
MANAGING SSL ON PROXYSG

Thank you for joining today's Blue Coat Customer Support Technical Webcast!

The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join.
You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers.
Audio broadcast will only go live when the Webcast begins; there will be silence until then.
The Presentation will run approximately 60 minutes.
There will be a 30-minute Q/A session thereafter.

Please submit questions using the Webex Q/A feature!


Copyright 2013 Blue Coat Systems Inc. All Rights Reserved.

AGENDA
Overview
PKI - How trust and certificates work
Tunneling vs Interception
SSL Decryption Best Practices
Configuration Steps


OVERVIEW

Secure Sockets Layer (SSL) provides an encrypted tunnel through which other protocols can pass
SSL uses public-key cryptography and a public key infrastructure (PKI)
HTTPS is HTTP over SSL
HTTPS traffic exposes enterprises to potential risks
  Traffic is encrypted between client and server, so content remains undetected by network devices


WHY INTERCEPT SSL TRAFFIC

Malware scanning (ProxyAV, CAS, MAA)
Data loss protection (DLP)
Visibility (Analytics and Reporting)
Content inspection (BCWF, HTTP Header/Payload)
Check/Enforce SSL parameters (Cipher and Version)
Decrypted content can be cached
Non-HTTPS traffic can be detected and blocked or tunneled


LEGAL AND SECURITY CONSIDERATIONS

You are responsible for ensuring that your organization's use of the SSL proxy complies with all relevant laws and organization policies.

Know the laws for all locations where you do business
  Decryption and/or logging of SSL traffic might be prohibited
  Notification and consent by users might be required (this can be configured on the ProxySG)


SSL HANDSHAKE


HTTPS IN EXPLICIT MODE (EXPLICIT CONNECT REQUEST)

[Diagram: a client with an explicit proxy configured (1.1.1.1:8080) sends "CONNECT https://www.happycatco.com:443 http/1.1" to the proxy on port 8080; the proxy completes a TCP handshake with the server on port 443 and answers the client with "200 CONNECT Established"]


CERTIFICATE AUTHORITY


CERTIFICATE VALIDATION

Common Name matches what was typed into the browser exactly
Certificate is valid per the dates in the certificate
  Compares to system clock
Certificate chains to a trusted Certificate Authority



TUNNELING VS INTERCEPTION


EXPLICIT VS. TRANSPARENT PROXY


SSL PROXY TRAFFIC OPTIONS


MESSAGE FLOW

ProxySG emulates server certificates
ProxySG functions as both SSL client and SSL server
To avoid browser security warnings, the client must be configured to recognize the ProxySG certificate


SSL PROXY FUNCTIONS

Function                                          SSL Tunneling   SSL Interception
Validate server certificates                      Yes             Yes
Check SSL parameters such as cipher and version   Yes             Yes
Log information about the HTTPS connection        Yes             Yes
Cache HTTPS content                               No              Yes
Apply HTTP-based user authentication              No              Yes
Perform malware scanning and content filtering    No              Yes
Apply granular ProxySG policy                     No              Yes

SSL Proxy tunnels HTTPS traffic by default unless there is an exception (such as a certificate error or a policy denial)
On an exception, ProxySG sends an error page to the user

INTERCEPT ON EXCEPTION

Recent browser versions do not interpret HTML code if the SSL handshake is not properly completed
  The browser's default error page will be displayed
  The user is not aware of the reason for the block

Starting from 6.2.10.x, intercept on exceptions is enabled by default:
  ProxySG intercepts only failed sessions in order to display a proper error message to the end user
  Requires SSL Proxy to be configured in order to avoid security warnings to end users


HTTPS PROXY (POLICY ACTIONS)

[Diagram: client SSL on port 443 -> ProxySG -> server SSL on port 443. The server certificate goes through the 3 HTTPS security checks, then policy chooses one of: Tunnel (do not intercept), where the server certificate is passed to the client unmodified and the traffic is tunneled; Decrypt/Deny, where the client receives an emulated certificate (SG cert); or Deny (no intercept), where the ProxySG closes the connection with a TCP FIN and the browser shows "Page cannot be displayed"]


LOGGING FACILITIES

ProxySG logs SSL information in different logfiles

In the SSL access log for connection details (IP, certificate FQDN, timestamps):
2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - medium *.google.fr "unlicensed"

In the Main access log only if SSL traffic is intercepted. This includes applicative data (URLs, content-type, user-agent):
2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 /++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" 10.80.12.33 6513 375 - "unlicensed" "unlicensed"

Configured in Configuration -> Access Logging -> General
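As an added example (not part of the deck or of SGOS), a small Python parser over the two log lines above that separates tunneled from intercepted HTTPS sessions. It assumes only that the cs-uri-scheme, cs-host and cs-uri-port fields appear in that order and that an "ssl" scheme marks a tunneled session; the sample lines are constructed from the deck's entries.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the two entries in the deck: an "ssl" access
# log entry (tunneled session) and a "main" access log entry (intercepted session).
# The field order is assumed from the samples, not taken from a log format string.
SSL_LOG_LINE = (
    '2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 '
    'TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - '
    'medium *.google.fr "unlicensed"'
)
MAIN_LOG_LINE = (
    '2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" '
    'https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 '
    '/++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" '
    '10.80.12.33 6513 375 - "unlicensed" "unlicensed"'
)

SCHEMES = {"ssl", "https", "http"}                   # cs-uri-scheme values
ACTION_RE = re.compile(r"^(TUNNELED|TCP_[A-Z_]+)$")  # s-action values

@dataclass
class SslSession:
    timestamp: str
    client_ip: str
    scheme: str
    host: str
    port: int
    path: Optional[str]   # application data, only logged when intercepted
    action: str
    intercepted: bool

def parse_line(line: str) -> SslSession:
    fields = shlex.split(line)   # keeps quoted fields such as the user agent whole
    idx = next(i for i, f in enumerate(fields) if f in SCHEMES)
    scheme, host, port = fields[idx], fields[idx + 1], int(fields[idx + 2])
    path = fields[idx + 3] if scheme != "ssl" and fields[idx + 3] != "-" else None
    action = next(f for f in fields if ACTION_RE.match(f))
    return SslSession(timestamp=f"{fields[0]} {fields[1]}", client_ip=fields[3],
                      scheme=scheme, host=host, port=port, path=path, action=action,
                      intercepted=scheme != "ssl")  # assumption: "ssl" scheme = tunneled

def summarize(lines: List[str]) -> Dict[str, int]:
    # Tunneled vs intercepted count: the split to check after enabling an SSL Intercept rule.
    sessions = [parse_line(l) for l in lines]
    n = sum(s.intercepted for s in sessions)
    return {"intercepted": n, "tunneled": len(sessions) - n}
```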


SSL DECRYPTION BEST PRACTICES


SSL DECRYPTION METHODOLOGY

A proper workflow MUST be in place beforehand:
  Need to make sure ProxySG can be trusted by end users' browsers
  Need to identify SSL-based applications that are not HTTP-based, to prevent denied access (handled through a whitelist)
  Need to identify interception scope (all traffic or specific categories)
  Need to build a privacy policy
  Need to define a server certificate validation strategy (OCSP)
  (Optional): TAP SSL decrypted data

Caveats:
  Country-specific legal policies may prevent use of SSL decryption without user notification
  SSL traffic is often considered by law as private/confidential traffic for end users


PROXYSG MUST BE TRUSTED BY BROWSERS

Only the certificate signature may trigger a warning
  The rest of the certificate is copied from the original one

Internal PKI can issue an Intermediate CA certificate
  Will be imported on a ProxySG (as a keyring) and used to sign emulated certificates (different from a server cert.)
  Import the Root CA as well (in the trusted CA store)

In case there's no PKI available:
  Use the existing cert. from the ProxySG (or generate a new one)
  Browsers will have to install it in the Certificate Authority store

Active Directory (GPO) can automate certificate distribution


CAREFULLY IDENTIFY APPLICATIONS SCOPE

SSL-encrypted applications that are not HTTP-based will be denied (Webex, Skype are good examples)
  SSL Interception will block access to applications in case the app is not HTTP-based
  Stunnel Interception will allow the application to go through without being blocked

If a client certificate is requested during the SSL handshake, it will break SSL Interception
  Use a whitelist to exempt SSL interception for regular applications
  Use a keylist to store client certificates directly on the ProxySG (requires SGOS 6.3.x and later) so that ProxySG knows which user maps to which certificate

Be sure to identify all of them before decrypting SSL sessions (at least the critical ones):
  Management can be done through a whitelist
  These applications won't be decrypted
  Consider testing Intranet applications in case they are accessed through proxies


IDENTIFY INTERNET INTERCEPTION SCOPE

SSL decryption can be done through categories
  Server Certificate Category is the best trigger
Work with Human Resources and Legal departments
Categories that should not be intercepted:
  Financial Services
  Health


CERTIFICATE VALIDATION STRATEGY

Errors in certificates (server-side, if tolerated) are not propagated to client browsers by default:
  Needs SGOS 6.3.x or later (Preserve untrusted issuer). SSL Proxy allows you to choose an Untrusted Issuer Keyring to reflect certificate errors

Consider certificate validation for Intranet applications (if proxied)
  Some of them may use self-signed certificates

Recommended strategy for the Internet is:
  Don't tolerate certificate errors (except for trusted apps)
  Configure OCSP to check for revocation

TAP ENCRYPTED DATA

Requires Encrypted TAP license
  SGOS 6.5.1.x allows tapping SSL-based traffic (through Stunnel Proxy)
  SGOS 6.5.2.x allows tapping SSL-based traffic (including SSL Proxy)

The TAP output is pseudo TCP and cannot be routed
  Can only be configured to tap client-side SSL traffic (bidirectional)
  Tapped (decrypted) SSL data is sent to a dedicated interface and can be consumed by network forensics tools such as Security Analytics Platform (or IPS)
  VPM/CPL SSL Access layers allow you to decide which traffic to TAP

CONFIGURATION STEPS


IMPORT CERTIFICATE AUTHORITIES

In Management Console, Configuration -> SSL -> CA Certificates:
  Import the Root Certificate of your PKI solution
  Import the certificate chain (if applicable) in case multiple Intermediate CAs are used
  Import the ProxySG subordinate CA (the one you have generated to delegate signature of emulated certificates)


CONFIGURE SSL PROXY

In Management Console, Configuration -> Proxy Settings -> SSL Proxy:
  Choose the default Certificate Authority the SG will use to sign the emulated certificates (the one you have just imported)
  Choose the Server Certificate List that ProxySG will use to validate server certificates (browser-trusted)
  Tick "Preserve untrusted certificate issuer" in case you need to propagate certificate errors towards end users


PROXY SERVICES CONFIGURATION

Explicit environments
  Set the Explicit HTTP service to Intercept
  Edit the Explicit Proxy Service and check "detect protocol" (global)
    HTTP Proxy will detect the CONNECT request
    Detected sessions will be passed to the SSL Proxy for processing
    VPM/CPL allows for selective protocol detection

Transparent environments
  Set the HTTPS service to Intercept
  Every application which doesn't respect SSL standards will be blocked


CREATE SSL INTERCEPTION RULES

In VPM, use the SSL Intercept Layer to define interception policies
  The interception action lets you choose the keyring used to sign emulated server certificates

Enable HTTPS Interception: SSL decryption will be performed. Non-HTTPS applications will be blocked
Enable HTTPS Interception on exception: allows the ProxySG to intercept the SSL session to present an exception message to the end user
Enable STunnel Interception: SSL decryption will be performed. The application layer won't be inspected (no application logs). Allows non-HTTPS applications to go through the proxy. Decrypted traffic can be optimized (MACH5) and TAPed in clear text.
Enable SSL Interception with automatic protocol detection: HTTPS-based applications will be handed off to the SSL Proxy, others will be handled by the Stunnel Proxy

CREATE OCSP RESPONDER

Give it a name
Issuer CCL: the issuer CCL attribute allows the administrator to specify the certificate authorities (issuers) for which the responder in question is the designated responder
Response CCL: this attribute is used during verification of OCSP responses
Specific errors can be ignored

CREATE SERVER CERTIFICATE VALIDATION RULES

In VPM, use the SSL Access Layer to define certificate validation rules
Server certificate validation can be enabled or disabled with specific triggers
Rules can ignore specific information (hostname mismatch, expiration date and/or certificate issuer)
OCSP revocation check can be performed (recommended) by using the responder created in the last slide
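The three checks from the CERTIFICATE VALIDATION slide, combined with the ignore options of the SSL Access layer rule above, as an added Python illustration that is not ProxySG code. The PKI names and dates are constructed; signature verification is left out, and the hostname rule goes slightly beyond the slide's "exact match" by also accepting a single leftmost-label wildcard like the *.google.fr certificate in the log sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Cert:
    subject: str      # common name, e.g. "www.example.test" or "*.example.test"
    issuer: str
    not_before: date
    not_after: date

# Constructed sample PKI: trusted root, issuing CA, wildcard cert, self-signed intranet cert.
TRUSTED_ROOTS = {"Example Root CA"}
INTERMEDIATES = {"Example Issuing CA": Cert("Example Issuing CA", "Example Root CA",
                                            date(2010, 1, 1), date(2020, 1, 1))}
WILDCARD = Cert("*.google.fr", "Example Issuing CA", date(2013, 1, 1), date(2015, 1, 1))
SELF_SIGNED = Cert("intranet.corp.test", "intranet.corp.test", date(2013, 1, 1), date(2023, 1, 1))
NOW = date(2014, 1, 21)   # the "system clock" the certificate dates are compared against

def hostname_matches(cn: str, host: str) -> bool:
    # Exact match, or one leftmost-label wildcard (*.google.fr covers www.google.fr only).
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        h, p = host.split("."), cn.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return False

def chains_to_trusted(cert: Cert, intermediates: Dict[str, Cert], roots: Set[str]) -> bool:
    # Walk issuer names up to a trusted root (simplification: signatures are not verified here).
    seen, cur = set(), cert
    while cur.issuer not in roots:
        if cur.issuer in seen or cur.issuer not in intermediates:
            return False          # self-signed, unknown issuer, or a loop
        seen.add(cur.issuer)
        cur = intermediates[cur.issuer]
    return True

def validate(cert: Cert, host: str, now: date, ignore: FrozenSet[str] = frozenset()) -> List[str]:
    # Errors that still stop the session; names in `ignore` mirror the SSL
    # Access layer options: hostname_mismatch, expiration, untrusted_issuer.
    errors = []
    if not hostname_matches(cert.subject, host):
        errors.append("hostname_mismatch")
    if not cert.not_before <= now <= cert.not_after:
        errors.append("expiration")
    if not chains_to_trusted(cert, INTERMEDIATES, TRUSTED_ROOTS):
        errors.append("untrusted_issuer")
    return [e for e in errors if e not in ignore]
```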


VERIFY SSL INTERCEPTION

Go to an HTTPS website for which SSL interception has been configured
Have a look at the SSL certificate presented for the website to confirm that SSL interception is taking place


BLUE COAT CUSTOMER FORUMS

Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
Research, post and reply to topics relevant to you at your own convenience
Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
Access at forums.bluecoat.com and register for an account today!

THANK YOU FOR JOINING TODAY!

Please provide feedback on this webcast and suggestions for future webcasts to:
john.dyer@bluecoat.com

Webcast replay and slide deck found here:
https://bto.bluecoat.com/training/customer-support-technical-webcasts


Q&A

Questions?
