Michael Mauch Worldwide Solution Architect - Security

Presentation on theme: "Michael Mauch Worldwide Solution Architect - Security"— Presentation transcript:

1 Michael Mauch Worldwide Solution Architect - Security
Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling

It is a little bit like in the Matrix movie: red or blue pill, you have the choice. You could either ignore the SSL issues (allow all or deny all) or you could start looking into the details, and that is what we are going to do today.

2 SSL – a refresh
Three functions of SSL for HTTPS:
- Authenticate the end points (usually just the server)
- Hide the data during transmission
- Validate that the data arrived unchanged
Steps to an SSL connection setup:
- Hello messages (version, cipher negotiation)
- Certificate exchange (usually server only)
- Master secret exchange (from which a session key is calculated)
- Bulk data transmission (uses the session key for encryption)
What IT needs is full SSL visibility and control.

3 SSL Handshake and Agenda
- Server Cert Validation
- Client Cert Authentication
- Control Ciphers
- Web App Controls
- Content Inspection (Malware/DLP)
- Application Performance

4 Server Certificate Validation

5 Why is it important?
In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA. The attacker was able to issue fraudulent server certificates. This basically breaks the PKI trust model: users do not get any certificate warning.
Requirements:
- Detect revoked certificates
- Detect self-signed certificates
- Detect expired certificates
- Detect untrusted issuer
- Detect hostname mismatch

6 Blue Coat Solution
- Revocation checking: Online Certificate Status Protocol (OCSP) – this is real-time! – and Certificate Revocation List (CRL)
- Validate CA / issuer signature
- Expiry date
- Hostname
SSL termination is not required for certificate validation.

7 How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy

    <ssl>
        client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
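The five checks listed on slide 5, worked through as an added example (not Blue Coat code): a small Python validator over a constructed certificate model, with RFC 6125 wildcard hostname matching and a revocation lookup that stands in for the OCSP or CRL query the proxy would make. TRUSTED_ISSUERS, make_cert and the dates are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed trust store: trusted issuer name -> serial numbers that issuer has
# revoked. The lookup stands in for the OCSP response or CRL the proxy would use.
TRUSTED_ISSUERS = {"Example Root CA": {"0x2a"}}

# Constructed reference times: one inside the validity window, one after it.
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2014, 1, 1, tzinfo=timezone.utc)


def hostname_matches(hostname, pattern):
    """RFC 6125 style match: a wildcard is allowed only as the whole leftmost
    label and never spans a dot, so '*.example.com' matches 'www.example.com'
    but not 'a.b.example.com', 'example.com' or a bare '*'."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def make_cert(subject, issuer, serial="0x01", san=None,
              not_before=datetime(2012, 1, 1, tzinfo=timezone.utc),
              not_after=datetime(2013, 1, 1, tzinfo=timezone.utc)):
    """Constructed stand-in for a parsed X.509 certificate (subject/issuer are CNs)."""
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "san": san or [], "not_before": not_before, "not_after": not_after}


def validate_server_cert(cert, hostname, now, trusted=TRUSTED_ISSUERS):
    """Run the five checks and return the findings; an empty list means the
    certificate passes. Self-signed, untrusted issuer and revoked are mutually
    exclusive (no issuer to ask about a self-signed cert); the rest are independent."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    elif cert["issuer"] not in trusted:
        findings.append("untrusted issuer")
    elif cert["serial"] in trusted[cert["issuer"]]:
        findings.append("revoked")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("expired or not yet valid")
    # Prefer the Subject Alternative Names; fall back to the subject CN only
    # when the certificate carries no SAN extension.
    names = cert["san"] or [cert["subject"]]
    if not any(hostname_matches(hostname, n) for n in names):
        findings.append("hostname mismatch")
    return findings
```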

8 SSL Cipher Controls

9 Why should you care? Compliance reasons (PCI, etc.)
There are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI.
- Deny weak cipher suites by policy
- Deny older SSL protocol versions by policy
Can be controlled for:
- the connection between client and proxy
- the connection between proxy and server
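The cipher and protocol policy from slide 9, as an added example rather than ProxySG policy syntax: a Python evaluator that parses IANA cipher suite names into their components, flags weak ones, and applies a separate protocol floor to the client leg and the server leg. WEAK_TOKENS and POLICY are constructed thresholds, not a vendor list.

```python
import re

# Protocol versions in order of preference; index comparison enforces a minimum.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Name tokens that make a suite weak, with the reason to log. Constructed list.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "export-grade key length",
    "DES40": "40-bit DES",
    "DES": "single DES",
    "RC2": "RC2 cipher",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5 MAC",
    "anon": "anonymous key exchange, server not authenticated",
}

# IANA suite names look like TLS_<key exchange>_WITH_<encryption>_<MAC>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")

# Constructed policy: the two legs are controlled independently, so a stricter
# floor can be set toward managed clients than toward legacy origin servers.
POLICY = {"client": {"min_protocol": "TLSv1.0"},
          "server": {"min_protocol": "SSLv3"}}


def parse_suite(name):
    """Split an IANA cipher suite name into (key exchange, encryption, MAC)."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised cipher suite name: " + name)
    return m.group("kx"), m.group("enc"), m.group("mac")


def evaluate(leg, protocol, suite, policy=POLICY):
    """Decide one leg ('client' or 'server') of a proxied SSL session.
    Returns (allowed, reason); the reason is what you would write to the log."""
    floor = policy[leg]["min_protocol"]
    if PROTOCOL_ORDER.index(protocol) < PROTOCOL_ORDER.index(floor):
        return False, f"{leg}: {protocol} is below the minimum {floor}"
    for part in parse_suite(suite):
        for token in part.split("_"):
            if token in WEAK_TOKENS:
                return False, f"{leg}: {suite} denied ({WEAK_TOKENS[token]})"
    return True, f"{leg}: {protocol} {suite} allowed"


def evaluate_session(client_leg, server_leg, policy=POLICY):
    """A session passes only if both legs pass. Each leg is a (protocol, suite)
    pair; returns (allowed, [client reason, server reason])."""
    results = [evaluate("client", *client_leg, policy),
               evaluate("server", *server_leg, policy)]
    return all(ok for ok, _ in results), [reason for _, reason in results]
```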

10 How to control cipher strength (VPM example)
:17: Michael […] medium "Search Engines/Portals” […] :14: Michael - policy_denied DENIED […] […]

11 Client Certificate Authentication

12 Client certificate authentication use cases
[Diagram: three departments / customers A, B and C, each holding X.509 certificates and public / private key pairs, connect over SSL through an SWG forward proxy using SSL interception to an OCS that requires a client certificate for authentication. Certificate fields shown: Name, Address, City, Country, Server URL, Key Usage, etc.]
Policy:
- Src=A Dst=OCS → use client cert A
- Src=B Dst=OCS → use client cert B
- Src=C Dst=OCS → use client cert C

13 Use Cases
This feature enables HTTPS interception for an OCS that requires client certificate based authentication. It enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy. This allows:
- Selection of certificates based on user and/or group
- Selection of certificates based on destination URL
- Selection of certificates based on all available policy conditions like server IP, client IP / subnet, etc.
It also enables administrators to load a large number of client certificates and their corresponding private keys from a file.

14 Why is this needed?
- Content inspection
- Certificate validation
- Logging
- Centralized client certificate management
- Etc.

15 Web Application Controls

16 Why Web Application Controls?
- 240% growth of malicious sites in 2011
- 40% of users infected by malware from social networking sites
- 1 in 14 downloads containing malware
- 700B minutes users worldwide spend on Facebook per month
- 41% of companies have had data loss due to social networking

Today we're talking about our new Web Application Policy Engine, a part of our overall Security story. Blue Coat introduced Web Application Controls as part of our SGOS 6.2 release in 2011 and our Cloud Security offering. As a review, or if you missed our original announcement, I'll cover what web application controls are. But first let's look at what's driving the need to control web applications. Part of it is the increase in malware coming over web applications. There was a 240% growth in 2011 (Blue Coat 2012 Web Security Report) of malicious web sites. And as to where users are getting infected, 40% are getting infected from social networking sites and applications, with 1 in 14 downloads from the internet hosting some form of malware. If you look at Facebook alone, over 700 billion minutes were spent on Facebook by users in one month. And it's not just productivity loss: 41% of companies indicated that they have had some sort of data loss due to social networking. These statistics point to a growing need for controls over web apps including social networking. If you think you can just block social networking, think again. Using that Facebook example, and one of the best known companies in the world, Coca-Cola, it may surprise you to learn that Coca-Cola receives about 187,000 hits a month on its website, but has over 42 million likes on its Facebook page. When they want to do a marketing campaign, the reach of their Facebook page far outstrips the reach of their website. There's a corporate imperative to let their marketing organization access Facebook.
And Marketing isn't the only group; there's also HR, which wants to recruit new employees, and one perk they can offer new employees is the ability to use Facebook at work.

17 Granular Web Application Controls
- Social Networks: Regulate Operations, Restrict Abuse, Prevent Data Loss
- Safe Search: Major Search Engines, Media Search Engines, Keyword Searches
- Webmail: Send, Download Attachment, Upload Attachment
- Multimedia: Publishing, Sharing

So let's look at an overview of some of the abilities that web app control offers you today. There's also safe search capabilities, and the ability to enforce safe search on major search engines. And as we've discussed, you've got controls over social networking and webmail. In addition you also have controls over multimedia sites, ones that allow sharing of files, pictures, videos, and publishing sites – including blogging sites like Blogger and Wordpress.

18 Web Application Control Example
Different Policies for Facebook throughout an Organization
- Global Policy (Everyone): Read Only Policy – no comments, posting, upload/download, games, , chat, etc.
- Group Policy (Marketing): Limited Use Policy – can comment, post, upload, and chat; no games, no downloads, etc.
- Group Policy (HR/Recruiting): Expanded Use Policy – can comment, post, upload, download, , chat, but no games, etc.
- Individual Policy (CEO, CIO): Full Use Policy – no restrictions

To help clarify what we can do with web app controls, let's look at a specific Facebook example for an enterprise. Most organizations will likely want to have different policies for different users within an organization, and this example shows you some different policies a typical organization may want to implement around Facebook usage. Let's say this organization has a corporate wide initiative to allow Facebook to everyone. We can start with a global policy that allows essentially read-only Facebook access. Users can login and check their feeds, but they can't comment, post, upload/download, play games, or chat. But as we mentioned earlier, it's likely the marketing organization has a mandate to use Facebook to promote the company's activities. So the marketing group could get a specific group policy that gives them some additional limited use. Say the ability to comment, post, upload, , and chat. But no games or downloads. The HR group may also want to do some recruiting on Facebook and may need some slightly expanded capability over the marketing group; for example, they may also get the ability to download, for resumes they may receive over Facebook. And then there may be some individual policy exceptions, say for the CEO or CIO, where they have no restrictions over what they can do in Facebook. As you can see, you can set different policies for different members of the organization, giving you flexible and granular control over your web applications.

19 Web and Mobile Application Controls
Over 200 apps/operations supported:
- Safe Search: major engines supported, media search engines as well, keyword searches
- Social Networks: regulate operations, restrict abuse (Upload Video, Upload Photo, Post Message)
- Multi-media: publishing, sharing
- Web Mail: Send, Download Attachment, Upload Attachment
- And more!

In this slide we show you some of the commonly used apps and controls we have implemented. The current list is of course much larger, spanning over 200 apps and operations supported today. I also want to take a moment to mention our latest version of Reporter, 9.3, which now has support for web and mobile app reporting in addition to multimedia reporting. For those that aren't quite ready to implement web and mobile app control, I highly recommend that you run a version of SGOS that has web and mobile app controls (SGOS and higher) without implementing controls and send your log data to the new Reporter. It will consolidate and produce reports on what web apps are being used and what operations are most commonly being used in those apps, along with who is using them. Once you get that data, you can decide what types of policies for web apps are appropriate for your organization.

20 Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!

21 How to enable app controls (VPM example)

22 How to enable app controls (VPM example)
:00: Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/ Firefox/10.0" none - none high "Social Networking" "Facebook" "Post Messages"
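The kind of access log line shown on slide 22, and the per-app, per-operation, per-user view that slide 19 says Reporter produces from it, as an added example (not Reporter or SGOS code): a Python parser for ELFF-style lines followed by a summary of operations, users and denials. The field names in the #Fields header, the sample lines and the user names are constructed for this example; the layout is trimmed to the fields the summary needs.

```python
import shlex
from collections import Counter, defaultdict

# Constructed access log in the W3C ELFF shape the slide's line follows.
SAMPLE_LOG = """\
#Software: constructed sample, not a real export
#Fields: date time cs-username sc-filter-result sc-status cs-method cs-uri-scheme cs-uri-path x-bluecoat-application-name x-bluecoat-application-operation
2012-06-01 10:00:00 Michael DENIED 403 POST https /ajax/updatestatus.php "Facebook" "Post Messages"
2012-06-01 10:00:05 Michael OBSERVED 200 GET https /home.php "Facebook" "Browse"
2012-06-01 10:01:12 Anna OBSERVED 200 POST https /upload/photo "Facebook" "Upload Photo"
2012-06-01 10:02:30 Anna DENIED 403 GET https /games/launch "Facebook" "Play Games"
2012-06-01 10:03:00 Tom OBSERVED 200 POST https /mail/send "Webmail" "Send"
2012-06-01 10:03:30 Tom OBSERVED 200 CONNECT tcp - "-" "-"
"""


def parse_elff(text):
    """Turn ELFF text into a list of dicts keyed by the names in the #Fields line.
    Quoted values may contain spaces, so each line is split with shell rules."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = shlex.split(line)
            # Skip a malformed line rather than misalign every column after it.
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def app_usage(records):
    """Summarise what the log shows: requests per (app, operation), which users
    performed each, which (user, app, operation) combinations policy denied,
    and how many SSL requests carried no app context at all because they were
    tunnelled (CONNECT) instead of intercepted, which is slide 20's point."""
    per_op, who, denied, tunnelled = Counter(), defaultdict(set), Counter(), 0
    for r in records:
        app, op = r["x-bluecoat-application-name"], r["x-bluecoat-application-operation"]
        if r["cs-method"] == "CONNECT" and app == "-":
            tunnelled += 1            # method and host only, nothing to report on
            continue
        per_op[(app, op)] += 1
        who[(app, op)].add(r["cs-username"])
        if r["sc-filter-result"] == "DENIED":
            denied[(r["cs-username"], app, op)] += 1
    return per_op, who, denied, tunnelled
```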

23 Content Inspection Anti-Malware, DLP, etc.

24 Evolving Threat Landscape
- Malnets: 240% increase in malicious sites; 2/3 of all attacks will be launched via malnets
- Social Networking: 1 in 16 malicious attacks; an Internet within an Internet
- SaaS & cloud-based applications: 15% of enterprise apps by 2015; web applications attacked every two minutes
- Mobile devices: 76% of businesses have BYOD initiatives; 72 minutes browsing the mobile web

2011 was not a dull year – RSA was hacked, Symantec had source code stolen. With these reputed security firms under fire, IT leaders should be worried – no business would sign up for a program that exposes them to 500 threats per month, much less 5,000. <CLICK> In 2011, the discovery of malnets, infrastructures that are embedded within the Internet for the sole purpose of funneling unsuspecting users to malware, changed the game for both how cybercriminals launch attacks and how we can protect against those attacks. In our 2012 Web Security report, we reported a 240% increase in malicious sites in Much of this growth was driven by malnets, of which Blue Coat Security Labs is tracking This year we project that 2/3 of ALL attacks will be launched from these same infrastructures. <CLICK> We also saw that social networking was one of the leading attack vectors, and in fact grew over the last six months of Today, 1 in 16 malnet attacks originates from social networking. Recently there has been a flurry of fake photo attacks through Facebook, a valuable target for cybercrime given the large numbers of users that visit daily. Given the threats posed by social networking, it is important that businesses have the tools to manage it. The challenge of managing social networking is more complicated, though, when you start to look at the content within it. In 2011, 95% of all Internet content types were represented in Social Networking. Effectively SNs have become an Internet within the internet, allowing users to exist within and conduct all the same activities they previously did on the web – only now within a self-contained, trusted environment.
This trust base has long been exploited by cybercrime, and the wealth of content creates openings for the attack vectors we have seen on the internet (malvertising, drive-by downloads etc.) to now penetrate these internets within the internet. <CLICK> Like Social Networking, the rapid adoption of cloud-based applications is changing user behavior, creating new attack targets. In 2011, the SaaS market reached $12.1 billion, up 20.7% over By 2015, SaaS will account for 15% of enterprise application purchases, up from 10% today (Gartner). This adoption is increasing web usage, and, in turn, exposure to malware. A second side effect of the growing adoption of cloud-based applications is that it presents cybercriminals with a new way to target users and gain potentially lucrative login information. Web apps are attacked on average every two minutes (Imperva, 2011). When they are successful, they can be very profitable. For example, the MySQL attack last November targeted the login information of database admins, information that would likely gain them access to other more sensitive information within a corporate network. The attack utilized an iFrame injection and was set up by cybercriminals who purchased root access for $3,000 on the black market. <CLICK> If SaaS is the future of applications, mobile devices are the future for communications and accessing corporate assets. Today, 76% of businesses have BYOD initiatives in place (CDW IT Monitor, June 2011), allowing employees to choose their own devices and access corporate assets from those devices. These initiatives are increasing the blurring of corporate and personal usage that has been taking place for years. However, now it creates a security risk by providing a new entry point into the corporate network and a potential source for data loss. The security problem is magnified even more as mobile users are increasingly on the mobile web.
Today, users spend an average of 72 minutes per day browsing the mobile web (Flurry Analytics). And that is all done without any true protection against web-based threats. While the instances of targeted mobile malware are low today, we are starting to see examples. A recent Android attack redirected the browser to a malicious site that looked like a legitimate Opera browser update site. We have also seen attacks mimicking popular games. Late last year, a legitimate-looking version of Angry Birds was available on the Android apps store. Once downloaded, a premium-rate SMS trojan started texting destinations owned by cybercriminals. The bottom line here is that this problem is not going away any time soon. The barrier to entry is low for mass-market malware, with off-the-shelf exploit kits and call center-style help available for those looking to launch attacks. Malnets themselves offer a low investment, high return strategy by reusing existing infrastructures for hundreds of attacks. Above all, it continues to be profitable for malware operators. So how does an enterprise cope with these threats? <CLICK>

25 Inline Threat Detection
Protection Layer Over Desktops:
- Second AV engine
- Faster update cycles
- Deep inspection: 99 layers of compression, up to 2GB files
- Users cannot tamper or disable
Latest AV Technology:
- Checksum database for known threats
- Behavioral analysis on commands/content
- Emulation of scripts and active content
- Detect and block tunneled applications
No longer optional, required defense layer: all web traffic including SSL/TLS.

ProxyAV provides a reliable second layer of AV protection over desktops for a minimal expense. A second AV engine, different from the desktop AV engine, can be deployed, providing increased coverage with two known brands and labs providing protection. ProxyAV can be set to check for updates every 5 minutes, whereas desktops are often daily or less frequent, thus providing the most up-to-date protection at the web gateway. ProxyAV can be configured with more detection depth than standard desktop AV settings, plus users and malware cannot tamper with ProxyAV or disable it. ProxyAV provides the latest advancements in AV technology, including traditional checksums/signatures for known threats, plus behavioral analysis on commands and content similar to a DNA fingerprint for scripts and active content, plus a full emulation mode as required for scripts and active content to detect threats. Given malware growth in 2008, when two thirds of all known malware of the past 15 years was detected, and now for 2009 the malware volume has doubled, not having inline threat detection is a huge risk and betting against the odds. Prior to 2007 web malware was known, however not excessive; in the past three years it has exploded past other threats to lead the pack. All web traffic including SSL should be inspected for web threats, even more so as Google and other web mail providers are now turning on SSL as a default for users.

26 Malware Scanning / DLP: Co-Processor Architecture
- Improved utilization with M:N ratio
- Higher throughput per gateway
- Results in less hardware
- Optimized design
[Diagram: ProxySG between the Enterprise Network and the Internet, feeding ProxyAV and DLP appliances over ICAP, ICAP+ and S-ICAP; Dual Cache Design with a Clean Object Cache and a Finger Print Cache; user-facing options Patience Page, Trickle First, Trickle Last, Defer Scan (media).]

ProxySG supports integration with third party solutions for an extended web gateway architecture. This co-processor architecture for large enterprise web gateways results in higher performance, better utilization of each appliance and less hardware for an optimized design. ProxySG supports three modes of ICAP. ICAP+ was developed for ProxyAV integration, where the traditional eight handshakes of ICAP were reduced to six, plus over 17 message/response enhancements were made for tighter integration, smooth deployments and serviceability. ProxySG also keeps a dual cache intelligence to improve performance and minimize inline threat detection analysis: a clean object cache with timestamps is kept, plus a fingerprint cache of non-cacheable objects with timestamps. Thus any clean cached objects or frequently seen non-cached objects are delivered quickly to users free of any malware. Once an update is made to the inline detection engine, the timestamps signal the ProxySG to send the object to ProxyAV for analysis. When updates are made to ProxyAV, the dual caches are not flushed, nor are the object caches for ProxySG, thus providing seamless high throughput for frequent updates. Standard ICAP (RFC 3507) is provided for any off-proxy integration of URL filtering or threat detection; however, it is less popular today as on-proxy URL filtering has higher performance and more policy controls. S-ICAP (ICAP over SSL) was recently introduced, recognizing that DLP deployments often involve the separation of the client and server across a WAN for branch offices. As an example of scalability, we had a large customer in the EDU market with a very large user base. The Blue Coat solution using the co-processor architecture required 8 ProxySGs and 20 ProxyAVs while our top SWG competitor required 96 appliances.
As threat detection is CPU and memory intensive, it is often the lowest performing factor in a web gateway. Embedding it into one appliance makes sense for 1,000 or fewer users; however, for large enterprise web gateways, that design wastes utilization within each appliance, thus requiring more rack space, more energy and administration. By design, Blue Coat is the green solution.
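The dual-cache behaviour described above, modelled as an added Python example (not ProxySG or ProxyAV code): a ScanEngine standing in for ProxyAV over ICAP, and a Gateway whose clean object cache and fingerprint cache are stamped with the engine version, so that a signature update sends stale objects back for a rescan without flushing either cache. Digests, URLs and the engine's "bad" set are constructed for the example.

```python
import hashlib


def digest(body):
    """Fingerprint of an object; SHA-256 is used here, the real key is not known."""
    return hashlib.sha256(body).hexdigest()


class ScanEngine:
    """Stand-in for ProxyAV: knows a (constructed) set of bad digests and
    bumps its version whenever signatures are updated."""
    def __init__(self):
        self.version = 1
        self.bad = set()
        self.scans = 0             # counts ICAP round trips the gateway made

    def update(self, bad_digests):
        self.bad |= set(bad_digests)
        self.version += 1          # cache stamps older than this trigger a rescan

    def scan(self, body):
        self.scans += 1
        return digest(body) not in self.bad


class Gateway:
    """ProxySG-side logic: both caches survive engine updates; only the
    version stamp decides whether an object goes back to the scanner."""
    def __init__(self, engine):
        self.engine = engine
        self.clean_cache = {}      # url -> (body, engine version at last scan)
        self.fp_cache = {}         # digest -> engine version at last scan

    def fetch(self, url, body, cacheable):
        """Serve one request; 'body' plays the origin server's response.
        Returns (action, delivered) so the path taken is visible to the caller."""
        ver = self.engine.version
        if cacheable and url in self.clean_cache:
            cached, stamp = self.clean_cache[url]
            if stamp == ver:
                return "cache-hit", True           # no scan, no origin fetch
            if self.engine.scan(cached):           # stale stamp: rescan, keep object
                self.clean_cache[url] = (cached, ver)
                return "cache-rescanned", True
            del self.clean_cache[url]              # newly detected: evict and block
            return "cache-rescanned-blocked", False
        d = digest(body)
        if not cacheable and self.fp_cache.get(d) == ver:
            return "fingerprint-hit", True         # seen and scanned since last update
        if not self.engine.scan(body):
            self.fp_cache.pop(d, None)
            return "blocked", False
        if cacheable:
            self.clean_cache[url] = (body, ver)
        else:
            self.fp_cache[d] = ver
        return "scanned", True
```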

27 Web Application Performance

28 Dominant Trends in Apps & Networks
- Virtualization & IT Consolidation
- Streaming Video
- HTML5
- Cloud-Delivered Applications
- Next-generation Networks
- IPv6 Internet

There are a number of shifts in the landscape of users and how businesses use applications that are really driving some new requirements in this space, which originally served the application performance problems created by data center centralization. First, an explosion in mobile devices. Who here doesn't have a smartphone or an iPad? Or really both? Mobile devices are exploding in their use both in the workplace and at home. In fact, by 2014, more users are expected to access the Internet via mobile devices than computers. Workers too are becoming more mobile – this year alone an estimated 75% of the workforce in the U.S. will be mobile. Cloud-delivered applications are fundamentally changing the way enterprises deploy applications and deliver them to their user base. There's a lot of flexibility in cloud applications. There are a lot of operational efficiencies and it's definitely a growth area for customers that we serve. By 2014, analysts are projecting that this market will reach $16.5 billion. And then finally, video. Video has dominated recreational use – in fact 52% of all traffic on the Internet is video and that is projected to rise to 91% by Now, though, it's increasingly being harnessed by the enterprise for training and communications. Those three areas, mobile, cloud-delivered applications and streaming video, are undergoing tremendous shifts that are really impacting the evolution of WAN optimization. <CLICK>

29 Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
[Diagram: a Branch Office connects over the WAN and the Internet to the Data Center (symmetric optimization), to a Cloud Infrastructure-as-a-Service (IaaS) running a Blue Coat M5 VA (symmetric), and to public cloud SaaS (asymmetric, via the Cloud Caching Engine). Object types shown: SSL files & objects, HTTP files & objects, HTML5, Silverlight, Flash/RTMP, Apple images, RTSP; a 6MB object repeated across the paths.]
Blue Coat Branch to Cloud and internal HTTPS Optimization Requirements

Now, let's turn our attention to a different, more difficult use case: cloud-based application delivery. Because when it comes to the cloud, realize that these are applications that don't sit in your internal data center. You don't control the infrastructure in most cases. <CLICK> Where you do control the infrastructure, for example in a private cloud or an Infrastructure as a Service environment such as Amazon's EC2 cloud, you can deploy a virtual appliance so you can maintain that same old symmetric WAN optimization approach used in traditional WAN optimization. <CLICK> But in the case of a public cloud SaaS offering, where you can't control the infrastructure, <CLICK> that's where you need an asymmetric cloud caching capability in addition to the ability to decrypt external SSL. <CLICK> So this is where Blue Coat comes in. We not only have a virtual appliance that you can put in the private cloud infrastructure, we also have that cloud caching that's able to optimize directly from the branch office to the public cloud SaaS without having anything in the public cloud infrastructure. So, with that type of solution, we can speed cloud-delivered apps by up to 93 times. We lower the actual total cost of ownership because you don't need something deployed in the public cloud, you don't need something deployed at the data center. <CLICK> So with a single box, you actually optimize those cloud-based applications that are delivered to your employees in the branch office. <CLICK> They are cached in the Blue Coat Cloud Caching Engine on the first request <CLICK> and subsequent requests for the same file are served directly from the Cloud Caching Engine.
<CLICK>
- Speed Cloud-delivered Apps 5-93X
- Low TCO with Single Box Solution
- Accelerate Internet & Web Applications
- Asymmetric Cloud Caching
- Symmetric Cloud or DC (Virtual) Appliance
- Internal & External SSL Decryption

30 Cloud-Delivered Microsoft SharePoint One-Armed “Cloud Caching”
[Chart: Blue Coat 22x faster on average; per-scenario speedups shown: 93x, 17x, 13x, 47x]

31 Summary and Q&A

32 SSL Option 1: Passthrough
- Applications passed through
- No cache
- Visibility and context of: network-level information; user/group; applications (very limited)
[Diagram: User – SSL – Internet; TCP on both legs; labels Option 1, Control Apps]

Can granularly proxy or tunnel… or partially proxy (i.e., check to ensure valid app, user, and cert., then passthrough/tunnel). Warn user with splash screen – remind user of policy and offer chance to "opt-out" of transaction. Caching granularity – can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs). Administrative granularity – can log all, none, certain elements; can log off-box, securely. Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains, Rogue Categories, Active Content Categories, Drive-by Installers (.CAB, .OCX, .MSI), Executable file types & executable MIMEs, Active Content & MIME Types, User Agents. Speeds up business processes. High-performance: over 400Mbps. Low-latency: 3-4msec.

33 SSL Option 2: Check, then Pass
- Certificate validation
- No cache
- Visibility and context of: network-level information; certificates & certificate categories; user/group; applications (very limited)
- Can warn user and remind of AUP
[Diagram: User – SSL – Internet; TCP on both legs; labels Option 2, Control Apps. Speaker notes are the same as for Option 1.]

34 SSL Option 3: Full SSL Proxy
- Full caching and logging options
- Visibility and context of: network-level information; certificates & certificate categories; user/group; applications & operations; content; etc.
- Preserve untrusted issuer
- Intercept SSL based on: user/group; server certificate category; request URL category; request URL; source & destination IP; client hostname; etc.
[Diagram: User – SSL – ProxySG – SSL – Internet; TCP on both legs; Apps visible; label Option 3, Control. Speaker notes are the same as for Option 1.]

35 SSL Proxy requirements
- SSL license
- Trust between client and ProxySG: roll out the SG's self-signed certificate, or integrate ProxySG into an internal CA
- Legal requirements: this has to be verified on a per-country basis. Examples:
  - Germany: SSL interception has to conform to data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer would like to prevent possible damage by internet threats, and there must be a concrete risk potential (which of course exists here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
  - Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.

36 Questions?

37 Please provide feedback on this webcast to:
Webcast replay and slide deck found here: er-support-technical-webcasts (requires BTO login)


