Transcript Solving Your Encryption Dilemma with Blue Coat

Solving Your Encryption
Dilemma with Blue Coat –
SSL & Certificate Handling
Michael Mauch
Worldwide Solution Architect - Security
SSL – a refresh
 Three functions of SSL for HTTPS
• Authenticate the end points (usually just server)
• Hide the data during transmission
• Validate the data arrived unchanged
 Steps to an SSL connection setup
1.
2.
3.
4.
Hello messages (version, cipher negotiation)
Certificate exchange (usually server only)
Master secret exchange (from which a session key is
calculated)
Bulk data transmissions (uses session key for encryption)
What IT needs is full SSL visibility and control
© Blue Coat Systems, Inc. 2012
2
SSL Handshake and Agenda
Server Cert
Validation
Client Cert
Authentication
Control
Cyphers
Control
Cyphers
Client Cert
Authentication
Web App
Controls
Content
Inspection
(Malware/DLP)
Application
Performance
© Blue Coat Systems, Inc. 2012
3
Server Certificate
Validation
Why is it important?
 In 2011, (at least) 2 Certificate Authorities have been
hacked: Comodo CA and DigiNotar CA
The attacker has been able to issue fraudulent server
certificates
This basically breaks the PKI trust model. Users do not get
any certificate warning …
 Requirements





Detect revoked certificates
Detect self-signed certificates
Detect expired certificates
Detect untrusted issuer
Detect hostname mismatch
© Blue Coat Systems, Inc. 2012
5
Blue Coat Solution
 Revocation checking
• Online Certificate Status Protocol (OCSP) – this is real-time!
• Certificate Revocation List (CRL)
 Validate
• CA / issuer signature
• Expiry date
• Hostname
SSL termination is not required for certificate validation
© Blue Coat Systems, Inc. 2012
6
How to enable OCSP (CPL example)
 Step 1:
Add OCSP responder
 Step 2:
Add certificate validation policy
<ssl>
client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
© Blue Coat Systems, Inc. 2012
7
SSL Cypher Controls
Why should you care?
 Compliance reasons (PCI, etc.)
• There are cypher suites and SSL versions (e.g. SSL 2.0) that
are not compliant to standards like PCI
 Deny weak cypher suites by policy
 Deny older SSL protocol version by policy
 Can be controlled for:
• Connection between client and proxy
• Connection between proxy and server
© Blue Coat Systems, Inc. 2012
9
How to control cipher strength (VPM example)
 2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium
www.google.com "Search Engines/Portals” […]
 2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied
DENIED […] www.google.com […]
© Blue Coat Systems, Inc. 2012
10
Client Certificate
Authentication
Client certificate authentication use cases
Name
Email Address
Country
City
Address
Server URL
Key – Usage
Etc.
Name
Email Address
Country
City
Address
Server URL
Key – Usage
Etc.
Name
Email Address
Country
City
Address
Server URL
Key – Usage
Etc.
 X.509 certificates
 pub / priv key pairs
Department / Customer A
SSL
SSL
OCS requires client certificate
for authentication
Department / Customer B
SWG fwd proxy using
SSL interception
Department / Customer C
Policy:
Src=A Dst=OCS  use client cert A
Src=B Dst=OCS  use client cert B
Src=C Dst=OCS  use client cert C
© Blue Coat Systems, Inc. 2012
12
Use Cases
 This feature enables HTTPS interception for an OCS that
requires client certificate based authentication.
 This feature enables ProxySG to act as a proxy presenting
the appropriate client certificate to the OCS based on
configured policy. This feature allows
• Selection of certificates based on user and/or group
• Selection of certificates based on destination URL
• Selection of certificates based on all available policy
conditions like server IP, client IP/ subnet / etc
 This feature enables administrators to load a large number
of client certificates and their corresponding private keys
from a file.
© Blue Coat Systems, Inc. 2012
13
Why is this needed?
