Slide 1: Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch, Worldwide Solution Architect - Security

It is a little bit like in the Matrix movie, red pill or blue pill: you have to choose. You could either ignore the SSL issues (allow all or deny all) or you could start looking into the details, and that is what we are going to do today.
Slide 2: SSL – a refresh
Three functions of SSL for HTTPS:
- Authenticate the end points (usually just the server)
- Hide the data during transmission
- Validate that the data arrived unchanged
Steps to an SSL connection setup:
- Hello messages (version, cipher negotiation)
- Certificate exchange (usually server only)
- Master secret exchange (from which a session key is calculated)
- Bulk data transmission (uses the session key for encryption)
What IT needs is full SSL visibility and control.
Slide 3: SSL Handshake and Agenda
- Server Cert Validation
- Client Cert Authentication
- Control Ciphers
- Web App Controls
- Content Inspection (Malware/DLP)
- Application Performance
Slide 5: Why is it important?
- In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA
- The attacker was able to issue fraudulent server certificates
- This basically breaks the PKI trust model: users do not get any certificate warning …
Requirements:
- Detect revoked certificates
- Detect self-signed certificates
- Detect expired certificates
- Detect untrusted issuer
- Detect hostname mismatch
Slide 6: Blue Coat Solution
Revocation checking:
- Online Certificate Status Protocol (OCSP) – this is real-time!
- Certificate Revocation List (CRL)
Validate:
- CA / issuer signature
- Expiry date
- Hostname
SSL termination is not required for certificate validation: the server's certificate is sent in the clear during the handshake, so the proxy can validate it without decrypting the session.
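As an added illustration (example code, not Blue Coat's), here are the five checks listed on slides 5 and 6 applied to the fields a proxy reads from the server's Certificate handshake message. The certificate dicts, the trust store and the revocation data are constructed sample values, and the certificate is assumed to have been parsed already.

```python
from datetime import datetime, timezone

# Constructed trust store and revocation data (stand-ins for the proxy's CA
# list and for what a CRL download or an OCSP response would report).
TRUSTED_ISSUERS = {"CN=Example Root CA,O=Example Corp"}
REVOKED_SERIALS = {"1A2B3C"}
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)


def hostname_matches(name, host):
    """Match one certificate name against the requested host.

    A wildcard is honoured only as the whole leftmost label, so
    '*.example.com' matches 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'.
    """
    name, host = name.lower(), host.lower()
    if name == host:
        return True
    if not name.startswith("*."):
        return False
    n_labels, h_labels = name.split("."), host.split(".")
    return len(n_labels) == len(h_labels) >= 3 and n_labels[1:] == h_labels[1:]


def validate_server_cert(cert, host, now=NOW,
                         trusted_issuers=TRUSTED_ISSUERS, revoked=REVOKED_SERIALS):
    """Return the list of failed checks; an empty list means the certificate passes.

    `cert` is a pre-parsed dict with subject, issuer, serial, not_before,
    not_after, cn and san (a list of DNS names).
    """
    failures = []
    if cert["serial"] in revoked:                 # CRL / OCSP reports it revoked
        failures.append("revoked")
    if cert["issuer"] == cert["subject"]:         # issued to itself
        failures.append("self_signed")
    elif cert["issuer"] not in trusted_issuers:   # signed by a CA we do not trust
        failures.append("untrusted_issuer")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        failures.append("expired")
    names = cert["san"] or [cert["cn"]]           # CN is only used when no SAN exists
    if not any(hostname_matches(n, host) for n in names):
        failures.append("hostname_mismatch")
    return failures


# Constructed sample certificates.
GOOD_CERT = {
    "subject": "CN=www.example.com,O=Example Corp",
    "issuer": "CN=Example Root CA,O=Example Corp",
    "serial": "000001", "cn": "www.example.com",
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc),
    "san": ["www.example.com", "example.com"],
}
# Issued by a trusted CA and later revoked (the DigiNotar situation): only
# revocation checking catches it, signature and dates look fine.
REVOKED_CERT = dict(GOOD_CERT, subject="CN=login.example.net,O=Example Corp",
                    serial="1A2B3C", cn="login.example.net", san=["*.example.net"])
SELF_SIGNED_CERT = {
    "subject": "CN=intranet.example.org", "issuer": "CN=intranet.example.org",
    "serial": "000042", "cn": "intranet.example.org",
    "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc),
    "san": [],
}
```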
Slide 7: How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy:

    <ssl>
        client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
Slide 9: Why should you care?
- Compliance reasons (PCI, etc.): there are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI
- Deny weak cipher suites by policy
- Deny older SSL protocol versions by policy
- Can be controlled for:
  - Connection between client and proxy
  - Connection between proxy and server
Slide 10: How to control cipher strength (VPM example)
[VPM screenshot and access log excerpt, truncated in the source:]
:17: Michael […] medium "Search Engines/Portals" […]
:14: Michael - policy_denied DENIED […] […]
Slide 12: Client certificate authentication use cases
[Diagram: three departments / customers (A, B, C), each with its own X.509 client certificate (public / private key pair with fields such as name, address, city, country, server URL and key usage), connect over SSL to a SWG forward proxy using SSL interception; the proxy connects over SSL to an OCS that requires a client certificate for authentication.]
Policy:
- Src=A Dst=OCS: use client cert A
- Src=B Dst=OCS: use client cert B
- Src=C Dst=OCS: use client cert C
Slide 13: Use Cases
- This feature enables HTTPS interception for an OCS that requires client certificate based authentication.
- This feature enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy. This feature allows:
  - Selection of certificates based on user and/or group
  - Selection of certificates based on destination URL
  - Selection of certificates based on all available policy conditions like server IP, client IP / subnet, etc.
- This feature enables administrators to load a large number of client certificates and their corresponding private keys from a file.
Slide 14: Why is this needed?
- Content inspection
- Certificate validation
- Logging
- Centralized client certificate management
- Etc.
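An added illustration of the policy on slides 12 and 13 (example code, not ProxySG policy or CPL): a first-match rule list that selects which client certificate keyring the proxy presents to the OCS, using client subnet, group membership, destination domain and server IP as conditions. The subnets, group names, OCS hostname, server IPs and keyring names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Transaction:
    """The policy conditions available for one intercepted HTTPS request."""
    client_ip: str
    user: str
    groups: FrozenSet[str]
    url_host: str
    server_ip: str


@dataclass(frozen=True)
class CertRule:
    """One rule: every condition that is set must match; unset ones are ignored."""
    keyring: str                          # client certificate + private key to present
    client_subnet: Optional[str] = None   # e.g. "10.1.0.0/16"
    group: Optional[str] = None           # user must be a member of this group
    url_domain: Optional[str] = None      # host equals, or is a subdomain of, this
    server_ip: Optional[str] = None

    def matches(self, t: Transaction) -> bool:
        if self.client_subnet and (ipaddress.ip_address(t.client_ip)
                                   not in ipaddress.ip_network(self.client_subnet)):
            return False
        if self.group and self.group not in t.groups:
            return False
        if self.url_domain and not (t.url_host == self.url_domain
                                    or t.url_host.endswith("." + self.url_domain)):
            return False
        if self.server_ip and t.server_ip != self.server_ip:
            return False
        return True


OCS = "portal.ocs.example"   # constructed origin content server that demands a client cert

# Constructed policy: most specific rule first, evaluated top to bottom.
POLICY = [
    CertRule("cert_hr", group="HR", url_domain=OCS),            # HR users, any subnet
    CertRule("cert_dept_a", client_subnet="10.1.0.0/16", url_domain=OCS),
    CertRule("cert_dept_b", client_subnet="10.2.0.0/16", url_domain=OCS),
    CertRule("cert_dept_c", client_subnet="10.3.0.0/16", url_domain=OCS),
    CertRule("cert_legacy", server_ip="198.51.100.20"),         # legacy OCS by address
]


def select_client_cert(t: Transaction, policy=POLICY) -> Optional[str]:
    """Return the keyring to present, or None: no certificate, the OCS will reject."""
    for rule in policy:
        if rule.matches(t):
            return rule.keyring
    return None
```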
Slide 16: Why Web Application Controls?
- 240%: growth of malicious sites in 2011
- 40%: users infected by malware from social networking sites
- 1 in 14: downloads containing malware
- 700B: minutes users worldwide spend on Facebook per month
- 41%: companies have had data loss due to social networking

Today we're talking about our new Web Application Policy Engine, a part of our overall Security story. Blue Coat introduced Web Application Controls as part of our SGOS 6.2 release in 2011 and our Cloud Security offering. As a review, or if you missed our original announcement, I'll cover what web application controls are.
But first let's look at what's driving the need to control web applications. Part of it is the increase in malware coming over web applications. There was a 240% growth in malicious web sites in 2011 (Blue Coat 2012 Web Security Report).
As to where users are getting infected, 40% are getting infected from social networking sites and applications, with 1 in 14 downloads from the internet hosting some form of malware.
If you look at Facebook alone, over 700 billion minutes were spent on Facebook by users in one month. And it's not just productivity loss: 41% of companies indicated that they have had some sort of data loss due to social networking.
These statistics point to a growing need for controls over web apps, including social networking. If you think you can just block social networking, think again.
Using that Facebook example, and one of the best known companies in the world, Coca-Cola, it may surprise you to learn that Coca-Cola receives about 187,000 hits a month on its website, but has over 42 million likes on its Facebook page. When they want to do a marketing campaign, the reach of their Facebook page far outstrips the reach of their website. There's a corporate imperative to let their marketing organization access Facebook.
And Marketing isn't the only group; there's also HR, which wants to recruit new employees, and one perk they can offer new employees is the ability to use Facebook at work.
Slide 17: Granular Web Application Controls
- Social Networks: regulate operations, restrict abuse, prevent data loss
- Webmail: send, download attachment, upload attachment
- Safe Search: major search engines, media search engines, keyword searches
- Multimedia: publishing, sharing

So let's look at an overview of some of the abilities that web app control offers you today. There are safe search capabilities, and the ability to enforce safe search on major search engines. And as we've discussed, you've got controls over social networking and webmail. In addition you also have controls over multimedia sites, ones that allow sharing of files, pictures and videos, and publishing sites, including blogging sites like Blogger and Wordpress.
Slide 18: Web Application Control Example: Different Policies for Facebook throughout an Organization
- Global Policy (Everyone): Read Only Policy. No comments, posting, upload/download, games, chat, etc.
- Group Policy (Marketing): Limited Use Policy. Can comment, post, upload, and chat; no games, no downloads, etc.
- Group Policy (HR/Recruiting): Expanded Use Policy. Can comment, post, upload, download, chat, but no games, etc.
- Individual Policy (CEO, CIO): Full Use Policy. No restrictions.

To help clarify what we can do with web app controls, let's look at a specific Facebook example for an enterprise. Most organizations will likely want to have different policies for different users within the organization, and this example shows you some different policies a typical organization may want to implement around Facebook usage.
Let's say this organization has a corporate-wide initiative to allow Facebook for everyone. We can start with a global policy that allows essentially read-only Facebook access. Users can log in and check their feeds, but they can't comment, post, upload/download, play games, or chat.
But as we mentioned earlier, it's likely the marketing organization has a mandate to use Facebook to promote the company's activities. So the marketing group could get a specific group policy that gives them some additional limited use: say the ability to comment, post, upload, and chat, but no games or downloads.
The HR group may also want to do some recruiting on Facebook and may need slightly expanded capability over the marketing group; for example, they may also get the ability to download, for resumes they may receive over Facebook.
And then there may be some individual policy exceptions, say for the CEO or CIO, where they have no restrictions over what they can do in Facebook.
As you can see, you can set different policies for different members of the organization, giving you flexible and granular control over your web applications.
Slide 19: Web and Mobile Application Controls
Over 200 apps/operations supported:
- Safe Search: major engines supported, media search engines as well, keyword searches
- Social Networks: regulate operations, restrict abuse (upload video, upload photo, post message)
- Multi-media: publishing, sharing
- Web Mail: send, download attachment, upload attachment
- And more!

In this slide we show you some of the commonly used apps and controls we have implemented. The current list is of course much larger, spanning over 200 apps and operations supported today.
I also want to take a moment to mention our latest version of Reporter, 9.3, which now has support for web and mobile app reporting in addition to multimedia reporting.
For those that aren't quite ready to implement web and mobile app control, I highly recommend that you run a version of SGOS that has web and mobile app controls (SGOS and higher) without implementing controls, and send your log data to the new Reporter. It will consolidate and produce reports on what web apps are being used and what operations are most commonly being used in those apps, along with who is using them. Once you get that data, you can decide what types of policies for web apps are appropriate for your organization.
Slide 20: Issue: Web applications are using HTTPS
SSL termination is required for granular web app controls!
Slide 25: Inline Threat Detection
Protection layer over desktops:
- Second AV engine
- Faster update cycles
- Deep inspection: 99 layers of compression, up to 2GB files
- Users cannot tamper or disable
Latest AV technology:
- Checksum database for known threats
- Behavioral analysis on commands/content
- Emulation of scripts and active content
- Detect and block tunneled applications
No longer optional, a required defense layer: all web traffic including SSL/TLS

ProxyAV provides a reliable second layer of AV protection over desktops for a minimal expense. A second AV engine, different from the desktop AV engine, can be deployed, providing increased coverage by having two known brands and labs providing protection. ProxyAV can be set to check for updates every 5 minutes, whereas desktops are often updated daily or less frequently, thus providing the most up-to-date protection at the web gateway. ProxyAV can be configured with more detection depth than standard desktop AV settings, plus users and malware cannot tamper with ProxyAV or disable it.
ProxyAV provides the latest advancements in AV technology, including traditional checksums/signatures for known threats, plus behavioral analysis on commands and content (similar to a DNA fingerprint for scripts and active content), plus a full emulation mode as required for scripts and active content to detect threats. Given the malware growth in 2008, when two thirds of all malware known over the past 15 years was detected, and with malware volume doubling again in 2009, not having inline threat detection is a huge risk and betting against the odds.
Prior to 2007 web malware was known, but not excessive; in the past three years it has exploded past other threats to lead the pack. All web traffic including SSL should be inspected for web threats, even more so as Google and other web mail providers are now turning on SSL by default for users.
Slide 26: Malware Scanning / DLP: Co-Processor Architecture
- Improved utilization with M:N ratio
- Higher throughput per gateway
- Results in less hardware
- Optimized design
[Diagram: Enterprise Network and Internet connected through a ProxySG with a Dual Cache Design (Clean Object Cache, Finger Print Cache), talking ICAP, ICAP+ and S-ICAP to two ProxyAV appliances and a DLP appliance; user-experience features shown: Patience Page, Trickle First, Trickle Last, Defer Scan (media).]

ProxySG supports integration with third party solutions for an extended web gateway architecture. This co-processor architecture for large enterprise web gateways results in higher performance, better utilization of each appliance, and less hardware for an optimized design.
ProxySG supports three modes of ICAP. ICAP+ was developed for ProxyAV integration, where the traditional eight handshakes of ICAP were reduced to six, plus over 17 message/response enhancements were made for tighter integration, smooth deployments and serviceability. ProxySG also keeps a dual cache intelligence to improve performance and minimize inline threat detection analysis: a clean object cache with timestamps is kept, plus a fingerprint cache of non-cacheable objects with timestamps. Thus any clean cached objects or frequently seen non-cached objects are delivered quickly to users, free of any malware. Once an update is made to the inline detection engine, the timestamps signal the ProxySG to send the object to ProxyAV for analysis. When updates are made to ProxyAV, the dual caches are not flushed, nor are the object caches of the ProxySG, thus providing seamless high throughput for frequent updates.
Standard ICAP (RFC 3507) is provided for any off-proxy integration of URL filtering or threat detection; however, it is less popular today, as on-proxy URL filtering has higher performance and more policy controls.
S-ICAP (ICAP over SSL) was recently introduced, recognizing that DLP deployments involve the separation of the client and server across a WAN for branch offices.
As an example of scalability, we had a large customer in the EDU market with a very large user base. The Blue Coat solution using the co-processor architecture required 8 ProxySGs and 20 ProxyAVs, while our top SWG competitor required 96 appliances.
As threat detection is CPU and memory intensive, it is often the lowest performing factor in a web gateway. Embedding it into one appliance makes sense for 1,000 or fewer users; however, for large enterprise web gateways that design wastes utilization within each appliance, thus requiring more rack space, more energy and more administration. By design, Blue Coat is the green solution.
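An added model of the dual cache described above (constructed example code, not ProxySG code): a clean object cache for cacheable objects plus a fingerprint cache for non-cacheable ones, both stamped with the scan time, so that an engine update causes objects to be rescanned on their next use without flushing either cache. The scanner is a constructed signature set standing in for ProxyAV, and the URLs and bodies are sample data.

```python
import hashlib


def fingerprint(body: bytes) -> str:
    """Content hash used as the key of the fingerprint cache."""
    return hashlib.sha256(body).hexdigest()


class SignatureScanner:
    """Constructed stand-in for ProxyAV: a set of known-bad content hashes."""
    def __init__(self, bad_hashes=()):
        self.bad_hashes = set(bad_hashes)

    def is_clean(self, body: bytes) -> bool:
        return fingerprint(body) not in self.bad_hashes


class DualCacheGateway:
    def __init__(self, scanner: SignatureScanner):
        self.scanner = scanner
        self.engine_updated_at = 0     # time of the last pattern update
        self.clean_objects = {}        # url -> (body, scanned_at); cacheable objects
        self.clean_fingerprints = {}   # fingerprint -> scanned_at; non-cacheable objects
        self.scans = 0                 # objects handed to the scanner

    def av_update(self, now, new_bad_hashes=()):
        """Pattern update: nothing is flushed, only the timestamp moves forward."""
        self.scanner.bad_hashes.update(new_bad_hashes)
        self.engine_updated_at = now

    def fetch(self, url, cacheable, origin, now):
        """Serve `url`; `origin()` is called only when the object is not cached.

        Returns (body, source) with source in {"cache", "fingerprint", "scanned"},
        or (None, "blocked") when the scanner rejects the object.
        """
        if url in self.clean_objects:
            body, scanned_at = self.clean_objects[url]
            if scanned_at >= self.engine_updated_at:   # scanned with the current engine
                return body, "cache"
            # Scanned before the last update: rescan the cached copy, no refetch.
        else:
            body = origin()
        fp = fingerprint(body)
        scanned_at = self.clean_fingerprints.get(fp)
        if scanned_at is not None and scanned_at >= self.engine_updated_at:
            return body, "fingerprint"              # seen clean since the last update
        self.scans += 1
        if not self.scanner.is_clean(body):
            self.clean_objects.pop(url, None)       # drop any stale clean verdict
            self.clean_fingerprints.pop(fp, None)
            return None, "blocked"
        if cacheable:
            self.clean_objects[url] = (body, now)
        else:
            self.clean_fingerprints[fp] = now
        return body, "scanned"
```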
Slide 28: Dominant Trends in Apps & Networks
- Virtualization & IT Consolidation
- Streaming Video
- HTML5
- Cloud-Delivered Applications
- Next-generation Networks
- IPv6
- Internet

There are a number of shifts in the landscape of users and how businesses use applications that are really driving some new requirements in this space, which originally served the application performance problems created by data center centralization. First, an explosion in mobile devices. Who here doesn't have a smartphone or an iPad? Or really both? Mobile devices are exploding in their use both in the workplace and at home. In fact, by 2014, more users are expected to access the Internet via mobile devices than computers. Workers too are becoming more mobile: this year alone an estimated 75% of the workforce in the U.S. will be mobile.
Cloud-delivered applications are fundamentally changing the way enterprises deploy applications and deliver them to their user base. There's a lot of flexibility in cloud applications. There are a lot of operational efficiencies and it's definitely a growth area for customers that we serve. By 2014, analysts are projecting that this market will reach $16.5 billion.
And then finally, video. Video has dominated recreational use; in fact 52% of all traffic on the Internet is video, and that is projected to rise to 91% (the target year is missing from the source). Now, though, it's increasingly being harnessed by the enterprise for training and communications.
Those three areas, mobile, cloud-delivered applications and streaming video, are undergoing tremendous shifts that are really impacting the evolution of WAN optimization.
Slide 29: Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
[Diagram: a 6MB object requested from a Branch Office over the WAN, with three paths: to the Internet / public cloud SaaS, accelerated asymmetrically by the Cloud Caching Engine (HTTP files & objects, SSL files & objects, HTML5, Silverlight, Flash RTMP, Apple images, RTSP); to a Cloud Infrastructure-as-a-Service (IaaS) environment running an M5 VA, symmetric; and to the Data Center, symmetric.]
Blue Coat Branch to Cloud and internal HTTPS Optimization
Requirements:
- Speed Cloud-delivered Apps 5-93X
- Low TCO with Single Box Solution
- Accelerate Internet & Web Applications
- Asymmetric Cloud Caching
- Symmetric Cloud or DC (Virtual) Appliance
- Internal & External SSL Decryption

Now, let's turn our attention to a different, more difficult use case: cloud-based application delivery. Because when it comes to the cloud, realize that these are applications that don't sit in your internal data center. You don't control the infrastructure in most cases. Where you do control the infrastructure, for example in a private cloud or an Infrastructure as a Service environment such as Amazon's EC2 cloud, you can deploy a virtual appliance so you can maintain the same symmetric WAN optimization approach used in traditional WAN optimization. But in the case of a public cloud SaaS offering, where you can't control the infrastructure, that's where you need an asymmetric cloud caching capability in addition to the ability to decrypt external SSL.
So this is where Blue Coat comes in. We not only have a virtual appliance that you can put in the private cloud infrastructure, we also have cloud caching that's able to optimize directly from the branch office to the public cloud SaaS without having anything in the public cloud infrastructure. So, with that type of solution, we can speed cloud-delivered apps by up to 93 times. We lower the actual total cost of ownership because you don't need something deployed in the public cloud, and you don't need something deployed at the data center. So with a single box, you actually optimize those cloud-based applications that are delivered to your employees in the branch office. They are cached in the Blue Coat Cloud Caching Engine on the first request, and subsequent requests for the same file are served directly from the Cloud Caching Engine.
Slide 30: Cloud-Delivered Microsoft SharePoint: One-Armed "Cloud Caching"
[Chart: Blue Coat 22x faster; other bars labelled 93x, 17x, 13x and 47x; the operations being compared are not recoverable from the source.]
Slide 32: SSL Option 1: Passthrough
- Applications passed through
- No cache
- Visibility and context of:
  - Network-level information
  - User/group
  - Applications (very limited)
[Diagram: User to Internet through the proxy; TCP is visible to the proxy on both hops, the SSL session passes through end to end.]

The same speaker notes accompany slides 32, 33 and 34:
Can granularly proxy or tunnel, or partially proxy (i.e., check to ensure valid app, user, and cert., then passthrough/tunnel). Warn user with splash screen: remind user of policy and offer a chance to "opt out" of the transaction. Caching granularity: can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs). Administrative granularity: can log all, none, or certain elements; can log off-box, securely. Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains, Rogue Categories, Active Content Categories, Drive-by Installers (.CAB, .OCX, .MSI), Executable file types & executable MIMEs, Active Content & MIME Types, User Agents. Speeds up business processes. High-performance: over 400Mbps. Low-latency: 3-4 msec.
Slide 33: SSL Option 2: Check, then Pass
- Certificate validation
- No cache
- Visibility and context of:
  - Network-level information
  - Certificates & certificate categories
  - User/group
  - Applications (very limited)
- Can warn user and remind of AUP
[Diagram: User to Internet through the proxy; the proxy validates the server certificate from the handshake and then passes the SSL session through.]
Slide 34: SSL Option 3: Full SSL Proxy
- Full caching and logging options
- Visibility and context of:
  - Network-level information
  - Certificates & certificate categories
  - User/group
  - Applications & Operations
  - Content
  - Etc.
- Preserve untrusted issuer
- Intercept SSL based on:
  - User/group
  - Server certificate category
  - Request URL Category
  - Request URL
  - Src. & dest. IP
  - Client hostname
  - Etc.
[Diagram: User to Internet through the proxy; two separate SSL sessions, one between user and proxy and one between proxy and server, so the proxy sees the application traffic.]
Slide 35: SSL Proxy requirements
- SSL license
- Trust between client and ProxySG:
  - Roll out the ProxySG's self-signed certificate, or
  - Integrate ProxySG into an internal CA
- Legal requirements: this has to be verified on a per-country basis. Examples:
  - Germany: SSL interception has to conform with data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer would like to prevent possible damage by internet threats, and there must be a concrete risk potential (which is of course the case here). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
  - Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.