Slide 1: Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch, Worldwide Solution Architect - Security

Slide 2: SSL – a refresh (© Blue Coat Systems, Inc)
Three functions of SSL for HTTPS:
- Authenticate the end points (usually just the server)
- Hide the data during transmission (confidentiality)
- Validate that the data arrived unchanged (integrity)
Steps to an SSL connection setup:
1. Hello messages (version and cipher suite negotiation)
2. Certificate exchange (usually server only)
3. Key exchange: client and server agree on a premaster secret, from which the master secret and the session keys are derived
4. Bulk data transmission (uses the session keys for encryption)
What IT needs is full SSL visibility and control.

Slide 3: SSL Handshake and Agenda
Agenda (shown on the slide against the stages of the SSL handshake):
- Server certificate validation
- Client certificate authentication
- Control ciphers
- Web application controls
- Content inspection (malware/DLP)
- Application performance

Slide 4: Server Certificate Validation

Slide 5: Why is it important?
- In 2011, (at least) two certificate authorities were hacked: Comodo CA and DigiNotar CA.
- The attacker was able to issue fraudulent server certificates.
- This basically breaks the PKI trust model: because the fraudulent certificates chain to a root the browser already trusts, users do not get any certificate warning.
Requirements:
- Detect revoked certificates
- Detect self-signed certificates
- Detect expired certificates
- Detect an untrusted issuer
- Detect a hostname mismatch

Slide 6: Blue Coat Solution
- Revocation checking:
  - Online Certificate Status Protocol (OCSP): this is real-time
  - Certificate Revocation List (CRL)
- Validate the CA / issuer signature, the expiry date and the hostname
- SSL termination is not required for certificate validation: the server's Certificate message is sent in the clear during the handshake (in TLS 1.2 and earlier; TLS 1.3 encrypts it), so the proxy can check it while still passing the session through.

Slide 7: How to enable OCSP (CPL example)
Step 1: Add the OCSP responder.
Step 2: Add the certificate validation policy. The CPL rule is one line: a condition followed by two properties.
    client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
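The checks that slides 5 and 6 require (self-signed, untrusted issuer, expired, hostname mismatch, revoked), as an added worked example in Python. This is not Blue Coat code: it works on the dictionary form of a certificate that Python's `ssl.SSLSocket.getpeercert()` returns, and the trusted-issuer set, the revoked-serial set (standing in for an OCSP/CRL answer) and the two sample certificates are constructed for the example.

```python
# Added example (not Blue Coat code): the five checks the slides list, applied to a server
# certificate in the dict form Python's ssl.SSLSocket.getpeercert() returns. The "trusted
# issuers" set, the "revoked serials" set and the sample certificates below are constructed
# for the example; a real validator builds the chain to a trust anchor and asks OCSP/CRL.
import ssl
import time
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: bool
    findings: list = field(default_factory=list)


def _dn(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) RDN structure into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def match_dns_name(pattern, hostname):
    """RFC 6125 style match: '*' only as the entire left-most label, never across a dot,
    and never for a bare registrable domain such as '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h) or any("*" in x for x in p[1:]):
        return False
    return p[1:] == h[1:]


def hostname_matches(cert, hostname):
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:  # when DNS SANs are present the CN must be ignored
        return any(match_dns_name(s, hostname) for s in sans)
    cn = _dn(cert.get("subject", ())).get("commonName")
    return cn is not None and match_dns_name(cn, hostname)


def validate_server_cert(cert, hostname, trusted_issuers, revoked_serials, now=None):
    """Return a Verdict listing every policy failure (self-signed, untrusted issuer,
    not yet valid, expired, hostname mismatch, revoked)."""
    now = time.time() if now is None else now
    findings = []
    subject, issuer = _dn(cert["subject"]), _dn(cert["issuer"])
    if subject == issuer:
        # Name equality is the usual heuristic; a full check verifies the signature with the cert's own key.
        findings.append("self-signed")
    elif issuer.get("commonName") not in trusted_issuers:
        findings.append("untrusted issuer: %s" % issuer.get("commonName"))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if not hostname_matches(cert, hostname):
        findings.append("hostname mismatch")
    if cert.get("serialNumber") in revoked_serials:  # stand-in for the OCSP/CRL answer
        findings.append("revoked")
    return Verdict(not findings, findings)


# Constructed sample data (not real certificates).
TRUSTED_ISSUERS = {"Example Root CA"}
REVOKED_SERIALS = {"0BAD"}
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2025 GMT")

GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "serialNumber": "1001",
}
ROGUE_CERT = {  # self-signed, long expired, wrong name and on the revoked list
    "subject": ((("commonName", "login.example.org"),),),
    "issuer": ((("commonName", "login.example.org"),),),
    "notBefore": "Jan 01 00:00:00 2011 GMT",
    "notAfter": "Jul 01 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "login.example.org"),),
    "serialNumber": "0BAD",
}

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("rogue", ROGUE_CERT)):
        print(name, validate_server_cert(cert, "www.example.com", TRUSTED_ISSUERS, REVOKED_SERIALS, NOW))
```

The validator reports every failing check rather than stopping at the first, which is what you want when the result feeds a policy decision or a log line. The wildcard rules matter in practice: a matcher that accepts `*.com` or lets `*` span several labels turns a cheap certificate into one valid for far more names than the CA intended.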

Slide 8: SSL Cipher Controls

Slide 9: Why should you care?
- Compliance reasons (PCI, etc.): there are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI DSS. (Since PCI DSS 3.1 the deprecation also covers SSL 3.0 and TLS 1.0.)
- Deny weak cipher suites by policy
- Deny older SSL protocol versions by policy
- Can be controlled for:
  - the connection between client and proxy
  - the connection between proxy and server

Slide 10: How to control cipher strength (VPM example)
[VPM screenshot; not in the transcript]
Access log excerpts (timestamps truncated in the transcript):
    :17: Michael […] medium "Search Engines/Portals" […]
    :14: Michael - policy_denied DENIED […] […] www.google.com
One line shows the request categorized as "Search Engines/Portals" and allowed; the other shows the request to www.google.com denied by the cipher policy (policy_denied / DENIED).
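The handshake refresh on slide 2 and the cipher controls on slides 9 and 10 both come down to what the proxy can read in the client's first message. The added example below (Python, not Blue Coat code) parses a TLS ClientHello record as it appears on the wire, pulls out the offered version, cipher suites and SNI, and applies a deny-weak-suites / minimum-version policy of the kind slide 9 describes. `build_client_hello()` only constructs sample input; the cipher-suite name table, the weak-token list and the policy thresholds are this example's assumptions.

```python
# Added example (not Blue Coat code): what a proxy can decide from the client's first TLS
# message without terminating the session. build_client_hello() only constructs sample input;
# the cipher-suite table and the policy thresholds are this example's assumptions.
import struct

CIPHER_NAMES = {  # IANA cipher-suite code points
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
WEAK_TOKENS = ("NULL", "EXPORT", "anon", "RC4", "DES", "MD5")  # "DES" also catches 3DES on purpose


def build_client_hello(version, cipher_suites, sni):
    """Assemble a minimal ClientHello record (record header, handshake header, body, SNI extension)."""
    name = sni.encode()
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # ServerNameList
    extensions = struct.pack("!HH", 0, len(sni_data)) + sni_data          # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + b"\x00" * 32                    # client_version, random (zeros: sample)
            + b"\x00"                                                      # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Pull client_version, offered cipher suites and SNI out of a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + 32     # skip random
    pos += 1 + body[pos]                                                   # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                                   # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0 and data[2] == 0:                                # name_type 0 = host_name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
    return {"version": version, "cipher_suites": suites, "sni": sni}


def acceptable(code):
    """Allow-list policy: a suite must be known and contain none of the weak tokens."""
    name = CIPHER_NAMES.get(code)
    return name is not None and not any(tok in name for tok in WEAK_TOKENS)


def evaluate(record, min_version=0x0303):
    """Proxy decision for one ClientHello: deny when the client's best version is below
    min_version or it offers no acceptable suite; always report the weak suites seen."""
    hello = parse_client_hello(record)
    weak = [CIPHER_NAMES.get(c, "0x%04X" % c) for c in hello["cipher_suites"] if not acceptable(c)]
    deny = hello["version"] < min_version or len(weak) == len(hello["cipher_suites"])
    return {
        "sni": hello["sni"],
        "version": VERSION_NAMES.get(hello["version"], "0x%04X" % hello["version"]),
        "weak_suites": weak,
        "verdict": "DENIED" if deny else "ALLOWED",
    }


# Constructed samples: a legacy client and a modern one.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F], "www.google.com")
MODERN_HELLO = build_client_hello(0x0303, [0xC030, 0xC02F, 0x0035], "www.example.com")

if __name__ == "__main__":
    print(evaluate(LEGACY_HELLO))
    print(evaluate(LEGACY_HELLO, min_version=0x0301))
    print(evaluate(MODERN_HELLO))
```

Two caveats a practitioner should keep in mind. The client-to-proxy check above only sees what is offered; the suite actually negotiated on the proxy-to-server leg is in the ServerHello, which a policy for that leg must read instead. And a TLS 1.3 client still puts 0x0303 in the legacy version field and advertises 1.3 in the supported_versions extension, which this parser does not read, so a minimum-version rule written against the legacy field alone will misjudge such clients.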

Slide 11: Client Certificate Authentication

Slide 12: Client certificate authentication use cases
Diagram: departments / customers A, B and C sit behind an SWG forward proxy that performs SSL interception; the OCS (origin content server) requires a client certificate for authentication. Each department has its own X.509 certificate and public/private key pair (certificate fields shown on the slide: name, address, country, city, server URL, key usage, etc.).
Policy:
- Src=A, Dst=OCS: use client cert A
- Src=B, Dst=OCS: use client cert B
- Src=C, Dst=OCS: use client cert C

Slide 13: Use Cases
- This feature enables HTTPS interception for an OCS that requires client certificate based authentication.
- This feature enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy. It allows:
  - selection of certificates based on user and/or group
  - selection of certificates based on destination URL
  - selection of certificates based on all available policy conditions, such as server IP or client IP / subnet
- This feature enables administrators to load a large number of client certificates and their corresponding private keys from a file.

Slide 14: Why is this needed?
- Content inspection
- Certificate validation
- Logging
- Centralized client certificate management
- Etc.
Note that once the proxy holds the client private keys, the OCS authenticates the proxy's chosen certificate rather than the end user directly, so the proxy's own authentication and logging are what tie each request back to a user.

Slide 15: Web Application Controls

Slide 16: Why Web Application Controls?
- 240%: growth of malicious sites (period not legible in the transcript)
- 40%: users infected by malware from social networking sites
- 1 in 14: downloads containing malware
- 700B: minutes users worldwide spend on Facebook per month
- 41%: companies that have had data loss due to social networking

Slide 17: Granular Web Application Controls
- Multimedia: publishing, sharing
- Social networks: regulate operations, restrict abuse, prevent data loss
- Webmail: send, download attachment, upload attachment
- Safe search: major search engines, media search engines, keyword searches

Slide 18: Web Application Control Example: different policies for Facebook throughout an organization
- Read Only Policy (global policy, everyone): no comments, posting, upload/download, games, chat, etc.
- Limited Use Policy (group policy, Marketing): can comment, post, upload and chat; no games, no downloads, etc.
- Expanded Use Policy (group policy, HR/Recruiting): can comment, post, upload, download and chat, but no games, etc.
- Full Use Policy (individual policy, CEO, CIO): no restrictions

Slide 19: Web and Mobile Application Controls
- Over 200 apps/operations supported
- Safe search: major engines supported, media search engines as well, keyword searches
- Social networks: regulate operations, restrict abuse
- Multimedia: publishing, sharing
- Webmail, and more
- Example operations: upload video, upload photo, post message, send, download attachment, upload attachment

Slide 20: Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls! Without terminating the session the proxy sees only the server name (from the certificate or SNI) and encrypted payload, so it can tell facebook.com from google.com but not a "read" from a "post message" or an attachment upload: the URL path, HTTP method and request body that identify the operation are all inside the encrypted channel.

Slide 21: How to enable app controls (VPM example)
[VPM screenshot; not in the transcript]

Slide 22: How to enable app controls (VPM example)
Access log entry for the denied operation (timestamp truncated in the transcript):
    :00: Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/ Firefox/10.0" none - none high "Social Networking" "Facebook" "Post Messages"
Readable fields: user Michael, result policy_denied / DENIED, category "Social Networking", HTTP status 403, action TCP_DENIED, method POST over https to port 443, path /ajax/updatestatus.php, the browser user agent, and the application and operation the policy matched: "Facebook" / "Post Messages". The path and method are exactly the fields that are only visible because the session was terminated.

Slide 23: Content Inspection: Anti-Malware, DLP, etc.

Slide 24: Evolving Threat Landscape
Figures on the slide:
- 76% of businesses have BYOD initiatives
- 72 minutes browsing the mobile web
- 240% increase in malicious sites
- 2/3 of all attacks in 2012 will be launched via malnets
- 1 in 16 malicious attacks (figure incomplete in the transcript)
- "Internet within an Internet"
- 15% of enterprise apps by 2015
- Web applications attacked every two minutes
Themes: malnets, mobile devices, SaaS & cloud-based applications, social networking.

Slide 25: Inline Threat Detection
- Protection layer over desktops: second AV engine, faster update cycles, deep inspection (99 layers of compression, files up to 2 GB), users cannot tamper with or disable it
- Latest AV technology: checksum database for known threats, behavioral analysis of commands/content, emulation of scripts and active content
- Detect and block tunneled applications
- No longer optional, a required defense layer: all web traffic including SSL/TLS

Slide 26: Malware Scanning / DLP: Co-Processor Architecture
- Improved utilization with an M:N ratio of proxies to scanning appliances
- Higher throughput per gateway, resulting in less hardware
- Optimized design
Diagram: enterprise network, ProxySG, ProxyAV and DLP appliances, Internet. The ProxySG hands objects to ProxyAV / DLP over ICAP, ICAP+ or S-ICAP; a dual cache design (clean object cache and fingerprint cache) avoids rescanning known objects; the user-experience options while an object is being scanned are patience page, trickle first, trickle last and defer scan (media).
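The proxy-to-scanner hand-off on slide 26 is an ICAP exchange (RFC 3507). The added example below (Python, not Blue Coat or ProxyAV code) builds the RESPMOD request a proxy sends when it wants a downloaded object scanned, with the Encapsulated offsets computed rather than typed in, and maps the scanner's reply (204 clean, 200 replaced, anything else an error) to the proxy's action. The ICAP service URI, the sample HTTP messages and the `X-Virus-ID` header are this example's assumptions; `X-Virus-ID` is a common scanner convention, not part of the RFC.

```python
# Added example (not Blue Coat code): the ICAP RESPMOD exchange a proxy uses to hand a downloaded
# object to a scanner, and how the scanner's reply maps to an allow/block decision. The ICAP
# service URI, the sample HTTP messages and the X-Virus-ID header are this example's assumptions
# (X-Virus-ID is a widely used scanner convention, not part of RFC 3507).
from urllib.parse import urlsplit


def _chunked(body):
    """ICAP encapsulated bodies are always chunked (RFC 3507 section 4.5)."""
    return (b"%x\r\n%s\r\n" % (len(body), body) if body else b"") + b"0\r\n\r\n"


def build_respmod(icap_uri, req_hdr, res_hdr, res_body):
    """Build a RESPMOD request. req_hdr/res_hdr are the original HTTP request and response
    headers as bytes, each terminated by an empty line; the offsets in Encapsulated are byte
    positions relative to the start of the encapsulated section."""
    res_off = len(req_hdr)
    body_off = res_off + len(res_hdr)
    head = (
        "RESPMOD %s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Allow: 204\r\n"  # let the scanner answer 204 (clean, nothing to change) without a body
        "Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
    ) % (icap_uri, urlsplit(icap_uri).hostname, res_off, body_off)
    return head.encode() + req_hdr + res_hdr + _chunked(res_body)


def parse_encapsulated(value):
    """'res-hdr=0, res-body=70' -> {'res-hdr': 0, 'res-body': 70}"""
    return {k.strip(): int(v) for k, v in (part.split("=") for part in value.split(","))}


def parse_icap_response(raw):
    """Split a scanner reply into status code, headers and the encapsulated section."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return {"status": status, "headers": headers, "encapsulated": encapsulated}


def decide(resp, fail_open=False):
    """Map the scanner reply to the proxy's action: 204 = deliver the original object;
    200 = the scanner replaced the response (block page or cleaned object); anything else is
    an error, where failing closed is the safe default for a malware layer."""
    if resp["status"] == 204:
        return {"action": "deliver", "threat": None}
    if resp["status"] == 200:
        return {"action": "replace", "threat": resp["headers"].get("x-virus-id")}
    return {"action": "deliver" if fail_open else "block", "threat": None}


# Constructed sample messages (not captured traffic).
REQ_HDR = b"GET /update.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 8\r\n\r\n"
RES_BODY = b"MZ\x90\x00PAYL"
CLEAN_REPLY = b"ICAP/1.0 204 No Content\r\nISTag: \"av-sig-1\"\r\n\r\n"
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 7\r\n\r\n"
INFECTED_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"av-sig-1\"\r\nX-Virus-ID: EICAR-Test-File\r\n"
                  + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_PAGE)
                  + BLOCK_PAGE + _chunked(b"Blocked"))

if __name__ == "__main__":
    print(build_respmod("icap://av.example.local:1344/avscan", REQ_HDR, RES_HDR, RES_BODY).decode())
    print(decide(parse_icap_response(CLEAN_REPLY)))
    print(decide(parse_icap_response(INFECTED_REPLY)))
```

The fail-closed default in `decide()` is the part worth arguing about in a real deployment: the patience page and trickle options on the slide exist precisely because holding an object until the scanner answers costs user experience, and a scanner outage turns that cost into an outage of its own unless the policy says what to do when no verdict arrives.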

Slide 27: Web Application Performance

Slide 28: Dominant Trends in Apps & Networks
- Cloud-delivered applications
- Next-generation networks
- Virtualization & IT consolidation
- Streaming video

Slide 29: Use case example: Cloud SaaS & IaaS and internal HTTPS optimization
Requirements:
- Asymmetric cloud caching
- Symmetric cloud or DC (virtual) appliance
- Internal & external SSL decryption
Diagram (branch office to cloud): a Cloud Caching Engine in the branch office caches SSL files and objects, HTTP files and objects, HTML5, Silverlight, Flash/RTMP, RTSP and Apple images (a 6 MB object is shown), either asymmetrically (branch side only) or symmetrically with a Cloud M5 VA on the far side.
Blue Coat branch-to-cloud and internal HTTPS optimization:
- Speed cloud-delivered apps 5-93x
- Low TCO with a single-box solution
- Accelerate Internet & web applications

Slide 30: Cloud-Delivered Microsoft SharePoint
One-armed "Cloud Caching" with Blue Coat: 22x faster (per-operation figures on the slide: 93x, 17x, 13x, 47x).

Slide 31: Summary and Q&A

Slide 32: SSL Option 1: Passthrough
- Applications passed through
- No cache
- Visibility and context of: network-level information, user/group, applications (very limited)
Diagram: TCP control only; the SSL session runs untouched between the user and the Internet apps.

Slide 33: SSL Option 2: Check, then Pass
- Certificate validation
- No cache
- Visibility and context of: network-level information, certificates & certificate categories, user/group, applications (very limited)
- Can warn the user and remind them of the AUP
Diagram: TCP control; the SSL session is passed through once the server certificate has been checked.

Slide 34: SSL Option 3: Full SSL Proxy
- Intercept SSL based on: user/group, server certificate category, request URL category, request URL, source & destination IP, client hostname, etc.
- Full caching and logging options
- Visibility and context of: network-level information, certificates & certificate categories, user/group, applications & operations, content, etc.
- Preserve untrusted issuer: when the origin server's certificate fails validation, the emulated certificate handed to the client is issued by an untrusted issuer as well, so the user still gets the browser warning instead of the proxy silently making a bad certificate look good
Diagram: the proxy terminates the user's SSL session and opens its own SSL session to the Internet apps; TCP and SSL control.

Slide 35: SSL Proxy requirements
- SSL license
- Trust between client and ProxySG, established in one of two ways:
  1. roll out the SG's self-signed certificate to all clients, or
  2. integrate the ProxySG into an internal CA, so that the SG's signing certificate is issued by a CA the clients already trust
  Either way the signing key on the proxy can issue a certificate for any name the clients trust it for, so it has to be protected like a CA key.
- Legal requirements: this has to be verified on a per-country basis. Examples:
  - Germany: SSL interception has to conform with data protection law (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer wants to prevent possible damage by Internet threats, and there must be a concrete risk potential (which is of course the case here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
  - Sweden: there are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.

Slide 36: Questions?

Slide 37: Blue Coat Confidential – Internal Use Only
Please provide feedback on this webcast to: [address not in the transcript]
Webcast replay and slide deck: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
