
MANAGING SSL ON PROXYSG

 Thank you for joining today’s Blue Coat Customer Support Technical Webcast!
• The Webcast will begin just a minute or so after the top of the hour to allow today’s very large audience sufficient time to join
• You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
• Audio broadcast will only go live when the Webcast begins – there will be silence until then
• The Presentation will run approximately 60 minutes
• There will be a 30-minute Q/A session thereafter

 Please submit questions using the Webex Q/A feature!


Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 1
AGENDA

 Overview
 PKI - How trust and certificates work
 Tunneling vs Interception
 SSL Decryption Best Practices
 Configuration Steps



OVERVIEW

 Secure Sockets Layer (SSL) provides an encrypted tunnel through which other protocols can pass
 SSL uses public-key cryptography (PKI)
 HTTPS is HTTP over SSL
 HTTPS traffic exposes enterprises to potential risks
 Traffic is encrypted between client and server, so content remains undetected by network devices



WHY INTERCEPT SSL TRAFFIC

 Malware scanning (ProxyAV, CAS, MAA)
 Data loss protection (DLP)
 Visibility (Analytics and Reporting)
 Content inspection (BCWF, HTTP Header/Payload)
 Check/Enforce SSL parameters (Cipher and Version)
 Decrypted content can be cached
 Non-HTTPS traffic can be detected and blocked or tunneled



LEGAL AND SECURITY CONSIDERATIONS

You are responsible for ensuring that your organization’s use of the SSL proxy complies with all relevant laws and organization policies.

 Know the laws for all locations where you do business
• Decryption and/or logging of SSL traffic might be prohibited
• Notification and consent by users might be required (this can be configured on the ProxySG)



SSL HANDSHAKE



HTTPS IN EXPLICIT MODE
(EXPLICIT CONNECT REQUEST)

[Diagram: client with an explicit proxy configured at 1.1.1.1:8080]

Client -> ProxySG (port 8080): CONNECT https://www.happycatco.com:443 http/1.1
ProxySG -> Server: TCP Handshake :443
ProxySG -> Client: 200 CONNECT Established



CERTIFICATE AUTHORITY



CERTIFICATE VALIDATION

 Common Name matches what was typed into the browser exactly
 Certificate is valid per the dates in the certificate (compared to the system clock)
 Certificate chains to a trusted Certificate Authority



TUNNELING VS INTERCEPTION



EXPLICIT VS. TRANSPARENT PROXY



SSL PROXY TRAFFIC OPTIONS



MESSAGE FLOW

 ProxySG emulates server certificates
 ProxySG functions as both SSL client and SSL server
 To avoid browser security warnings, client must be configured to recognize ProxySG certificate



SSL PROXY FUNCTIONS

Function                                          SSL Tunneling   SSL Interception
Validate server certificates                      Yes             Yes
Check SSL parameters such as cipher and version   Yes             Yes
Log information about the HTTPS connection        Yes             Yes
Cache HTTPS content                               No              Yes
Apply HTTP-based user authentication              No              Yes
Perform malware scanning and content filtering    No              Yes
Apply granular ProxySG policy                     No              Yes

 SSL Proxy tunnels HTTPS traffic by default unless there is an exception (such as certificate error, policy denial)
 On an exception, ProxySG sends error page to user



INTERCEPT ON EXCEPTION

 Recent browser versions do not interpret HTML code if the SSL Handshake is not properly completed
 The browser’s default error page will be displayed
• User is not aware of the reason for the block
 Starting from 6.2.10.x, « intercept on Exceptions » is enabled by default :
• ProxySG intercepts only failed sessions in order to display a proper error message to the end-user
• Requires SSL Proxy to be configured in order to avoid security warnings to end-users



HTTPS PROXY
(POLICY ACTIONS)

[Diagram: Client, SSL :443, ProxySG, SSL :443, Server. The server certificate reaches the ProxySG, which applies one of three policy actions: Tunnel (do not intercept) / Decrypt / Deny]

Tunnel (do not intercept): Certificate (unmodified) is passed to the client; traffic is tunneled
Decrypt / Deny: Certificate (SG cert) is presented to the client; 3 HTTPS security checks are applied
Deny (no intercept): TCP FIN is sent to the client (Page cannot be displayed)
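The explicit-mode exchange (HTTPS IN EXPLICIT MODE) and the three policy outcomes of the HTTPS PROXY (POLICY ACTIONS) slide, as an added example that is not Blue Coat or ProxySG code. It parses the client's CONNECT request line, answers it the way a proxy does, and then picks tunnel, decrypt or deny. Real browsers send the authority form `CONNECT host:port HTTP/1.1` without a scheme (RFC 7231), while the deck's diagram writes the target with an `https://` prefix; the parser accepts both. The category table, the policy sets and the `<TCP FIN>` marker are constructed assumptions.

```python
"""Explicit-mode CONNECT handling and the three SSL proxy outcomes.

Added example, not Blue Coat code. The client sends an HTTP CONNECT to the
explicit proxy; the proxy either tunnels the session unchanged, intercepts
(decrypts) it, or denies it. Category table and policy rules are constructed.
"""
import re
from typing import NamedTuple, Tuple

# RFC 7231 authority form: "CONNECT host:port HTTP/1.1". The optional scheme
# prefix is tolerated only so the deck's own diagram line parses as well.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?:https?://)?(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$",
    re.IGNORECASE,
)

class ConnectRequest(NamedTuple):
    host: str
    port: int

def parse_connect(request_line: str) -> ConnectRequest:
    """Parse the CONNECT request line the client sends to the explicit proxy."""
    m = _CONNECT_RE.match(request_line.strip())
    if not m:
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"bad port in CONNECT: {port}")
    return ConnectRequest(m.group("host").lower(), port)

# What the proxy answers the client once the upstream TCP handshake succeeded.
CONNECT_ESTABLISHED = "HTTP/1.1 200 Connection Established\r\n\r\n"

# Constructed category lookup; on a ProxySG this would come from the server
# certificate category (see IDENTIFY INTERNET INTERCEPTION SCOPE).
CATEGORY = {
    "www.happycatco.com": "Search Engine/Portal",
    "bank.example": "Financial Services",
    "clinic.example": "Health",
    "malware.example": "Malicious Sources",
}
# Constructed policy: privacy-sensitive categories are tunneled, not decrypted;
# one category is denied outright.
TUNNEL_CATEGORIES = {"Financial Services", "Health"}
DENY_CATEGORIES = {"Malicious Sources"}

def ssl_action(req: ConnectRequest) -> str:
    """Return 'deny', 'tunnel' or 'decrypt' for a parsed CONNECT request."""
    cat = CATEGORY.get(req.host, "unknown")
    if cat in DENY_CATEGORIES:
        return "deny"
    if cat in TUNNEL_CATEGORIES:
        return "tunnel"
    return "decrypt"

def handle_connect(request_line: str) -> Tuple[str, str]:
    """Simulate the proxy side: the chosen action and what the client receives."""
    req = parse_connect(request_line)
    action = ssl_action(req)
    if action == "deny":
        # Deny without intercept: the deck shows this as a TCP FIN, so the
        # browser displays its own "page cannot be displayed".
        return action, "<TCP FIN>"
    # Tunnel and decrypt both start the same way: answer 200 and open TCP to
    # host:443. Only afterwards does the proxy either relay bytes unchanged
    # (tunnel) or act as SSL server towards the client and SSL client towards
    # the server (decrypt).
    return action, CONNECT_ESTABLISHED

if __name__ == "__main__":
    for line in (
        "CONNECT https://www.happycatco.com:443 http/1.1",
        "CONNECT bank.example:443 HTTP/1.1",
        "CONNECT malware.example:443 HTTP/1.1",
    ):
        print(line, "->", handle_connect(line))
```

The decision is made on the CONNECT target before any TLS bytes flow, which is why explicit mode needs no protocol detection to know the destination; in transparent mode the proxy only learns the host from the ClientHello or the server certificate.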



LOGGING FACILITIES

 ProxySG logs SSL information in different logfiles
• In SSL Accesslogs for connection details (IP, certificate FQDN, timestamps…)
2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - medium *.google.fr "unlicensed"

• In Accesslogs « Main » only if SSL traffic is intercepted. This includes applicative data (URLs, content-type, user-agent…) :
2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 /++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" 10.80.12.33 6513 375 - "unlicensed" "unlicensed"

• In Configuration -> Access Logging -> General :
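A parser for the two log lines shown on this slide, as an added example that is not Blue Coat code. The exact field order of a ProxySG access log depends on the configured log format, so rather than hard-coding column numbers it locates the fields by their shape (the cache-result token such as `TUNNELED` or `TCP_NC_MISS`, and the host and port that follow the scheme token); that heuristic is a constructed assumption. The two sample lines are copied from the slide, with the curly quote in the first one normalised to a straight quote.

```python
"""Tell tunneled from intercepted HTTPS sessions in ProxySG access logs.

Added example, not Blue Coat code. The SSL log records every HTTPS session;
the Main log only gets an entry when the session was intercepted, so a
TCP_* cache result can only exist if the proxy saw the decrypted request.
Field positions are located by token shape (constructed heuristic).
"""
import re
import shlex
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the two lines from the LOGGING FACILITIES slide.
SAMPLE_LOG = [
    '2014-01-21 12:50:50 368 10.80.0.53 - - - PROXIED "Search Engine/Portal" 0 TUNNELED unknown - ssl www.google.fr 443 - - 10.80.12.33 0 0 - none - - medium *.google.fr "unlicensed"',
    '2014-01-21 12:59:40 223 10.80.0.53 - - - PROXIED "unlicensed;unavailable" https://www.cia.gov/about-cia 404 TCP_NC_MISS GET text/html https www.cia.gov 443 /++theme++contextual.agencytheme/images/youtube-noscript.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0" 10.80.12.33 6513 375 - "unlicensed" "unlicensed"',
]

_ACTION_RE = re.compile(r"^(TUNNELED|TCP_[A-Z_]+)$")
_SCHEMES = {"ssl", "https", "http"}   # bare scheme token preceding host and port

class SslSession(NamedTuple):
    timestamp: str
    client_ip: str
    action: str
    host: str
    port: int
    intercepted: bool   # True when HTTP-level detail was recorded

def parse_line(line: str) -> Optional[SslSession]:
    """Return an SslSession for an SSL or Main log line, or None if unparsable."""
    try:
        tokens = shlex.split(line)   # keeps quoted fields (category, user-agent) whole
    except ValueError:
        return None
    if len(tokens) < 8:
        return None
    timestamp = f"{tokens[0]} {tokens[1]}"
    client_ip = tokens[3]            # c-ip follows date, time, time-taken
    action = next((t for t in tokens if _ACTION_RE.match(t)), None)
    if action is None:
        return None
    # host and port follow the scheme token ("ssl" in the SSL log, "https" in Main);
    # the referer "https://..." does not match because it is not a bare scheme.
    try:
        i = next(k for k, t in enumerate(tokens) if t in _SCHEMES)
        host, port = tokens[i + 1], int(tokens[i + 2])
    except (StopIteration, IndexError, ValueError):
        return None
    return SslSession(timestamp, client_ip, action, host, port, action != "TUNNELED")

def summarise(lines: List[str]) -> Dict[str, Counter]:
    """Count tunneled vs intercepted sessions per server host."""
    per_host: Dict[str, Counter] = {}
    for line in lines:
        s = parse_line(line)
        if s is None:
            continue
        bucket = "intercepted" if s.intercepted else "tunneled"
        per_host.setdefault(s.host, Counter())[bucket] += 1
    return per_host

if __name__ == "__main__":
    for host, counts in summarise(SAMPLE_LOG).items():
        print(host, dict(counts))
```

Running the summary over a day of logs is a quick way to confirm that the interception scope matches the intended policy: hosts in exempted categories should only ever appear as tunneled, and hosts meant to be inspected should show up in the Main log.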



SSL DECRYPTION BEST PRACTICES



SSL DECRYPTION
METHODOLOGY

 A proper workflow MUST be in place before :
• Need to make sure ProxySG can be trusted by end-users’ browsers
• Need to identify SSL based applications that are not http-based to prevent denied access (handling through Whitelist)
• Need to identify interception scope (all traffic or specific categories)
• Need to build a Privacy policy
• Need to define a Server Certificate Validation Strategy (OCSP)
• (Optional) : TAP SSL Decrypted data

 Caveats :
• Country specific legal policies may prevent use of SSL decryption without user notification
• SSL traffic is often considered by law as private/confidential traffic for end users



PROXYSG MUST BE TRUSTED BY BROWSERS

 Only the Certificate Signature may trigger a warning
• The rest of the certificate is copied from the original one
 Internal PKI can issue an Intermediate CA Certificate
• Will be imported on a ProxySG (as keyring) and used to sign emulated certificates (different than a server cert.)
• Import the Root CA as well (in the trusted CA store)
 In case there’s no PKI available :
• Use the existing cert. from the ProxySG (or generate a new one)
• Browsers will have to install it in the Certificate Authority store
 Active Directory (GPO) can automate certificate distribution



CAREFULLY IDENTIFY APPLICATIONS SCOPE

 SSL encrypted applications that are not HTTP based will be denied (Webex, Skype are good examples…)
• SSL Interception will block access to applications in case the app is not http based
• Stunnel Interception will allow the application to go through without being blocked

 If a client certificate is requested during the SSL Handshake, it will break SSL Interception
• Use whitelist to exempt SSL interception for regular applications
• Use keylist to store Client Certificates directly on the ProxySG (requires SGOS 6.3.x and later) so that ProxySG knows which user maps to which certificate

 Be sure to identify all of them before decrypting SSL sessions (at least the critical ones) :
• Management can be done through Whitelist
• These applications won’t be decrypted
• Consider testing Intranet applications in case they are accessed through Proxies



IDENTIFY INTERNET INTERCEPTION SCOPE

 SSL decryption can be done through categories
 Server Certificate Category is the best trigger
 Work with Human Resources and Legal departments
 Categories that should not be intercepted
• Financial Services
• Health



CERTIFICATE VALIDATION STRATEGY

 Errors in certificates (server-side, if tolerated) are not propagated to client browsers by default :
• Need SGOS 6.3.x or later (Preserve untrusted issuer). SSL Proxy allows to choose an Untrusted Issuer Keyring to reflect certificate errors

 Consider Certificate Validation for Intranet applications (if proxified)
• Some of them may use self-signed certificates
 Recommended Strategy for Internet is :
• Don’t tolerate certificate errors (except for trusted apps)
• Configure OCSP to check certificate revocation



TAP ENCRYPTED DATA

 Requires Encrypted TAP license
• SGOS 6.5.1.x allows to tap SSL based traffic (through Stunnel Proxy)
• SGOS 6.5.2.x allows to tap SSL based traffic (including SSL Proxy)
 The Tap output is pseudo TCP and cannot be routed
 Can only be configured to tap client side SSL traffic (bi-directional)
 Tapped (decrypted) SSL data is sent to a dedicated Interface and can be consumed by network forensics tools such as Security Analytics Platform (or IPS …)
 VPM/CPL SSL Access layers allow to decide which traffic to TAP



CONFIGURATION STEPS



IMPORT CERTIFICATES AUTHORITY

 In Management Console, Configuration -> SSL -> CA Certificates :
• Import the Root Certificate of your PKI solution
• Import the certificate chain (if applicable) in case multiple Intermediate CAs are used
• Import the ProxySG subordinate CA (the one you have generated to delegate signature of emulated certificates)



CONFIGURE SSL PROXY

 In Management Console, Configuration -> Proxy Settings -> SSL Proxy
• Choose the default Certificate Authority the SG will use to sign the emulated Certificates (the one you have just imported)
• Choose the Server Certificate List that ProxySG will use to validate server Certificates (browser-trusted)
• Tick « Preserve untrusted certificate Issuer » in case you need to propagate Certificate errors towards end users



PROXY SERVICES CONFIGURATION

 Explicit Environments
• Set Explicit HTTP service to Intercept
• Edit the Explicit Proxy Service and check detect protocol (global)
• HTTP Proxy will ‘detect’ the CONNECT request
• ‘Detected’ session will be passed to the SSL Proxy for processing
• VPM/CPL allows for selective protocol detection
 Transparent Environments
• Set HTTPS service to Intercept
 Every application which doesn’t respect SSL standards will be blocked



CREATE SSL INTERCEPTION RULES

 In VPM, use SSL Intercept Layer to define interception policies
• Interception action will let you choose the keyring used to sign emulated server certificates

Enable HTTPS Interception : SSL decryption will be performed. Non-https applications will be blocked.
Enable HTTPS Interception on exception : Allow the ProxySG to intercept the SSL session to present an exception message to the end user.
Enable STunnel Interception : SSL decryption will be performed. Application layer won’t be inspected (no application logs…). Allows non-https applications to go through the Proxy. Decrypted traffic can be optimized (MACH5) and tapped in clear text.
Enable SSL Interception with automatic protocol detection : https based applications will be handed off to the SSL Proxy, others will be handled by the Stunnel Proxy.
CREATE OCSP RESPONDER

 Give it a name
 Issuer CCL:
• The issuer CCL attribute allows the administrator to specify the certificate authorities (issuers) for which the responder in question is the designated responder
 Response CCL:
• This attribute is used during verification of OCSP responses
 Specific errors can be ignored



CREATE SERVER CERTIFICATES VALIDATION
RULES

 In VPM, use SSL Access Layer to define certificate validation rules
• Server certificate validation can be enabled or disabled with specific triggers
• Rules can ignore specific information (hostname mismatch, expiration date and/or certificate issuer)
• OCSP revocation check can be performed (recommended) by using the responder created on the previous slide
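The three checks from the CERTIFICATE VALIDATION slide, the "ignore hostname mismatch / expiration / issuer" options from this slide, and the revocation lookup recommended under CERTIFICATE VALIDATION STRATEGY, combined in one added example that is not Blue Coat or ProxySG code. Certificates are modelled as plain dicts so the decision logic is visible without signature verification; the chain, the trust store, the clock value and the set of revoked serials are all constructed sample data. Revocation is deliberately never ignorable here, which goes one step beyond the slide's three ignore options.

```python
"""Server certificate validation with per-rule ignore options.

Added example, not Blue Coat code. Certificates are dicts with the fields the
checks need (constructed); a real validator would also verify signatures.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

Cert = Dict[str, object]

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or one wildcard covering a single leading label (*.google.fr)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".google.fr"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False

def validate_chain(chain: List[Cert], hostname: str, trusted_roots: Set[str],
                   now: datetime, revoked: Set[str],
                   ignore: Optional[Set[str]] = None) -> List[str]:
    """Return the validation errors that are not covered by `ignore`.

    chain[0] is the server certificate; each following element must be the
    issuer of the one before it. Ignore flags mirror the VPM rule options:
    'hostname_mismatch', 'expiration', 'untrusted_issuer'.
    """
    ignore = ignore or set()
    errors: List[str] = []
    leaf = chain[0]
    # 1. the name the user typed must match the CN or one of the SANs
    names = [leaf["cn"], *leaf.get("san", [])]
    if not any(hostname_matches(n, hostname) for n in names):
        errors.append("hostname_mismatch")
    # 2. every certificate in the chain must be valid at the proxy's clock
    for cert in chain:
        if not (cert["not_before"] <= now <= cert["not_after"]):
            errors.append("expiration")
            break
    # 3. the chain must link subject -> issuer and end at a trusted root
    linked = all(chain[i]["issuer"] == chain[i + 1]["cn"] for i in range(len(chain) - 1))
    if not linked or chain[-1]["issuer"] not in trusted_roots:
        errors.append("untrusted_issuer")
    # 4. revocation (what an OCSP responder answers); never ignorable here
    if any(cert["serial"] in revoked for cert in chain):
        errors.append("revoked")
    return [e for e in errors if e == "revoked" or e not in ignore]

# Constructed sample data ----------------------------------------------------
NOW = datetime(2014, 1, 21, 12, 50, tzinfo=timezone.utc)
TRUSTED_ROOTS = {"Example Root CA"}
REVOKED = {"0x2001"}                               # serials an OCSP responder flags

def _cert(cn: str, issuer: str, serial: str, san=(), years_valid: int = 2) -> Cert:
    return {"cn": cn, "issuer": issuer, "serial": serial, "san": list(san),
            "not_before": datetime(2013, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(2013 + years_valid, 1, 1, tzinfo=timezone.utc)}

INTERMEDIATE = _cert("Example Intermediate CA", "Example Root CA", "0x1000")
GOOD_CHAIN = [_cert("*.google.fr", "Example Intermediate CA", "0x1001", san=["google.fr"]), INTERMEDIATE]
SELF_SIGNED = [_cert("intranet.corp.example", "intranet.corp.example", "0x3001")]
EXPIRED = [_cert("old.example", "Example Intermediate CA", "0x1002", years_valid=1), INTERMEDIATE]
REVOKED_CHAIN = [_cert("www.example", "Example Intermediate CA", "0x2001"), INTERMEDIATE]

if __name__ == "__main__":
    print("good      ", validate_chain(GOOD_CHAIN, "www.google.fr", TRUSTED_ROOTS, NOW, REVOKED))
    print("intranet  ", validate_chain(SELF_SIGNED, "intranet.corp.example", TRUSTED_ROOTS, NOW, REVOKED))
    print("intranet* ", validate_chain(SELF_SIGNED, "intranet.corp.example", TRUSTED_ROOTS, NOW, REVOKED,
                                       ignore={"untrusted_issuer"}))
    print("expired   ", validate_chain(EXPIRED, "old.example", TRUSTED_ROOTS, NOW, REVOKED))
    print("revoked   ", validate_chain(REVOKED_CHAIN, "www.example", TRUSTED_ROOTS, NOW, REVOKED))
```

The `ignore={"untrusted_issuer"}` call is the shape of an intranet exemption: scope it to the named self-signed applications rather than globally, since the same flag on Internet traffic would let any certificate through.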



VERIFY SSL INTERCEPTION

 Go to an HTTPS website where SSL interception has been configured
 Have a look at the SSL certificate for the website to check SSL interception
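The certificate check this slide describes, done programmatically instead of in the browser's certificate viewer, as an added example that is not Blue Coat code. An intercepted session shows an emulated certificate whose issuer is the ProxySG signing CA (the keyring chosen in the SSL Intercept layer); a tunneled session shows the site's real issuer. `issuer_common_name` reads the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the two sample certificates and the CA name `ProxySG Subordinate CA` are constructed, and `fetch_peer_cert` is the live variant for use on a proxied client.

```python
"""Decide from the presented certificate whether an HTTPS session was intercepted.

Added example, not Blue Coat code. Works on the dict layout returned by
ssl.SSLSocket.getpeercert(); sample certificates and CA name are constructed.
"""
import socket
import ssl
from typing import Dict, Iterable, Optional

def issuer_common_name(cert: Dict) -> Optional[str]:
    """Extract the issuer CN from a getpeercert()-style dict (None if absent)."""
    for rdn in cert.get("issuer", ()):          # issuer is a tuple of RDNs
        for key, value in rdn:                  # each RDN is a tuple of (type, value)
            if key == "commonName":
                return value
    return None

def is_intercepted(cert: Dict, proxy_ca_names: Iterable[str]) -> bool:
    """True if the certificate was signed by one of the proxy's signing CAs."""
    return issuer_common_name(cert) in set(proxy_ca_names)

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live check (not exercised offline): connect as the browser would and
    return the certificate actually presented to this client."""
    ctx = ssl.create_default_context()
    # The emulated certificate only verifies if the ProxySG CA is in this
    # host's trust store, which is the precondition for warning-free interception.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data in getpeercert() layout --------------------------
PROXY_CA_NAMES = ["ProxySG Subordinate CA"]       # the keyring CA, constructed

INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.happycatco.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "ProxySG Subordinate CA"),)),
    "notAfter": "Jan 21 12:00:00 2015 GMT",
}
TUNNELED_CERT = {
    "subject": ((("commonName", "www.happycatco.com"),),),
    "issuer": ((("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Intermediate"),)),
    "notAfter": "Jan 21 12:00:00 2015 GMT",
}

if __name__ == "__main__":
    for label, cert in (("intercepted", INTERCEPTED_CERT), ("tunneled", TUNNELED_CERT)):
        print(label, issuer_common_name(cert), is_intercepted(cert, PROXY_CA_NAMES))
```

Note that everything but the signature is copied from the original certificate, so the subject alone will not reveal interception; the issuer is the field to look at.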



BLUE COAT CUSTOMER FORUMS

Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
Research, post and reply to topics relevant to you at your own convenience
Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
Access at forums.bluecoat.com and register for an account today!
THANK YOU FOR JOINING TODAY!

 Please provide feedback on this webcast and suggestions for future webcasts to:
john.dyer@bluecoat.com

Webcast replay and slide deck found here:
https://bto.bluecoat.com/training/customer-support-technical-webcasts



Q&A

Questions?

