Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch, Worldwide Solution Architect - Security

SSL – a refresh

Three functions of SSL for HTTPS
• Authenticate the end points (usually just the server)
• Hide the data during transmission
• Validate that the data arrived unchanged

Steps to an SSL connection setup
1. Hello messages (version, cipher negotiation)
2. Certificate exchange (usually server only)
3. Master secret exchange (from which a session key is calculated)
4. Bulk data transmission (uses the session key for encryption)

What IT needs is full SSL visibility and control.

© Blue Coat Systems, Inc. 2012

SSL Handshake and Agenda
The agenda items, mapped onto the handshake steps above:
• Server Cert Validation
• Client Cert Authentication
• Control Ciphers
• Web App Controls
• Content Inspection (Malware/DLP)
• Application Performance

Server Certificate Validation

Why is it important?
In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA. The attacker was able to issue fraudulent server certificates. This basically breaks the PKI trust model: users do not get any certificate warning.

Requirements
• Detect revoked certificates
• Detect self-signed certificates
• Detect expired certificates
• Detect untrusted issuer
• Detect hostname mismatch

Blue Coat Solution
Revocation checking
• Online Certificate Status Protocol (OCSP) – this is real-time!
• Certificate Revocation List (CRL)
Validate
• CA / issuer signature
• Expiry date
• Hostname
SSL termination is not required for certificate validation.

How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy

<ssl>
    client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)

SSL Cipher Controls
Why should you care?
• Compliance reasons (PCI, etc.)
• There are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI
• Deny weak cipher suites by policy
• Deny older SSL protocol versions by policy
Can be controlled for:
• Connection between client and proxy
• Connection between proxy and server

How to control cipher strength (VPM example)
Access log entries (abbreviated on the slide):

2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium www.google.com "Search Engines/Portals" […]
2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED […] www.google.com […]

Client Certificate Authentication

Client certificate authentication use cases
X.509 certificates (public / private key pairs) carry attributes such as name, email address, country, city, address, server URL and key usage. Each department / customer (A, B, C) holds its own client certificate. The origin content server (OCS) requires a client certificate for authentication; the SWG forward proxy, using SSL interception, presents the matching certificate over its own SSL connection to the OCS.
Policy:
• Src=A Dst=OCS use client cert A
• Src=B Dst=OCS use client cert B
• Src=C Dst=OCS use client cert C

Use Cases
This feature enables HTTPS interception for an OCS that requires client certificate based authentication. It enables the ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy.
This feature allows
• Selection of certificates based on user and/or group
• Selection of certificates based on destination URL
• Selection of certificates based on all available policy conditions like server IP, client IP / subnet, etc.
This feature enables administrators to load a large number of client certificates and their corresponding private keys from a file.

Why is this needed?
• Content inspection
• Certificate validation
• Logging
• Centralized client certificate management
• Etc.
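The five detection requirements on the Server Certificate Validation slide, worked through as an added Python example (editor-written code, not Blue Coat's or the ProxySG implementation). It operates on the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, so the sample certificate SAMPLE_CERT, the trusted-issuer set TRUSTED and the fixed timestamp MID_2012 are constructed here; the revocation result is passed in as a parameter because a real OCSP or CRL lookup needs the network, and the self-signed check compares subject and issuer names rather than verifying the signature.

```python
"""Certificate policy checks modelled on the five requirements in the deck.

Added example, not Blue Coat code. It works on the dict layout that
ssl.SSLSocket.getpeercert() returns, so a constructed certificate can be
checked offline. Revocation (OCSP/CRL) needs a network lookup, so its
result is passed in as a parameter.
"""
import ssl
import time


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a single '*' as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard only as the entire leftmost label, and it never spans a dot
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _names_for(field):
    """Flatten getpeercert()'s nested RDN tuples into an {attribute: value} dict."""
    return {attr: value for rdn in field for attr, value in rdn}


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Use subjectAltName DNS entries; fall back to the subject CN only when no SAN exists."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_dns_match(name, hostname) for name in san)
    cn = _names_for(cert.get("subject", ())).get("commonName")
    return bool(cn) and _dns_match(cn, hostname)


def check_certificate(cert, hostname, trusted_issuers, now=None, revoked=None):
    """Return a list of policy findings; an empty list means the certificate passed.

    trusted_issuers: set of issuer commonNames the proxy trusts (stand-in for a CA list)
    now: epoch seconds (defaults to the current time)
    revoked: True/False from an OCSP or CRL lookup, None if the lookup failed
    """
    findings = []
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not_yet_valid")
    if now > not_after:
        findings.append("expired")
    subject, issuer = _names_for(cert["subject"]), _names_for(cert["issuer"])
    if subject == issuer:
        findings.append("self_signed")  # a real implementation verifies the signature too
    if issuer.get("commonName") not in trusted_issuers:
        findings.append("untrusted_issuer")
    if not hostname_matches(cert, hostname):
        findings.append("hostname_mismatch")
    if revoked is True:
        findings.append("revoked")
    elif revoked is None:
        findings.append("revocation_unknown")  # OCSP/CRL unavailable: decide per policy
    return findings


# Constructed sample certificate in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan 01 00:00:00 2012 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
TRUSTED = {"Example Internal CA"}  # constructed trust list
MID_2012 = ssl.cert_time_to_seconds("Aug 22 13:17:47 2012 GMT")  # fixed "now" for the demo


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "www.example.com", TRUSTED, MID_2012, revoked=False))
    print(check_certificate(SAMPLE_CERT, "a.b.example.com", TRUSTED, MID_2012 + 10**8, revoked=True))
```

The findings list is deliberately not collapsed into a single pass/fail: a proxy policy typically treats an expired certificate, an unknown revocation status and an untrusted issuer differently (warn, block, or allow for a whitelisted host), which is the per-condition control the deck's later "Check, then Pass" option relies on.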
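The cipher-control slides state two rules, deny weak cipher suites and deny older SSL versions, enforceable on either leg of the connection. The added example below (editor-written, not ProxySG policy or a VPM export) expresses the same two rules for a Python ssl context and audits a list of suites against them; the policy constants, the function names and the LEGACY_OFFER list are constructed for the example.

```python
"""Cipher and protocol policy for a TLS endpoint, plus an audit of what it would negotiate.

Added example, not Blue Coat policy. It uses Python's ssl module to express
the two rules from the deck (deny weak cipher suites, deny old protocol
versions). The same context could be applied on either leg: client-to-proxy
or proxy-to-server.
"""
import ssl

# Policy constants (assumed for this example): TLS 1.2+ and AEAD suites only.
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_STRENGTH_BITS = 128
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def compliant_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Build a context that refuses SSL 2.0/3.0, TLS 1.0/1.1 and non-AEAD suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = MIN_PROTOCOL   # deny older protocol versions
    ctx.set_ciphers(CIPHER_STRING)       # deny weak cipher suites
    return ctx


def audit_ciphers(ciphers):
    """Return [(name, reason), ...] for every suite that violates the policy.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output
    (keys 'name', 'protocol', 'strength_bits').
    """
    findings = []
    for c in ciphers:
        if c["protocol"] not in ALLOWED_PROTOCOLS:
            findings.append((c["name"], f"protocol {c['protocol']} not allowed"))
        elif c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append((c["name"], f"only {c['strength_bits']}-bit"))
        elif any(weak in c["name"] for weak in ("RC4", "DES", "MD5", "NULL")):
            findings.append((c["name"], "weak algorithm"))
    return findings


# Constructed list of suites a permissive legacy configuration might still offer
# (not output from a real proxy).
LEGACY_OFFER = [
    {"name": "RC4-MD5", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "TLSv1", "strength_bits": 112},
    {"name": "AES128-SHA", "protocol": "TLSv1", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
]


def compliant_context_is_clean() -> bool:
    """True when nothing the hardened context can negotiate violates the policy."""
    ctx = compliant_context()
    return ctx.minimum_version == MIN_PROTOCOL and audit_ciphers(ctx.get_ciphers()) == []


if __name__ == "__main__":
    for name, reason in audit_ciphers(LEGACY_OFFER):
        print(f"deny {name}: {reason}")
    print("hardened context clean:", compliant_context_is_clean())
```

The audit checks the protocol first because that is the cheaper and more decisive rule: a 128-bit suite is still non-compliant if the only version it can be negotiated under is SSL 3.0 or TLS 1.0, which is exactly the PCI point the slide makes about SSL 2.0.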
Web Application Controls

Why Web Application Controls?
• 240% growth of malicious sites in 2011
• 40% of users infected by malware from social networking sites
• 1 in 14 downloads containing malware
• 700B minutes users worldwide spend on Facebook per month
• 41% of companies have had data loss due to social networking

Granular Web Application Controls
• Safe Search: major search engines, media search engines, keyword searches
• Social Networks: regulate operations, restrict abuse, prevent data loss
• Webmail: send email, download attachment, upload attachment
• Multimedia: publishing, sharing

Web Application Control Example – Different Policies for Facebook throughout an Organization
• Read Only Policy (global policy, everyone): no comments, posting, upload/download, games, email, chat, etc.
• Limited Use Policy (group policy, Marketing): can comment, post, upload, email and chat; no games, no downloads, etc.
• Expanded Use Policy (group policy, HR/Recruiting): can comment, post, upload, download, email, chat, but no games, etc.
• Full Use Policy (individual policy, CEO, CIO): no restrictions

Web and Mobile Application Controls
Over 200 apps/operations supported
• Safe Search: major engines supported, media search engines as well, keyword searches
• Social Networks: regulate operations, restrict abuse
• Multimedia: publishing, sharing
• Web Mail
• And more!
Example operations: upload video, upload photo, post message, send email, download attachment, upload attachment

Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!

How to enable app controls (VPM example)
(VPM policy screenshot)
How to enable app controls (VPM example) – resulting access log entry:

2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"

Content Inspection – Anti-Malware, DLP, etc.

Evolving Threat Landscape
Four drivers: social networking, malnets (an Internet within an Internet), mobile devices, SaaS & cloud-based applications.
• 240% increase in malicious sites
• 1 in 16 malicious attacks
• 2/3 of all attacks in 2012 will be launched via malnets
• 15% of enterprise apps by 2015
• 76% of businesses have BYOD initiatives
• Web applications attacked every two minutes
• 72 minutes browsing the mobile web

Inline Threat Detection
Protection layer over desktops
• Second AV engine
• Faster update cycles
• Deep inspection: 99 layers of compression, up to 2GB files
• Users cannot tamper or disable
Latest AV technology
• Checksum database for known threats
• Behavioral analysis on commands/content
• Emulation of scripts and active content
• Detect and block tunneled applications
No longer optional, required defense layer
• All web traffic including SSL/TLS

Malware Scanning / DLP: Co-Processor Architecture
• Improved utilization with M:N ratio
• Higher throughput per gateway
• Results in less hardware
• Optimized design
Architecture: the ProxySG in the enterprise network hands objects to one or more ProxyAV appliances and to DLP via ICAP, ICAP+ or S-ICAP before they reach the Internet-facing path.
Dual cache design: clean object cache, fingerprint cache
User-experience options:
• Patience page
• Trickle first
• Trickle last
• Defer scan (media)

Web Application Performance

Dominant Trends in Apps & Networks
• Virtualization & IT consolidation
• Streaming video
• Cloud-delivered applications
• Next-generation networks

Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
Diagram: Branch Office – Symmetric WAN (Blue Coat) – Data Center and Cloud Infrastructure-as-a-Service (IaaS, M5 VA) – Internet – Cloud SaaS. The Cloud Caching Engine handles Flash RTMP, Silverlight, HTML5, RTSP and Apple HTTP streaming, files & objects, SSL files & objects and images (6MB objects shown).
Branch to Cloud and internal HTTPS Optimization
Requirements
• Speed cloud-delivered apps 5-93X (asymmetric cloud caching)
• Low TCO with single box solution
• Symmetric cloud or DC (virtual) appliance
• Accelerate Internet & web applications
• Internal & external SSL decryption

Cloud-Delivered Microsoft SharePoint – One-Armed "Cloud Caching"
Chart values as read off the slide (axis 0–120, units not stated); headline: Blue Coat 22x faster.

File        Baseline  BCSI Warm  Speed-up
250k.doc      3.0       1.0
1340k.doc    22.0       1.0        22x
7108k.doc   121.3       1.3        93x
1100k.xls    17.0       1.0        17x
500k.xls      6.3       1.0
250k.ppt      3.0       1.0
500k.ppt     13.0       1.0        13x
3500k.ppt    58.0       1.2        47x

Summary and Q&A

SSL Option 1: Passthrough
• Applications passed through
• No cache
• Visibility and context of: network-level information; user/group; applications (very limited)

SSL Option 2: Check, then Pass
• Certificate validation
• No cache
• Visibility and context of: network-level information; certificates & certificate categories; user/group; applications (very limited)
• Can warn user and remind of AUP

SSL Option 3: Full SSL Proxy
• Full caching and logging options
• Visibility and context of: network-level information; certificates & certificate categories; user/group; applications & operations; content; etc.
• Preserve untrusted issuer
Intercept SSL based on:
• User/group
• Server certificate category
• Request URL category
• Request URL
• Src. & dest. IP
• Client hostname
• Etc.
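Option 3's "full logging" and its visibility into applications and operations are what the access log entries earlier in the deck show. As an added example (editor-written, not a Blue Coat tool), the parser below reads such entries and pulls out the policy decisions a defender would report on: the first sample line is the complete Facebook entry from the app-control slide, the other two are constructed in the same layout. The field names are an assumption: the first 24 follow the default ELFF main format with cs(Referer) omitted, and the eight trailing names (certificate status, cipher strength, application and operation) are guesses for the custom fields visible on the slides, as is the low < medium < high ordering of the cipher-strength values.

```python
"""Parse ProxySG-style access log lines and summarise the SSL and app-control decisions.

Added example, not a Blue Coat tool. The field layout below is assumed: the
first 24 names follow the default ELFF "main" format minus cs(Referer), and
the eight trailing names are guesses for the custom fields seen on the slides.
"""
import shlex
from collections import Counter

FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "sc-status", "s-action",
    "cs-method", "rs(Content-Type)", "cs-uri-scheme", "cs-host", "cs-uri-port",
    "cs-uri-path", "cs-uri-query", "cs-uri-extension", "cs(User-Agent)", "s-ip",
    "sc-bytes", "cs-bytes", "x-virus-id",
    # assumed names for the custom trailing fields
    "cert-validate-status", "cert-observed-errors", "ocsp-status", "cipher-strength",
    "server-hostname", "app-category", "app-name", "app-operation",
]

# First line is the complete entry from the deck; the other two are constructed
# to the same layout (the slide only showed abbreviated versions of them).
SAMPLE_LOG = """\
2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"
2012-08-22 13:17:47 118 192.168.178.100 Michael - - OBSERVED "Search Engines/Portals" 200 TCP_NC_MISS GET text/html https www.google.com 443 / - - "Mozilla/5.0" 192.168.178.223 5120 700 - none - none medium www.google.com "Search Engines/Portals" - -
2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED "Search Engines/Portals" 403 TCP_DENIED GET - https www.google.com 443 / - - "Mozilla/5.0" 192.168.178.223 1200 600 - none - none low www.google.com "Search Engines/Portals" - -
"""


def parse_line(line: str) -> dict:
    """Split one space-separated, double-quoted ELFF line into a field dict ('-' means empty)."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    return {name: (None if tok == "-" else tok) for name, tok in zip(FIELDS, tokens)}


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log file body."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def denied_operations(entries) -> Counter:
    """Map (app name, operation) -> count for transactions blocked by policy."""
    return Counter(
        (e["app-name"], e["app-operation"])
        for e in entries
        if e["sc-filter-result"] == "DENIED" and e["x-exception-id"] == "policy_denied"
    )


def below_cipher_strength(entries, minimum="high") -> list:
    """Hosts whose negotiated cipher strength is below the minimum (assumed order low < medium < high)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({
        e["server-hostname"]
        for e in entries
        if e["cipher-strength"] in rank and rank[e["cipher-strength"]] < rank[minimum]
    })


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(denied_operations(entries))
    print(below_cipher_strength(entries))
```

Because the proxy terminates SSL in Option 3, the log carries the URL path, the application operation and the negotiated cipher strength for HTTPS requests; in Options 1 and 2 those fields would stay empty, which is a quick way to verify from the logs which mode a given destination is actually handled in.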
SSL Proxy requirements
• SSL license
• Trust between client and ProxySG:
  1. Roll out the SG's self-signed certificate
  2. Integrate the ProxySG into an internal CA
Legal requirements:
• This has to be verified on a per-country basis. Examples:
Germany: SSL interception has to conform with data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer wants to prevent possible damage from Internet threats, and there must be a concrete risk potential (which of course exists here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception; works councils have to be involved.
Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.

Questions?
michael.mauch@bluecoat.com

Please provide feedback on this webcast to: supportnewsletter@bluecoat.com
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)

Blue Coat Confidential – Internal Use Only