SSL Interception Planning and Implementation Best Practices

SSL Interception Planning and
Implementation Best Practices
Stephen Watkins, CISSP (a.m. webcast)
Matthew Lange, CISSP (p.m. webcast),
Blue Coat Americas Consulting
Agenda
• Introduction
• Why SSL Intercept
• Critical Planning Elements
• Implementation Best Practices
• Resources
• Questions
Introduction
 Stephen Watkins, CISSP (79463)
• 4+ years Blue Coat Professional Services
• 16 years Information Security experience
• MS Computer Science; Information Security (JMU, 2005)
• BS Computer Science (ODU, 1999)
• Publications (ISBNs: 1597490318, 1597490601, 1597491098)
 Matthew Lange, CISSP (#43861)
• 2+ years Blue Coat Professional Services
• 12 years Information Security experience
 Khaled Nassar
• 10 years Developing and Implementing Security Solutions
• 5+ years experience with Blue Coat ProxySG
© Blue Coat Systems, Inc. 2012
Why SSL Intercept?
 Increased granularity for content filtering
• SSL Proxy vs. SSL Interception
 SSL Proxy alone can do content filtering (without SSL Interception)
• Explicit vs. Transparent interception
 Deep level protocol inspection (HTTP)
• HTTPS is just encapsulated HTTP
• HTTP Headers, etc. are readable after SSL Interception
 ICAPS handoff
• Antivirus (AV) inspection; RespMod
• Data Leakage Protection (DLP) inspection; ReqMod
 Logging and Reporting for SSL/HTTPS
SSL Interception:
Critical Planning Elements
 Project Planning leads to Project Success
 What does our environment look like?
• How does the ProxySG enforce policy for known entities?
• Network segments: admin, DMZ, guest, BYOD, mobile, etc.
• Client lists; managed or unmanaged?
• User-Agents (think certificate distribution)?
• Non-proxy-aware applications like Windows Update, etc.?
• Will certificate distribution be difficult for some clients/applications?
 What/Who is going to be intercepted?
• Policy exemptions for CF Categories, sources, destinations?
• Discuss with HR/Legal to receive feedback regarding privacy concerns
SSL Interception:
Critical Planning Elements
 Authentication for HTTPS requests
• Explicit vs. Transparent deployment
 Explicit much easier; transparent can be challenging
• Surrogate type (IP, Cookie, none)?
• Confirm using the SSL/HTTPS authentication virtual URL
• https://hostname:4443
• Transparent authentication requires a Reverse Proxy Listener on the ProxySG
• HTTPS Reverse Proxy listener for port 4443
• Single hostname for virtual URL; why?
• https://hostname:4443 instead of https://hostname.domain.com:4443
• Trusted by IE (Local Intranet zone); automatically submits NTLM credentials (IWA)
SSL Interception:
Critical Planning Elements
 SSL Keyring and Certificate/s
• Distribution is Key!!
• Why aren’t public (VeriSign, etc.) certificates a valid option?
 Significant cost factor if approved
• Self-signed or signed with an internal CA?
• How many ProxySGs do you have?
• Does your organization have issues with housing a Subordinate CA Cert on the ProxySG/s? (check with your security CA team)
• ProxySG sizing is key also. If you are adding SSL Interception to an existing solution, make sure your ProxySGs will handle the overhead associated with SSL/HTTPS interception. (Ask an SE)
• ProxySG certificate emulation (next slide)
• Extract certificate hostname & expiration date, then sign it with the SSL Interception Keyring Certificate
SSL Interception Model
SSL Interception:
Critical Planning Elements
 Testing Critical Business Applications!
• Project Discovery & Documentation are necessary
 Enumerate your applications
 Document their working condition prior to implementation
• How to correct issues with applications?
 Disable interception / tunnel traffic via config/policy
 Enable service listener for specific targets (TCP Tunnel Proxy)
 Add a service listener and set it to Bypass
 Standard ProxySG troubleshooting methods apply
– Policy Trace, Packet Capture, Event Log, Access Log, Advanced URLs
– Isolating the issue and choosing the appropriate corrective policy/configuration
SSL Interception:
Critical Planning Elements
 Rollout Plan
• Have you documented your implementation procedures, test plan, and back-out plan?
• Success criteria are critical! They are how we measure that things are working as expected; what will a successful rollout (at each milestone) look like to your organization?
• Identify a small pilot group for initial testing (IT group?)
• SSL Interception is never a light-switch rollout; aim to minimize risk and production interruption
• Define gradual increases in exposure based on BU sensitivity. Avoid fighting too many fires at once or risk having to back out the entire solution; target small successes
• No one knows everything; know when to call a peer or Blue Coat Technical Support for help troubleshooting problems
SSL Implementation Best Practices
 Protecting User Data
• For the most part, HTTPS uses SSL encapsulation to protect the integrity/privacy of transactions
 Alternative purposes are now in use, but still protect transaction data
• Use Secure ICAP
 Once the ProxySG terminates the client SSL connection, it will offload to the ICAP peer in plain text
• Consider which CF categories to exempt
• Use on-box Content Filters to prevent clear-text URL transmission; enable secure connections for WebPulse
• Modify logging to disable URL and header information for HTTPS requests/responses
 HTTP GET can carry parameters in the URL also; similar to POST
SSL Implementation Best Practices
 Tunnel Non-Standard Applications
• Not all SSL/HTTPS applications are compatible with ProxySG
• WebEx, GotoMyPC, Skype
 Decide how to handle certificate errors from the OCS
• Prior to SSL Proxy Interception, users chose how to handle certificate errors (browser behavior).
• Disable and allow browser behavior or deny access?
 Disable weak versions of SSL
• SSL v2 is weak; disable it in the SSL Client configuration
SSL Implementation Best Practices
 Set pathlen=0 on the CA certificate for SSL Interception
• This prevents the certificate from creating/signing other Subordinate CA Certificates
 Use an Internal CA when available to reduce complexity
• Internal CA root certificates are already trusted by managed clients and allow you to extend the certificate expiration period (2 years for self-signed certs). It also prevents administrators from having to create/modify a GPO (or alternative distribution method)
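Two of the points above, certificate emulation and pathlen=0 on the interception CA, worked through with OpenSSL as an added example; this is not Blue Coat's or the ProxySG's own code. It assumes openssl 1.1.1 or later and GNU date, and all names (Example Internal Root CA, www.example.test) are constructed.

```shell
#!/bin/sh
# Added example (not Blue Coat code). Assumes openssl >= 1.1.1 and GNU date.
# Builds a throwaway internal root CA and an SSL Interception CA constrained to
# pathlen:0, emulates an origin (OCS) certificate as the slides describe, and
# shows that validators reject anything issued under a CA the interception CA signs.
set -e
WORK=${WORK:-$(mktemp -d)}; cd "$WORK"
quiet() { "$@" >/dev/null 2>&1; }
cert_cn()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'; }
cert_end() { date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s; }
# Root CA (stands in for the organisation's internal CA) plus the subordinate
# interception CA that would be loaded into the ProxySG keyring, with pathlen:0.
build_pki() {
  quiet openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Internal Root CA" -days 3650
  quiet openssl req -new -newkey rsa:2048 -nodes -keyout icap.key -out icap.csr \
    -subj "/CN=ProxySG SSL Interception CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext
  quiet openssl x509 -req -in icap.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out icap.crt -days 730 -extfile sub.ext
}
# Certificate emulation: copy the origin cert's hostname and expiry, then sign a
# fresh key with the interception CA. Writes emu.crt / emu.key.
emulate() {  # $1 = origin server certificate (PEM)
  host=$(cert_cn "$1")
  days=$(( ( $(cert_end "$1") - $(date -u +%s) + 86399 ) / 86400 ))  # round up
  quiet openssl req -new -newkey rsa:2048 -nodes -keyout emu.key -out emu.csr -subj "/CN=$host"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" >leaf.ext
  quiet openssl x509 -req -in emu.csr -CA icap.crt -CAkey icap.key -CAcreateserial \
    -out emu.crt -days "$days" -extfile leaf.ext
}
# pathlen:0 in action: a CA certificate signed by the interception CA still chains
# cryptographically, but path validation must reject leaves issued beneath it.
pathlen_rejects_sub_sub_ca() {
  quiet openssl req -new -newkey rsa:2048 -nodes -keyout sub2.key -out sub2.csr -subj "/CN=Sub-Sub CA"
  printf 'basicConstraints=critical,CA:TRUE\n' >ca.ext
  quiet openssl x509 -req -in sub2.csr -CA icap.crt -CAkey icap.key -CAcreateserial \
    -out sub2.crt -days 365 -extfile ca.ext
  quiet openssl req -new -newkey rsa:2048 -nodes -keyout deep.key -out deep.csr -subj "/CN=deep.example.test"
  quiet openssl x509 -req -in deep.csr -CA sub2.crt -CAkey sub2.key -CAcreateserial -out deep.crt -days 30
  ! quiet openssl verify -CAfile root.crt -untrusted icap.crt -untrusted sub2.crt deep.crt
}
build_pki
# Constructed stand-in for the certificate the proxy receives from an origin server.
quiet openssl req -x509 -newkey rsa:2048 -nodes -keyout ocs.key -out ocs.crt -subj "/CN=www.example.test" -days 90
emulate ocs.crt
openssl verify -CAfile root.crt -untrusted icap.crt emu.crt   # prints "emu.crt: OK"
pathlen_rejects_sub_sub_ca && echo "pathlen:0 enforced: sub-sub CA chain rejected"
```

The emulated certificate carries the origin hostname and an expiry within a day of the original while chaining to the internal root; the second chain fails with a path length error even though every signature in it is valid.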
Resources
 SSL Proxy Deployment Web Guide
• https://bto.bluecoat.com/sgos/ProxySG/63/SSL_Proxy_Deployment_WebGuide/SSL_Proxy_WebGuide.htm
 Configuring SSL Interception on the ProxySG Appliance
• https://bto.bluecoat.com/support/ssl-interception
 Blue Coat Knowledge Base
• https://kb.bluecoat.com
 Blue Coat Technical Support Case
• https://bto.bluecoat.com/support/sr/list
 Configuring SSL Interception for Transparent Proxy
• https://kb.bluecoat.com/index?page=content&id=KB3700
 Writing SSL Interception/Access Policy
• https://kb.bluecoat.com/index?page=content&id=KB3716
Questions
Please provide feedback on this webcast to:
[email protected]
Webcast replay and slide deck found here:
https://bto.bluecoat.com/training/customer-support-technical-webcasts
(requires BTO login)