blue Coat Customer Forums
- A community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- A Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

Slide 22: Thank You for Joining Today!
Please provide feedback on this webcast and suggestions for future webcasts to: john.dyer@bluecoat.com
Webcast replay and slide deck will be found here within 48 hours: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO log-in)

Slide 23: Quick Survey
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be redirected to a very short survey about satisfaction with this program. Please help us out by taking two minutes to complete it. Thank you!
Questions for Dennis?

