Overview
PKI - How trust and certificates work
Tunneling vs Interception
SSL Decryption Best Practices
Configuration Steps
[Diagram: explicit proxy deployment. The client is configured to send its requests to the proxy at 1.1.1.1, port 8080.]
The certificate's Common Name must match exactly what was typed into the browser.
                                                  SSL Tunneling   SSL Interception
Validate server certificates                      Yes             Yes
Check SSL parameters such as cipher and version   Yes             Yes
Log information about the HTTPS connection        Yes             Yes
Cache HTTPS content                               No              Yes
Apply HTTP-based user authentication              No              Yes
Perform malware scanning and content filtering    No              Yes
Apply granular ProxySG policy                     No              Yes
Caveats:
• Country-specific legal policies may prevent use of SSL decryption without user notification
• SSL traffic is often considered by law as private/confidential traffic for end users
• SSL-encrypted applications that are not HTTP based will be denied (Webex and Skype are good examples)
• SSL Interception will block access to an application if the app is not HTTP based
• SSL tunneling (no interception) will allow the application to go through without being blocked
Be sure to identify all of them (at least the critical ones) before decrypting SSL sessions:
• Management can be done through a whitelist
• These applications won’t be decrypted
• Consider testing intranet applications in case they are accessed through proxies
Explicit Environments
• Set the Explicit HTTP service to Intercept
• Edit the Explicit Proxy Service and check "detect protocol" (global)
• The HTTP Proxy will ‘detect’ the CONNECT request
• The ‘detected’ session will be passed to the SSL Proxy for processing
• VPM/CPL allows for selective protocol detection
Transparent Environments
• Set the HTTPS service to Intercept
Every application that doesn’t respect SSL standards will be blocked
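The selective protocol detection and whitelist steps above, written as a ProxySG CPL policy fragment. This is an added example, not from the original deck; the hostname and the client subnet are constructed placeholders, and the layer and property names follow the Blue Coat CPL reference as understood by the editor.

```cpl
; Added example (not from the original slides). Subnet and hostname are constructed.
; Layer 1: protocol detection on the explicit HTTP service.
; CONNECT requests from most clients are 'detected' and handed to the SSL Proxy;
; a subnet that runs non-HTTP SSL applications is left as a plain tunnel.
<proxy>
    client.address=10.20.0.0/16 detect_protocol(no)   ; constructed: tunnel-only clients
    detect_protocol(yes)                              ; everyone else: detect CONNECT

; Layer 2: decide per session whether to intercept (decrypt) or tunnel.
; Whitelisted applications that do not speak HTTP inside SSL are tunnelled,
; so they keep working; everything else is intercepted for policy, scanning
; and logging.
<ssl-intercept>
    server.certificate.hostname.substring=conf.example.net ssl.forward_proxy(no)   ; constructed whitelist entry
    ssl.forward_proxy(https)                                                       ; intercept the rest
```

Rules in a layer are evaluated top down and the first match wins, so whitelist entries must precede the catch-all ssl.forward_proxy(https) rule.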
Give it a name
Issuer CCL:
• The issuer CCL attribute allows the administrator to specify the certificate authorities (issuers) for which the responder in question is the designated responder
Response CCL:
• This attribute is used during verification of OCSP responses
Specific errors can be ignored
Questions?