 Content inspection
 Certificate validation
 Logging
 Centralized client certificate management
 Etc.
© Blue Coat Systems, Inc. 2012
14
Web Application
Controls
Why Web Application Controls?
240%
40%
Growth of
malicious
sites in 2011
Users infected
by malware
from social
networking
sites
© Blue Coat Systems, Inc. 2012
1 in 14
700B
41%
Downloads
containing
malware
Minutes
users
worldwide
spend on
Facebook per
month
Companies
have had data
loss due to
social
networking
16
Granular Web Application Controls
Safe Search
Social
Networks
Webmail
Multimedia
Major Search Engines
Media Search Engines
Keyword Searches
Regulate Operations
Restrict Abuse
Prevent Data Loss
Send Email
Download Attachment
Upload Attachment
Publishing
Sharing
© Blue Coat Systems, Inc. 2012
17
Web Application Control Example
Different Policies for Facebook throughout an Organization
Read Only Policy
Global Policy
Everyone
Limited Use Policy
Group Policy
Marketing
Can comment, post, upload, email and
chat, no games, no downloads, etc
Expanded Use Policy
Group Policy
HR/Recruiting
Can comment, post, upload, download,
email, chat, but no games, etc.
Full Use Policy
Individual Policy
No Restrictions
CEO, CIO
© Blue Coat Systems, Inc. 2012
No comments, posting, upload/download,
games, email, chat, etc
18
Web and Mobile Application Controls
 Over 200 apps/operations supported
• Safe Search
 Major Engines supported
 Media Search engines as well
 Keyword Searches
• Social Networks
 Regulate Operations
 Restrict abuse
• Multi-media
 Publishing
 Sharing
• Web Mail
• And More!
© Blue Coat Systems, Inc. 2012
Upload Video
Upload Photo
Post Message
Send Email
Download Attachment
Upload Attachment
19
Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!
© Blue Coat Systems, Inc. 2012
20
How to enable app controls (VPM example)
 VPM
© Blue Coat Systems, Inc. 2012
21
How to enable app controls (VPM
example)
 2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social
Networking" 403 TCP_DENIED POST - https www.facebook.com 443
/ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0)
Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high
www.facebook.com "Social Networking" "Facebook" "Post Messages"
© Blue Coat Systems, Inc. 2012
22
Content Inspection
Anti-Malware, DLP, etc.
Evolving Threat Landscape
SOCIAL
NETWORKING
MALNETS
 240% Increase in
Malicious Sites
 1 in 16 Malicious
Attacks
 2/3 of All Attacks in
2012 Will Be
Launched via Malnets
 Internet within an
Internet
MOBILE
DEVICES
SAAS & CLOUDBASED APPLICATIONS
 15% of Enterprise
Apps by 2015
 76% Businesses
Have BYOD
Initiatives
 Web Applications
Attacked Every Two
Minutes
 72 Minutes
Browsing the
Mobile Web
© Blue Coat Systems, Inc. 2011.
