Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling Michael Mauch Worldwide Solution Architect - Security

Page 1

Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling

Michael Mauch, Worldwide Solution Architect - Security

Page 2

© Blue Coat Systems, Inc. 2012

SSL – a refresh

Three functions of SSL for HTTPS
• Authenticate the end points (usually just the server)
• Hide the data during transmission
• Validate that the data arrived unchanged

Steps to an SSL connection setup
1. Hello messages (version, cipher negotiation)
2. Certificate exchange (usually server only)
3. Master secret exchange (from which a session key is calculated)
4. Bulk data transmission (uses the session key for encryption)

What IT needs is full SSL visibility and control

Page 3

SSL Handshake and Agenda

• Server Cert Validation
• Client Cert Authentication
• Control Ciphers
• Web App Controls
• Content Inspection (Malware/DLP)
• Application Performance

Page 4

Server Certificate Validation

Page 5

Why is it important?

In 2011, (at least) 2 Certificate Authorities were hacked: Comodo CA and DigiNotar CA. The attacker was able to issue fraudulent server certificates. This basically breaks the PKI trust model: users do not get any certificate warning …

Requirements
• Detect revoked certificates
• Detect self-signed certificates
• Detect expired certificates
• Detect untrusted issuer
• Detect hostname mismatch

Page 6

Blue Coat Solution

Revocation checking
• Online Certificate Status Protocol (OCSP) – this is real-time!
• Certificate Revocation List (CRL)

Validate
• CA / issuer signature
• Expiry date
• Hostname

SSL termination is not required for certificate validation

Page 7

How to enable OCSP (CPL example)

Step 1: Add an OCSP responder

Step 2: Add a certificate validation policy (CPL)

<ssl>
    client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
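The five checks listed under Requirements on the previous slide, worked through in Go's standard crypto/x509 library against certificates minted in-process. This is an added example, not Blue Coat code and not what the CPL above executes; `issue`, `Validate` and the `revoked` map are assumed names, and `revoked` stands in for the verdict a CRL download or OCSP query would return.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a test cert for cn (validHours < 0 = already expired; parent == nil = self-signed). Assumed demo helper, not Blue Coat code.
func issue(cn string, serial int64, validHours int, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validHours) * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: issuer == subject, signed with its own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate names the first failing check; revoked stands in for a CRL/OCSP verdict, and a self-signed leaf fails as "untrusted issuer" because no trusted CA vouches for it.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, host string, revoked map[string]bool) string {
	if revoked[leaf.SerialNumber.String()] {
		return "revoked"
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	}
	return "invalid"
}
```

The order of the checks mirrors the proxy's position: a revocation answer is consulted first, then expiry and hostname, and only then is the chain built against the trusted roots.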

Page 8

SSL Cipher Controls

Page 9

Why should you care?

Compliance reasons (PCI, etc.)
• There are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI
• Deny weak cipher suites by policy
• Deny older SSL protocol versions by policy

Can be controlled for:
• Connection between client and proxy
• Connection between proxy and server

Page 10

How to control cipher strength (VPM example)

2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium www.google.com "Search Engines/Portals" […]

2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED […] www.google.com […]

Page 11

Client Certificate Authentication

Page 12

Client certificate authentication use cases

Diagram: Department / Customer A, B and C each hold their own X.509 certificate and public/private key pair (name, email address, country, city, address, server URL, key usage, etc.). The SWG forward proxy uses SSL interception towards an OCS that requires a client certificate for authentication; every leg is SSL.

Policy:
Src=A Dst=OCS use client cert A
Src=B Dst=OCS use client cert B
Src=C Dst=OCS use client cert C

Page 13

Use Cases

This feature enables HTTPS interception for an OCS that requires client-certificate-based authentication.

This feature enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy. This allows:
• Selection of certificates based on user and/or group
• Selection of certificates based on destination URL
• Selection of certificates based on all available policy conditions, like server IP, client IP/subnet, etc.

This feature enables administrators to load a large number of client certificates and their corresponding private keys from a file.

Page 14

Why is this needed?

• Content inspection
• Certificate validation
• Logging
• Centralized client certificate management
• Etc.

Page 15

Web Application Controls

Page 16

Why Web Application Controls?

• 240% growth of malicious sites in 2011
• 40% of users infected by malware from social networking sites
• 1 in 14 downloads containing malware
• 700B minutes users worldwide spend on Facebook per month
• 41% of companies have had data loss due to social networking

Page 17

Granular Web Application Controls

Multimedia: Publishing, Sharing

Social Networks: Regulate Operations, Restrict Abuse, Prevent Data Loss

Webmail: Send Email, Download Attachment, Upload Attachment

Safe Search: Major Search Engines, Media Search Engines, Keyword Searches

Page 18

Web Application Control Example: Different Policies for Facebook throughout an Organization

Everyone (Global Policy) – Read Only Policy: no comments, posting, upload/download, games, email, chat, etc.

Marketing (Group Policy) – Limited Use Policy: can comment, post, upload, email and chat; no games, no downloads, etc.

HR/Recruiting (Group Policy) – Expanded Use Policy: can comment, post, upload, download, email, chat, but no games, etc.

CEO, CIO (Individual Policy) – Full Use Policy: no restrictions

Page 19

Web and Mobile Application Controls: over 200 apps/operations supported

• Safe Search: major engines supported, media search engines as well, keyword searches
• Social Networks: regulate operations, restrict abuse
• Multimedia: publishing, sharing
• Web Mail
• And more!

Example operations: Upload Video, Upload Photo, Post Message, Send Email, Download Attachment, Upload Attachment

Page 20

Issue: Web applications are using HTTPS

SSL termination is required for granular web app controls!

Page 21

How to enable app controls (VPM example)

Page 22

How to enable app controls (VPM example)

2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"
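The access-log lines on this slide and on the cipher-control slide are what a SOC actually gets from the proxy, so here is an added example (not Blue Coat code) that parses the 32-field layout of the Facebook line above and runs two detections over it: policy denials with the application/operation recognised after SSL interception, and connections negotiated below "high" cipher strength. The field positions, the names `Event`, `Parse`, `Alerts` and `sampleLines`, the reading of field 28 as the negotiated cipher strength, and the second (permitted, "medium") line are assumptions; the deck does not print its log format.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// sampleLines: the Facebook denial from the slide above, then a constructed permitted request
// (not from the deck) in the same 32-field layout, carrying the "medium" cipher strength the cipher-control slide shows.
var sampleLines = []string{
	`2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"`,
	`2012-08-22 13:17:47 118 192.168.178.100 Michael - - OBSERVED "Search Engines/Portals" 200 TCP_NC_MISS GET text/html https www.google.com 443 /search q=proxy - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 5120 611 - none - none medium www.google.com "Search Engines/Portals" "Google" "Search"`,
}

// Event holds the fields the checks use; positions are assumed from the slide's line (the deck does not print its log format).
type Event struct {
	Date, Time, ClientIP, User, Exception, Method, Scheme, Host, Path, CipherStrength, App, Operation string
}

// Parse splits one space-delimited line, honouring double-quoted fields, and rejects lines that are not 32 fields wide.
func Parse(line string) (Event, error) {
	r := csv.NewReader(strings.NewReader(line))
	r.Comma, r.FieldsPerRecord = ' ', 32
	f, err := r.Read()
	if err != nil {
		return Event{}, err
	}
	return Event{Date: f[0], Time: f[1], ClientIP: f[3], User: f[4], Exception: f[6], Method: f[11], Scheme: f[13],
		Host: f[14], Path: f[16], CipherStrength: f[27], App: f[30], Operation: f[31]}, nil
}

// Alerts flags policy denials (with the app/operation the proxy identified after SSL interception) and below-"high" cipher strength.
func Alerts(lines []string) []string {
	var out []string
	for _, l := range lines {
		e, err := Parse(l)
		if err != nil {
			out = append(out, "unparsable line: "+err.Error())
			continue
		}
		if e.Exception == "policy_denied" {
			out = append(out, fmt.Sprintf("DENIED %s %s %s://%s%s -> %s / %s", e.User, e.Method, e.Scheme, e.Host, e.Path, e.App, e.Operation))
		}
		if e.CipherStrength != "high" {
			out = append(out, fmt.Sprintf("WEAK-CIPHER %s %s negotiated %s strength", e.User, e.Host, e.CipherStrength))
		}
	}
	return out
}
```

Lines that do not match the expected width are reported rather than indexed blindly, which is the usual failure when a custom log format drifts from what the parser assumes.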

Page 23

Content Inspection: Anti-Malware, DLP, etc.

Page 24

Evolving Threat Landscape

• 76% of businesses have BYOD initiatives
• 72 minutes browsing the mobile web
• 240% increase in malicious sites
• 2/3 of all attacks in 2012 will be launched via malnets
• 1 in 16 malicious attacks
• Internet within an Internet
• 15% of enterprise apps by 2015
• Web applications attacked every two minutes

Themes: Malnets; Mobile Devices; SaaS & Cloud-based Applications; Social Networking

Page 25

Inline Threat Detection

Protection Layer Over Desktops
• Second AV engine
• Faster update cycles
• Deep inspection: 99 layers of compression, up to 2GB files
• Users cannot tamper or disable

Latest AV Technology
• Checksum database for known threats
• Behavioral analysis on commands/content
• Emulation of scripts and active content
• Detect and block tunneled applications

No longer optional, required defense layer
• All web traffic including SSL/TLS

Page 26

Malware Scanning / DLP: Co-Processor Architecture

• Improved utilization with M:N ratio
• Higher throughput per gateway
• Results in less hardware
• Optimized design

Diagram: Enterprise Network – ProxySG – Internet, with ProxyAV, ProxyAV and DLP co-processors attached over ICAP, ICAP+, S-ICAP.

Dual Cache Design: Clean Object Cache, Finger Print Cache

Scanning options: Patience Page, Trickle First, Trickle Last, Defer Scan (media)

Page 27

Web Application Performance

Page 28

Dominant Trends in Apps & Networks

• Cloud-Delivered Applications
• Next-generation Networks
• IPv6
• Virtualization & IT Consolidation
• Internet
• Streaming Video
• HTML5

Page 29

Cloud Infrastructure as-a-Service (IaaS)

Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization

Requirements
• Asymmetric Cloud Caching
• Symmetric Cloud or DC (Virtual) Appliance
• Internal & External SSL Decryption

Diagram: Internet – WAN – Branch Office (6MB); Data Center (Cloud M5 VA, 6MB); Cloud SaaS. The Cloud Caching Engine handles SSL files & objects, HTTP files & objects, HTML5, Silverlight, Flash RTMP, Apple images and RTSP, in asymmetric (branch to cloud) and symmetric (branch to data center) deployments.

Blue Coat Branch to Cloud and internal HTTPS Optimization
• Speed Cloud-delivered Apps 5-93X
• Low TCO with Single Box Solution
• Accelerate Internet & Web Applications

Page 30

Cloud-Delivered Microsoft SharePoint: One-Armed "Cloud Caching"

Chart data (time per document, axis 0–120; unit not stated on the slide), Baseline vs. BCSI Warm:

File         Baseline   BCSI Warm
250k.doc     3.0        1.0
1340k.doc    22.0       1.0
7108k.doc    121.3      1.3
1100k.xls    17.0       1.0
500k.xls     6.3        1.0
250k.ppt     3.0        1.0
500k.ppt     13.0       1.0
3500k.ppt    58.0       1.2

Chart annotations: Blue Coat 22x faster; per-file speed-ups called out as 93x, 17x, 13x and 47x.

Page 31

Summary and Q&A

Page 32

SSL Option 1: Passthrough

• Applications passed through
• No cache
• Visibility and context of: network-level information; user/group; applications (very limited)

Diagram (Option 1): User – TCP – SSL – Internet / Apps; control point at TCP level

Page 33

SSL Option 2: Check, then Pass

• Certificate validation
• No cache
• Visibility and context of: network-level information; certificates & certificate categories; user/group; applications (very limited)
• Can warn user and remind of AUP

Diagram (Option 2): User – TCP – SSL – Internet / Apps; control point at TCP level

Page 34

SSL Option 3: Full SSL Proxy

Intercept SSL based on:
• User/group
• Server certificate category
• Request URL category
• Request URL
• Src. & dest. IP
• Client hostname
• Etc.

• Full caching and logging options
• Visibility and context of: network-level information; certificates & certificate categories; user/group; applications & operations; content; etc.
• Preserve untrusted issuer

Diagram (Option 3): User – TCP – SSL – Control – SSL – TCP – Internet / Apps; the proxy terminates both SSL sessions

Page 35

SSL Proxy requirements

SSL license

Trust between client and ProxySG:
1. Roll out the SG's self-signed certificate
2. Integrate ProxySG into an internal CA

Legal requirements:
• This has to be verified on a per-country basis. Examples:

Germany: SSL interception has to conform with data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer wants to prevent possible damage from internet threats, and there must be a concrete risk potential (which is of course the case here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.

Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.

Page 36

Questions?

[email protected]

Page 37

Blue Coat Confidential – Internal Use Only

Please provide feedback on this webcast to:

[email protected]

Webcast replay and slide deck found here:

https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)

Page 38