TRANSCRIPT
Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch, Worldwide Solution Architect - Security
2© Blue Coat Systems, Inc. 2012
SSL – a refresh
Three functions of SSL for HTTPS:
• Authenticate the end points (usually just the server)
• Hide the data during transmission
• Validate that the data arrived unchanged
Steps to an SSL connection setup:
1. Hello messages (version, cipher negotiation)
2. Certificate exchange (usually server only)
3. Master secret exchange (from which a session key is calculated)
4. Bulk data transmission (uses the session key for encryption)
What IT needs is full SSL visibility and control.
SSL Handshake and Agenda
• Server Cert Validation
• Client Cert Authentication
• Control Ciphers
• Web App Controls
• Content Inspection (Malware/DLP)
• Application Performance
Server Certificate Validation
Why is it important?
In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA. The attacker was able to issue fraudulent server certificates. This basically breaks the PKI trust model: users do not get any certificate warning …
Requirements:
• Detect revoked certificates
• Detect self-signed certificates
• Detect expired certificates
• Detect untrusted issuer
• Detect hostname mismatch
Blue Coat Solution
Revocation checking:
• Online Certificate Status Protocol (OCSP) – this is real-time!
• Certificate Revocation List (CRL)
Validate:
• CA / issuer signature
• Expiry date
• Hostname
SSL termination is not required for certificate validation.
How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy
<ssl>
client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
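Here is an added Go example (not Blue Coat code and not from this deck) that performs the checks the requirements slide lists, using Go's standard crypto/x509 package: it classifies a server certificate as ok, expired, hostname mismatch, self-signed or untrusted issuer. The makeCert helper, the root CA it generates and the example hostnames are constructed for the demonstration; OCSP/CRL revocation checking is not included.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validate checks a server certificate against the requested hostname and the root CAs the
// proxy trusts, naming the first failed check in the slide's terms (revocation is not covered).
func Validate(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	if time.Now().After(cert.NotAfter) {
		return "expired"
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.UnknownAuthorityError:
		// A signature that verifies under the cert's own public key means it is self-signed.
		if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			return "self-signed"
		}
		return "untrusted issuer"
	}
	return err.Error()
}

// makeCert is a constructed test helper: self-signed when parent is nil, else signed by parentKey.
func makeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter,
		IsCA:         isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil { signer, signKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```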
SSL Cipher Controls
Why should you care?
Compliance reasons (PCI, etc.)
• There are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI
Deny weak cipher suites by policy
Deny older SSL protocol versions by policy
Can be controlled for:
• Connection between client and proxy
• Connection between proxy and server
How to control cipher strength (VPM example)
2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium www.google.com "Search Engines/Portals" […]
2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED […] www.google.com […]
Client Certificate Authentication
Client certificate authentication use cases
(Diagram: Departments / Customers A, B and C, each holding their own X.509 certificates and public/private key pairs, connect over SSL through the SWG forward proxy using SSL interception to an OCS that requires a client certificate for authentication.)
Policy:
Src=A Dst=OCS use client cert A
Src=B Dst=OCS use client cert B
Src=C Dst=OCS use client cert C
Use Cases
This feature enables HTTPS interception for an OCS that requires client-certificate-based authentication.
This feature enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy. This feature allows:
• Selection of certificates based on user and/or group
• Selection of certificates based on destination URL
• Selection of certificates based on all available policy conditions, such as server IP, client IP/subnet, etc.
This feature enables administrators to load a large number of client certificates and their corresponding private keys from a file.
Why is this needed?
Content inspection
Certificate validation
Logging
Centralized client certificate management
Etc.
Web Application Controls
Why Web Application Controls?
240%: growth of malicious sites in 2011
40%: users infected by malware from social networking sites
1 in 14: downloads containing malware
700B: minutes users worldwide spend on Facebook per month
41%: companies have had data loss due to social networking
Granular Web Application Controls
• Multimedia: Publishing, Sharing
• Social Networks: Regulate Operations, Restrict Abuse, Prevent Data Loss
• Webmail: Send Email, Download Attachment, Upload Attachment
• Safe Search: Major Search Engines, Media Search Engines, Keyword Searches
Web Application Control Example: Different Policies for Facebook throughout an Organization
Everyone (Global Policy): Read Only Policy. No comments, posting, upload/download, games, email, chat, etc.
Marketing (Group Policy): Limited Use Policy. Can comment, post, upload, email and chat; no games, no downloads, etc.
HR/Recruiting (Group Policy): Expanded Use Policy. Can comment, post, upload, download, email, chat, but no games, etc.
CEO, CIO (Individual Policy): Full Use Policy. No restrictions.
Web and Mobile Application Controls: over 200 apps/operations supported
• Safe Search: major engines supported, media search engines as well, keyword searches
• Social Networks: regulate operations, restrict abuse
• Multi-media: publishing, sharing
• Web Mail
• And more!
Example operations: Upload Video, Upload Photo, Post Message, Send Email, Download Attachment, Upload Attachment
Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!
How to enable app controls (VPM example)
2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"
Content Inspection: Anti-Malware, DLP, etc.
Evolving Threat Landscape
• 76% of businesses have BYOD initiatives
• 72 minutes browsing the mobile web
• 240% increase in malicious sites
• 2/3 of all attacks in 2012 will be launched via malnets
• 1 in 16 malicious attacks
• Internet within an Internet
• 15% of enterprise apps by 2015
• Web applications attacked every two minutes
(The slide groups these under: Malnets, Mobile Devices, SaaS & Cloud-based Applications, Social Networking.)
Inline Threat Detection
Protection Layer Over Desktops:
• Second AV engine
• Faster update cycles
• Deep inspection: 99 layers of compression, up to 2GB files
• Users cannot tamper or disable
Latest AV Technology:
• Checksum database for known threats
• Behavioral analysis on commands/content
• Emulation of scripts and active content
Detect and block tunneled applications
No longer optional, required defense layer:
• All web traffic including SSL/TLS
Malware Scanning / DLP: Co-Processor Architecture
• Improved utilization with M:N ratio
• Higher throughput per gateway
• Results in less hardware
• Optimized design
(Diagram: Enterprise Network, ProxySG, Internet; ProxySG hands objects to ProxyAV / ProxyAV / DLP co-processors over ICAP, ICAP+, S-ICAP.)
Dual Cache Design: Clean Object Cache, Finger Print Cache
• Patience Page • Trickle First • Trickle Last • Defer Scan (media)
Web Application Performance
Dominant Trends in Apps & Networks
• Cloud-Delivered Applications
• Next-generation Networks
• IPv6
• Virtualization & IT Consolidation
• Internet
• Streaming Video
• HTML5
Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
Requirements:
• Asymmetric Cloud Caching
• Symmetric Cloud or DC (Virtual) Appliance
• Internal & External SSL Decryption
(Diagram: a WAN Branch Office connected to the Internet, Cloud SaaS, Cloud Infrastructure as-a-Service (IaaS) and the Data Center; the CloudCachingEngine caches SSL and HTTP files & objects, HTML5, Silverlight, Flash RTMP, Apple images and RTSP; asymmetric caching toward the cloud, symmetric with a Cloud M5 VA and in the data center.)
Blue Coat Branch to Cloud and internal HTTPS Optimization:
• Speed Cloud-delivered Apps 5-93X
• Low TCO with Single Box Solution
• Accelerate Internet & Web Applications
Cloud-Delivered Microsoft SharePoint: One-Armed "Cloud Caching"
(Chart, reconstructed from its data labels: load time per file, Baseline vs. BCSI Warm; the slide does not state the unit.)
File        Baseline   BCSI Warm
250k.doc    3.0        1.0
1340k.doc   22.0       1.0
7108k.doc   121.3      1.3
1100k.xls   17.0       1.0
500k.xls    6.3        1.0
250k.ppt    3.0        1.0
500k.ppt    13.0       1.0
3500k.ppt   58.0       1.2
Call-outs on the chart: 93x, 17x, 13x, 47x. Blue Coat 22x faster.
Summary and Q&A
SSL Option 1: Passthrough
• Applications passed through
• No cache
Visibility and context of:
• Network-level information
• User/group
• Applications (very limited)
(Diagram: User, TCP, SSL, Internet, Apps; control point: TCP.)
SSL Option 2: Check, then Pass
• Certificate validation
• No cache
Visibility and context of:
• Network-level information
• Certificates & certificate categories
• User/group
• Applications (very limited)
Can warn user and remind of AUP
(Diagram: User, TCP, SSL, Internet, Apps; control point: TCP.)
SSL Option 3: Full SSL Proxy
Intercept SSL based on:
• User/group
• Server certificate category
• Request URL category
• Request URL
• Src. & dest. IP
• Client hostname
• Etc.
Full caching and logging options
Visibility and context of:
• Network-level information
• Certificates & certificate categories
• User/group
• Applications & operations
• Content
• Etc.
Preserve untrusted issuer
(Diagram: User, TCP, SSL, Internet, Apps; control point: TCP and SSL.)
SSL Proxy requirements
• SSL license
• Trust between client and ProxySG, established by either:
1. Rolling out the SG's self-signed certificate
2. Integrating ProxySG into an internal CA
Legal requirements:
• These have to be verified on a per-country basis. Examples:
Germany: SSL interception has to conform with data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer would like to prevent possible damage by internet threats, and there must be a concrete risk potential (which of course exists here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.
Blue Coat Confidential – Internal Use Only
Please provide feedback on this webcast to:
Webcast replay and slide deck found here:
https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)