24
Inline Threat Detection
 Protection Layer Over Desktops
• Second AV engine
• Faster update cycles
• Deep inspection
99 layers of compression, up to 2GB files
• Users cannot tamper or disable
 Latest AV Technology
• Checksum database for known threats
• Behavioral analysis on commands/content
• Emulation of scripts and active content
 Detect and block tunneled applications
 No longer optional, required defense layer
• All web traffic including SSL/TLS
© Blue Coat Systems, Inc. 2012
25
Malware Scanning / DLP: Co-Processor
Architecture
 Improved utilization with M:N ratio
 Higher throughput per gateway
 Results in less hardware
 Optimized design
ProxyAV
ProxyAV
ICAP, ICAP+, S-ICAP
DLP
Dual Cache Design
Clean Object Cache
Finger Print Cache
Enterprise
Network
ProxySG
© Blue Coat Systems, Inc. 2012
• Patience Page
• Trickle First
• Trickle Last
• Defer Scan (media)
26
Internet
Web Application
Performance
Dominant Trends in Apps & Networks
Virtualization & IT
Consolidation
© Blue Coat Systems, Inc. 2012
Streaming
Video
Cloud-Delivered
Applications
28
Next-generation
Networks
Use Case example: Cloud SaaS & IaaS and
internal HTTPS Optimization
Cloud SaaS
Cloud Infrastructure
as-a-Service (IaaS)
Cloud
M5 VA
6MB
INTERNET
Flash
RTMP
Silverlight
Cloud
Caching
Engine
HTML5
6MB
RTSP
DATA CENTER
Symmetric
WAN
Blue Coat Branch to
Cloud and internal HTTPS Optimization
Apple
HTTP
Files &
Objects
SSL
Files &
Objects
Images
Branch Office
Requirements
 Speed Cloud-delivered Apps 5-93X
 Asymmetric Cloud Caching
 Low TCO with Single Box Solution
 Symmetric Cloud or DC (Virtual) Appliance
 Accelerate Internet & Web Applications
 Internal & External SSL Decryption
© Blue Coat Systems, Inc. 2012
29
Cloud-Delivered Microsoft SharePoint
One-Armed “Cloud Caching”
0
250k.doc
1340k.doc
7108k.doc
1100k.xs
500k.xls
250k.ppt
500k.ppt
3500k.ppt
© Blue Coat Systems, Inc. 2012
20
40
60
3.0
1.0
80
100
120
Blue Coat
22x faster
22.0
1.0
121.3
93x
1.3
17.0
1.0
17x
Baseline
6.3
1.0
BCSI Warm
3.0
1.0
13.0
1.0
13x
58.0
1.2
47x
30
Summary and Q&A
SSL Option 1: Passthrough
 Applications passed through
 No cache
 Visibility and context of:
Option 1
• Network-level information
• User/group
• Applications (very limited)
Control
Apps
User
SSL
Internet
TCP
© Blue Coat Systems, Inc. 2012
TCP
32
SSL Option 2: Check, then Pass
 Certificate validation
 No cache
 Visibility and context of:
•
•
•
•
Option 2
Network-level information
Certificates & certificate categories
User/group
Applications (very limited)
 Can warn user and remind of AUP
Control
Apps
User
SSL
Internet
TCP
© Blue Coat Systems, Inc. 2012
TCP
33
SSL Option 3: Full SSL Proxy
 Full caching and logging options  Intercept SSL based on:
 Visibility and context of:
•
•
•
•
•
•
Network-level information
Certificates & certificate categories
User/group
Applications&Operations
Content
Etc.
 Preserve untrusted issuer
•
•
•
•
•
•
•
User/group
Server certificate category
Request URL Category
Request URL
Option
Src. & dest. IP
Client hostname
Etc.
3
Control
Apps
User
Internet
© Blue Coat Systems, Inc. 2012
SSL
SSL
TCP
TCP
34
SSL Proxy requirements
 SSL license
 Trust between client and ProxySG
1. Roll-out SGs self-signed certificate
2. Integrate ProxySG into an internal CA
 Legal requirements:
• This has to be verified on a per country base. Examples
 Germany: SSL interception has to be conform with data protection laws
(BDSG). To be allowed to intercept SSL, the reasoning has to be, that
the customer would like to prevent possible damage by internet threats
and there must be a concrete risk potential (which here is of course).
SSL scanning must happen in a "black box" without disclosing the
encrypted content. Users have to be informed about SSL interception,
work councils have to be involved.
 Sweden: There are no laws regarding SSL interception in Sweden.
However, it is recommend to inform the user that SSL interception will
occur.
© Blue Coat Systems, Inc. 2012
35
Questions?
 [email protected]
© Blue Coat Systems, Inc. 2012
36
Please provide feedback on
this webcast to:
[email protected]
Webcast replay and
slide deck found here:
https://bto.bluecoat.com/training/custom
er-support-technical-webcasts
(requires BTO login)
Blue Coat Confidential – Internal Use Only