Solving Your Encryption Dilemma with Blue Coat
Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch
Worldwide Solution Architect - Security
SSL – a refresh
Three functions of SSL for HTTPS
• Authenticate the end points (usually just server)
• Hide the data during transmission
• Validate the data arrived unchanged
Steps to an SSL connection setup
1. Hello messages (version, cipher negotiation)
2. Certificate exchange (usually server only)
3. Master secret exchange (from which a session key is calculated)
4. Bulk data transmissions (uses session key for encryption)
What IT needs is full SSL visibility and control
© Blue Coat Systems, Inc. 2012
SSL Handshake and Agenda
Agenda (following the handshake from the outside in):
• Server Cert Validation
• Client Cert Authentication
• Control Cyphers
• Web App Controls
• Content Inspection (Malware/DLP)
• Application Performance
Server Certificate Validation
Why is it important?
In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA.
The attacker was able to issue fraudulent server certificates.
This basically breaks the PKI trust model: users do not get any certificate warning …
Requirements
Detect revoked certificates
Detect self-signed certificates
Detect expired certificates
Detect untrusted issuer
Detect hostname mismatch
Blue Coat Solution
Revocation checking
• Online Certificate Status Protocol (OCSP) – this is real-time!
• Certificate Revocation List (CRL)
Validate
• CA / issuer signature
• Expiry date
• Hostname
SSL termination is not required for certificate validation
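The five checks listed under Requirements, worked through as an added example (this is not ProxySG code). The certificate records, the trust store and the revocation table are constructed stand-ins for what a proxy takes from the real X.509 chain, a downloaded CRL or an OCSP response; the hostname matcher follows the RFC 6125 wildcard rules so that a `*.example.com` certificate is rejected for the bare domain.

```python
"""Certificate validation checks as listed under Requirements.

Added illustration, not ProxySG code: the certificate records, trust store
and revocation table below are constructed stand-ins for what a proxy gets
from the real X.509 chain, a CRL download or an OCSP response.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    subject: str            # distinguished name of the server certificate
    issuer: str             # distinguished name of the signing CA
    serial: int             # serial number, unique per issuer
    not_before: datetime
    not_after: datetime
    dns_names: tuple        # subjectAltName DNS entries


# Constructed trust store: issuers whose signatures we accept.
TRUSTED_ISSUERS = {"CN=Example Root CA"}
# Constructed revocation data keyed by (issuer, serial), the way a CRL entry
# or an OCSP "revoked" response identifies a certificate.
REVOKED = {("CN=Example Root CA", 4242)}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching: a wildcard is allowed only as the whole
    leftmost label and covers exactly one label, so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def validate(cert: CertRecord, hostname: str, now: datetime) -> list:
    """Return the names of the failed checks; an empty list means the
    certificate would be accepted."""
    findings = []
    if (cert.issuer, cert.serial) in REVOKED:
        findings.append("revoked")
    if cert.issuer == cert.subject:
        findings.append("self-signed")
    if not cert.not_before <= now <= cert.not_after:
        findings.append("expired")          # also covers not-yet-valid
    if cert.issuer not in TRUSTED_ISSUERS:
        findings.append("untrusted-issuer")
    if not any(hostname_matches(n, hostname) for n in cert.dns_names):
        findings.append("hostname-mismatch")
    return findings


# Constructed sample certificates, all checked against the same fixed clock.
NOW = datetime(2012, 8, 22, 13, 0, tzinfo=timezone.utc)
VALID_FROM = datetime(2012, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2013, 1, 1, tzinfo=timezone.utc)

SAMPLES = {
    "good": CertRecord("CN=www.example.com", "CN=Example Root CA", 1,
                       VALID_FROM, VALID_TO, ("www.example.com", "example.com")),
    "self-signed": CertRecord("CN=www.example.com", "CN=www.example.com", 2,
                              VALID_FROM, VALID_TO, ("www.example.com",)),
    "expired": CertRecord("CN=www.example.com", "CN=Example Root CA", 3,
                          VALID_FROM, datetime(2012, 6, 1, tzinfo=timezone.utc),
                          ("www.example.com",)),
    "untrusted": CertRecord("CN=www.example.com", "CN=Unknown CA", 4,
                            VALID_FROM, VALID_TO, ("www.example.com",)),
    "wildcard-too-short": CertRecord("CN=*.example.com", "CN=Example Root CA", 5,
                                     VALID_FROM, VALID_TO, ("*.example.com",)),
    "revoked": CertRecord("CN=www.example.com", "CN=Example Root CA", 4242,
                          VALID_FROM, VALID_TO, ("www.example.com",)),
}


def run_checks(hostname: str = "www.example.com") -> dict:
    """Validate every sample against the requested hostname."""
    host_for = {"wildcard-too-short": "example.com"}   # bare domain vs *.example.com
    return {name: validate(cert, host_for.get(name, hostname), NOW)
            for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name:20s} -> {findings or ['ok']}")
```

Each check is independent, so a self-signed certificate from an unknown issuer reports both findings; a real deployment decides by policy which findings block, which only warn, and which are logged.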
How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy
<ssl>
client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
SSL Cypher Controls
Why should you care?
Compliance reasons (PCI, etc.)
• There are cypher suites and SSL versions (e.g. SSL 2.0) that do not comply with standards such as PCI
Deny weak cypher suites by policy
Deny older SSL protocol version by policy
Can be controlled for:
• Connection between client and proxy
• Connection between proxy and server
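The same "deny weak cypher suites, deny older protocol versions" control, shown on a single TLS endpoint as an added example (not Blue Coat's code): Python's ssl module stands in for one leg of the connection, and a small audit function flags suite names that would fail a PCI-style policy. The list of suite names handed to the audit is constructed; the hardened context is inspected live, so the exact number of suites depends on the local OpenSSL build.

```python
"""Cipher-suite and protocol-version policy on a TLS endpoint.

Added illustration, not ProxySG code: the proxy enforces this by policy on
the client-to-proxy and proxy-to-server legs; here Python's ssl module plays
the role of one such endpoint so the effect can be inspected offline.
"""
import re
import ssl

# OpenSSL-style suite names we treat as non-compliant: export grade, NULL
# encryption or authentication, anonymous key exchange, RC4, DES/3DES, MD5 MACs.
WEAK_PATTERN = re.compile(r"^EXP|NULL|ADH|AECDH|RC4|DES|MD5", re.IGNORECASE)

# Constructed list of suite names, as an audit of a permissive endpoint might see.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "NULL-MD5",
    "EXP-RC4-MD5",
    "AES256-GCM-SHA384",
]


def weak_ciphers(names):
    """Return the suite names that match a weak pattern, in input order."""
    return [n for n in names if WEAK_PATTERN.search(n)]


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses legacy protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSL 2.0/3.0, TLS 1.0/1.1 out
    # "HIGH" keeps strong suites; the "!" entries remove anonymous, NULL, MD5,
    # RC4, DES/3DES, export and PSK/SRP suites from the negotiable set.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT:!PSK:!SRP")
    ctx.verify_mode = ssl.CERT_REQUIRED               # certificate validation stays on
    ctx.check_hostname = True
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize what the context will negotiate so policy can be audited."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites": len(names),
        "weak": weak_ciphers(names),
    }


if __name__ == "__main__":
    print("constructed audit list ->", weak_ciphers(SAMPLE_SUITES))
    print("hardened context ->", describe(hardened_context()))
```

Running the audit against the hardened context should return no weak suites; running it against whatever a client or server actually offers is a quick way to check that a policy like the one on the slide has taken effect on both legs.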
How to control cipher strength (VPM example)
2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium www.google.com "Search Engines/Portals" […]
2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED […] www.google.com […]
Client Certificate Authentication
Client certificate authentication use cases
Each department / customer (A, B, C) holds its own X.509 certificate (public / private key pair) carrying fields such as Name, Email Address, Country, City, Address, Server URL, Key Usage, etc.
The OCS requires a client certificate for authentication; the SWG forward proxy, using SSL interception, presents the matching certificate on the client's behalf.
Policy:
Src=A Dst=OCS use client cert A
Src=B Dst=OCS use client cert B
Src=C Dst=OCS use client cert C
Use Cases
This feature enables HTTPS interception for an OCS that requires client certificate based authentication.
It lets ProxySG act as a proxy presenting the appropriate client certificate to the OCS based on configured policy, allowing:
• Selection of certificates based on user and/or group
• Selection of certificates based on destination URL
• Selection of certificates based on all available policy conditions, such as server IP, client IP / subnet, etc.
It also lets administrators load a large number of client certificates and their corresponding private keys from a file.
Why is this needed?
Content inspection
Certificate validation
Logging
Centralized client certificate management
Etc.
Web Application Controls
Why Web Application Controls?
240% growth of malicious sites in 2011
40% of users infected by malware from social networking sites
1 in 14 downloads containing malware
700B minutes users worldwide spend on Facebook per month
41% of companies have had data loss due to social networking
Granular Web Application Controls
Safe Search: Major Search Engines, Media Search Engines, Keyword Searches
Social Networks: Regulate Operations, Restrict Abuse, Prevent Data Loss
Webmail: Send Email, Download Attachment, Upload Attachment
Multimedia: Publishing, Sharing
Web Application Control Example
Different Policies for Facebook throughout an Organization
Read Only Policy (Global Policy, Everyone): No comments, posting, upload/download, games, email, chat, etc.
Limited Use Policy (Group Policy, Marketing): Can comment, post, upload, email and chat; no games, no downloads, etc.
Expanded Use Policy (Group Policy, HR/Recruiting): Can comment, post, upload, download, email, chat, but no games, etc.
Full Use Policy (Individual Policy, CEO, CIO): No Restrictions
Web and Mobile Application Controls
Over 200 apps/operations supported
• Safe Search: Major Engines supported, Media Search engines as well, Keyword Searches
• Social Networks: Regulate Operations, Restrict abuse
• Multi-media: Publishing, Sharing
• Web Mail
• And More!
Example operations: Upload Video, Upload Photo, Post Message, Send Email, Download Attachment, Upload Attachment
Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!
How to enable app controls (VPM example)
2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"
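Access-log entries like the one above are what a SOC actually works from, so here is an added example (not Blue Coat code) that parses such lines and summarizes which application operations policy blocked. The field order is an assumption: the first 24 fields are taken to follow the standard "main" access-log format and the last four to be custom trailing fields (host, category, application name, operation) as they appear in the slide's line; the trailing field names are invented labels, and the second sample line is constructed to show an allowed request in the same layout. Adjust the field lists to your own access-log format definition.

```python
"""Parsing ProxySG-style access-log lines and summarizing policy denials.

Added example, not Blue Coat code. The field order is an assumption: the
first 24 fields follow the standard "main" log format and the last four are
custom trailing fields (host, category, application name, operation) as seen
in the log line on the slide; adjust the field lists to your own format.
The second sample line is constructed to show an allowed request.
"""
import shlex
from collections import Counter

MAIN_FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "sc-status",
    "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme", "cs-host",
    "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs-uri-extension",
    "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
]
# Invented labels for the four trailing custom fields.
TRAILING_FIELDS = ["app-host", "app-category", "app-name", "app-operation"]

SAMPLE_LINES = [
    # From the slide (joined onto one line).
    '2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"',
    # Constructed: an allowed search request in the same layout.
    '2012-08-22 14:01:02 120 192.168.178.100 Michael - - OBSERVED "Search Engines/Portals" 200 TCP_NC_MISS GET text/html https www.google.com 443 /search q=proxysg - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 5120 610 - none - none high www.google.com "Search Engines/Portals" "Google" "Search"',
]


def parse_access_line(line: str) -> dict:
    """Split one ELFF-style line (space separated; double-quoted values may
    contain spaces) into a dict keyed by field name."""
    tokens = shlex.split(line)
    if len(tokens) < len(MAIN_FIELDS) + len(TRAILING_FIELDS):
        raise ValueError(f"expected at least 28 fields, got {len(tokens)}")
    record = dict(zip(MAIN_FIELDS, tokens))          # zip stops after 24 fields
    record.update(zip(TRAILING_FIELDS, tokens[-4:]))
    return record


def is_policy_denied(record: dict) -> bool:
    """Policy denials carry the policy_denied exception and a DENIED filter result."""
    return (record["x-exception-id"] == "policy_denied"
            or record["sc-filter-result"] == "DENIED")


def denied_operations(lines) -> list:
    """(user, application, operation) for every request that policy blocked."""
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if is_policy_denied(rec):
            out.append((rec["cs-username"], rec["app-name"], rec["app-operation"]))
    return out


def denial_counts(lines) -> dict:
    """How often each application/operation pair was blocked."""
    return dict(Counter((app, op) for _, app, op in denied_operations(lines)))


if __name__ == "__main__":
    for rec in map(parse_access_line, SAMPLE_LINES):
        print(rec["time"], rec["sc-filter-result"], rec["cs-host"], rec["app-operation"])
    print(denial_counts(SAMPLE_LINES))
```

The slide's earlier cipher-strength lines are elided with […] and cannot be parsed positionally, which is itself a practical point: keep the log format fixed and complete, because every consumer downstream depends on the field positions.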
Content Inspection
Anti-Malware, DLP, etc.
Evolving Threat Landscape
Social networking, malnets, mobile devices, SaaS & cloud-based applications:
• 240% increase in malicious sites
• 1 in 16 malicious attacks
• 2/3 of all attacks in 2012 will be launched via malnets (an "Internet within an Internet")
• 15% of enterprise apps by 2015
• 76% of businesses have BYOD initiatives
• Web applications attacked every two minutes
• 72 minutes browsing the mobile web
Inline Threat Detection
Protection Layer Over Desktops
• Second AV engine
• Faster update cycles
• Deep inspection (99 layers of compression, up to 2GB files)
• Users cannot tamper or disable
Latest AV Technology
• Checksum database for known threats
• Behavioral analysis on commands/content
• Emulation of scripts and active content
Detect and block tunneled applications
No longer optional, required defense layer
• All web traffic including SSL/TLS
Malware Scanning / DLP: Co-Processor Architecture
Improved utilization with M:N ratio
Higher throughput per gateway
Results in less hardware
Optimized design
Components (Enterprise Network – ProxySG – Internet): ProxySG hands objects to ProxyAV and DLP co-processors over ICAP, ICAP+ or S-ICAP
Dual Cache Design: Clean Object Cache, Finger Print Cache
User-experience options while scanning:
• Patience Page
• Trickle First
• Trickle Last
• Defer Scan (media)
Web Application Performance
Dominant Trends in Apps & Networks
• Virtualization & IT Consolidation
• Streaming Video
• Cloud-Delivered Applications
• Next-generation Networks
Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
[Figure: Blue Coat Branch to Cloud and internal HTTPS Optimization – a branch office with a Cloud Caching Engine (M5 VA) reaching cloud SaaS and cloud infrastructure-as-a-service (IaaS) over the Internet and the data center over a symmetric WAN; traffic shown includes Flash RTMP, Silverlight, HTML5, RTSP and Apple HTTP streaming, files & objects (HTTP and SSL), and images]
Requirements
Speed Cloud-delivered Apps 5-93X
Asymmetric Cloud Caching
Low TCO with Single Box Solution
Symmetric Cloud or DC (Virtual) Appliance
Accelerate Internet & Web Applications
Internal & External SSL Decryption
Cloud-Delivered Microsoft SharePoint
One-Armed "Cloud Caching"
[Chart: Baseline vs. BCSI Warm for 250k.doc, 1340k.doc, 7108k.doc, 1100k.xls, 500k.xls, 250k.ppt, 500k.ppt and 3500k.ppt; speed-ups shown range from 13x to 93x, with "Blue Coat 22x faster" highlighted]
Summary and Q&A
SSL Option 1: Passthrough
Applications passed through
No cache
Visibility and context of:
• Network-level information
• User/group
• Applications (very limited)
[Diagram: proxy control over apps and users; SSL and TCP are passed through to the Internet untouched]
SSL Option 2: Check, then Pass
Certificate validation
No cache
Visibility and context of:
• Network-level information
• Certificates & certificate categories
• User/group
• Applications (very limited)
Can warn user and remind of AUP
[Diagram: proxy control over apps and users; SSL is checked and then passed through to the Internet over TCP]
SSL Option 3: Full SSL Proxy
Full caching and logging options
Visibility and context of:
• Network-level information
• Certificates & certificate categories
• User/group
• Applications & Operations
• Content
• Etc.
Intercept SSL based on:
• User/group
• Server certificate category
• Request URL Category
• Request URL
• Src. & dest. IP
• Client hostname
• Etc.
Preserve untrusted issuer
[Diagram: proxy control over apps and users; SSL is terminated at the proxy and re-established towards the Internet, with separate SSL and TCP sessions on each side]
SSL Proxy requirements
SSL license
Trust between client and ProxySG:
1. Roll out the ProxySG's self-signed certificate
2. Integrate ProxySG into an internal CA
Legal requirements:
• These have to be verified on a per-country basis. Examples:
Germany: SSL interception has to conform to data protection law (BDSG). To be allowed to intercept SSL, the justification has to be that the customer wants to prevent possible damage from internet threats, and there must be a concrete risk potential (which of course exists here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.
Questions?
[email protected]
Please provide feedback on this webcast to: [email protected]
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
Blue Coat Confidential – Internal Use Only