Michael Mauch Worldwide Solution Architect - Security

Presentation transcript:

Solving Your Encryption Dilemma with Blue Coat – SSL & Certificate Handling
Michael Mauch, Worldwide Solution Architect - Security

It is a little bit like in the Matrix movie, red pill or blue pill: you have to choose. You could either ignore the SSL issues (allow all or deny all), or you could start looking into the details. And that is what we are going to do today.

SSL – a refresh

Three functions of SSL for HTTPS:
- Authenticate the end points (usually just the server)
- Hide the data during transmission
- Validate that the data arrived unchanged

Steps to an SSL connection setup:
- Hello messages (version, cipher negotiation)
- Certificate exchange (usually server only)
- Master secret exchange (from which a session key is calculated)
- Bulk data transmission (uses the session key for encryption)

What IT needs is full SSL visibility and control.

SSL Handshake and Agenda
- Server Cert Validation
- Client Cert Authentication
- Control Ciphers
- Web App Controls
- Content Inspection (Malware/DLP)
- Application Performance

Server Certificate Validation

Why is it important?
In 2011, (at least) two Certificate Authorities were hacked: Comodo CA and DigiNotar CA. The attackers were able to issue fraudulent server certificates. This basically breaks the PKI trust model: users do not get any certificate warning.

Requirements:
- Detect revoked certificates
- Detect self-signed certificates
- Detect expired certificates
- Detect untrusted issuer
- Detect hostname mismatch

Blue Coat Solution
- Revocation checking: Online Certificate Status Protocol (OCSP) – this is real-time! – or Certificate Revocation List (CRL)
- Validate CA / issuer signature
- Expiry date
- Hostname

SSL termination is not required for certificate validation.

How to enable OCSP (CPL example)
Step 1: Add OCSP responder
Step 2: Add certificate validation policy:

    ; validate the server certificate on every HTTPS request and check its revocation status
    <ssl>
        client.protocol=https server.certificate.validate(yes) server.certificate.validate.check_revocation(auto)
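The five checks from the requirements list, implemented against an in-memory PKI as an added example (this is not Blue Coat code; the CA names, hostnames and serial numbers are constructed). It builds a trusted CA, a second CA that is not in the trust store, a CRL signed by the trusted CA, and one server certificate per case, and Validate reports which checks each certificate fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validate runs the slide's five checks on the certificate a server presented, using only the trust
// store, the issuer's CRL (nil if none was fetched) and the requested hostname; no session key needed.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, host string, now time.Time) []string {
	var out []string
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		out = append(out, "expired")
	}
	// Self-signed: issuer equals subject and the signature verifies with the cert's own key.
	if string(leaf.RawIssuer) == string(leaf.RawSubject) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		out = append(out, "self-signed")
	}
	// Untrusted issuer: no chain to a trusted root; checked at an instant inside the leaf's own validity so it stays independent of "expired".
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: leaf.NotBefore.Add(time.Second)}); err != nil {
		out = append(out, "untrusted issuer")
	}
	if leaf.VerifyHostname(host) != nil {
		out = append(out, "hostname mismatch")
	}
	if crl != nil && string(crl.RawIssuer) == string(leaf.RawIssuer) { // only this issuer's CRL counts
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				out = append(out, "revoked")
			}
		}
	}
	return out
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildScenario builds in memory a trusted CA, a fraudulent CA outside the trust store, a CRL
// signed by the trusted CA and one server certificate per case (no real PKI is involved).
func BuildScenario(now time.Time) (*x509.CertPool, *x509.RevocationList, map[string]*x509.Certificate) {
	h := time.Hour
	ca := func(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
		return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-24 * h), NotAfter: now.Add(24 * h), IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	}
	trusted, trustedKey := ca("Example Corp Root CA")
	rogue, rogueKey := ca("Fraudulent Issuer")
	leaf := func(serial int64, host string, nb, na time.Time, p *x509.Certificate, k *ecdsa.PrivateKey) *x509.Certificate {
		c, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
			DNSNames: []string{host}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}, p, k)
		return c
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-h), NextUpdate: now.Add(h), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(15), RevocationTime: now.Add(-h)}}}, trusted, trustedKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(trusted)) // never act on a CRL the issuer did not sign
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	return roots, crl, map[string]*x509.Certificate{
		"good":         leaf(10, "www.example.com", now.Add(-h), now.Add(h), trusted, trustedKey),
		"expired":      leaf(11, "www.example.com", now.Add(-3*h), now.Add(-h), trusted, trustedKey),
		"self-signed":  leaf(12, "www.example.com", now.Add(-h), now.Add(h), nil, nil),
		"rogue-issuer": leaf(13, "www.example.com", now.Add(-h), now.Add(h), rogue, rogueKey),
		"wrong-host":   leaf(14, "mail.example.com", now.Add(-h), now.Add(h), trusted, trustedKey),
		"revoked":      leaf(15, "www.example.com", now.Add(-h), now.Add(h), trusted, trustedKey),
	}
}
```

Call BuildScenario(time.Now()) and pass each certificate to Validate with "www.example.com": the good one yields no findings, the rogue-issuer one yields "untrusted issuer" (the DigiNotar case: a well-formed certificate from an issuer that is not trusted), and the self-signed one yields both "self-signed" and "untrusted issuer".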

SSL Cipher Controls

Why should you care?
Compliance reasons (PCI, etc.): there are cipher suites and SSL versions (e.g. SSL 2.0) that are not compliant with standards like PCI.
- Deny weak cipher suites by policy
- Deny older SSL protocol versions by policy
Can be controlled for:
- Connection between client and proxy
- Connection between proxy and server

How to control cipher strength (VPM example)

Access log excerpts (abridged):
2012-08-22 13:17:47 118 192.168.178.100 Michael […] medium www.google.com "Search Engines/Portals" […]
2012-08-22 13:14:35 43 192.168.178.100 Michael - policy_denied DENIED […] www.google.com […]

Client Certificate Authentication

Client certificate authentication use cases (diagram)
X.509 certificates (public / private key pairs), one per Department / Customer A, B and C, each carrying attributes such as Name, Email Address, City, Country, Address, Server URL, Key Usage, etc.
Clients in Department / Customer A, B and C connect over SSL to the SWG forward proxy, which uses SSL interception; the proxy connects over SSL to the OCS, which requires a client certificate for authentication.
Policy:
- Src=A Dst=OCS -> use client cert A
- Src=B Dst=OCS -> use client cert B
- Src=C Dst=OCS -> use client cert C

Use Cases
This feature enables HTTPS interception for an OCS that requires client certificate based authentication. It enables ProxySG to act as a proxy presenting the appropriate client certificate to the OCS based on configured policy.
It allows:
- Selection of certificates based on user and/or group
- Selection of certificates based on destination URL
- Selection of certificates based on all available policy conditions like server IP, client IP / subnet, etc.
It also enables administrators to load a large number of client certificates and their corresponding private keys from a file.

Why is this needed?
- Content inspection
- Certificate validation
- Logging
- Centralized client certificate management
- Etc.

Web Application Controls

Why Web Application Controls?
- 240%: growth of malicious sites in 2011
- 40%: users infected by malware from social networking sites
- 1 in 14: downloads containing malware
- 700B: minutes users worldwide spend on Facebook per month
- 41%: companies that have had data loss due to social networking

Today we're talking about our new Web Application Policy Engine, a part of our overall Security story. Blue Coat introduced Web Application Controls as part of our SGOS 6.2 release in 2011 and our Cloud Security offering. As a review, or if you missed our original announcement, I'll cover what web application controls are. But first let's look at what's driving the need to control web applications.

Part of it is the increase in malware coming over web applications. There was a 240% growth in malicious web sites in 2011 (Blue Coat 2012 Web Security Report). And as to where users are getting infected, 40% are getting infected from social networking sites and applications, with 1 in 14 downloads from the internet hosting some form of malware. If you look at Facebook alone, over 700 billion minutes were spent on Facebook by users in one month. And it's not just productivity loss: 41% of companies indicated that they have had some sort of data loss due to social networking. These statistics point to a growing need for controls over web apps including social networking.

If you think you can just block social networking, think again. Using that Facebook example, and one of the best known companies in the world, Coca-Cola, it may surprise you to learn that Coca-Cola receives about 187,000 hits a month on its website, but has over 42 million likes on its Facebook page. When they want to do a marketing campaign, the reach of their Facebook page far outstrips the reach of their website. There's a corporate imperative to let their marketing organization access Facebook. And Marketing isn't the only group: there's also HR, which wants to recruit new employees, and one perk they can offer new employees is the ability to use Facebook at work.

Granular Web Application Controls
- Social Networks: regulate operations, restrict abuse, prevent data loss
- Safe Search: major search engines, media search engines, keyword searches
- Webmail: send email, download attachment, upload attachment
- Multimedia: publishing, sharing

So let's look at an overview of some of the abilities that web app control offers you today. There are also safe search capabilities, and the ability to enforce safe search on major search engines. And as we've discussed, you've got controls over social networking and webmail. In addition you also have controls over multimedia sites, ones that allow sharing of files, pictures and videos, and publishing sites, including blogging sites like Blogger and WordPress.

Web Application Control Example: Different Policies for Facebook throughout an Organization
- Global Policy (Everyone): Read Only Policy – no comments, posting, upload/download, games, email, chat, etc.
- Group Policy (Marketing): Limited Use Policy – can comment, post, upload, email and chat; no games, no downloads, etc.
- Group Policy (HR/Recruiting): Expanded Use Policy – can comment, post, upload, download, email, chat, but no games, etc.
- Individual Policy (CEO, CIO): Full Use Policy – no restrictions

To help clarify what we can do with web app controls, let's look at a specific Facebook example for an enterprise. Most organizations will likely want to have different policies for different users within an organization, and this example shows you some different policies a typical organization may want to implement around Facebook usage. Let's say this organization has a corporate-wide initiative to allow Facebook to everyone. We can start with a global policy that allows essentially read-only Facebook access. Users can log in and check their feeds, but they can't comment, post, upload/download, play games, email or chat. But as we mentioned earlier, it's likely the marketing organization has a mandate to use Facebook to promote the company's activities. So the marketing group could get a specific group policy that gives them some additional limited use, say the ability to comment, post, upload, email and chat, but no games or downloads. The HR group may also want to do some recruiting on Facebook and may need some slightly expanded capability over the marketing group; for example, they may also get the ability to download, for resumes they may receive over Facebook. And then there may be some individual policy exceptions, say for the CEO or CIO, where they have no restrictions over what they can do in Facebook. As you can see, you can set different policies for different members of the organization, giving you flexible and granular control over your web applications.

Web and Mobile Application Controls
Over 200 apps/operations supported:
- Safe Search: major engines supported, media search engines as well, keyword searches
- Social Networks: regulate operations, restrict abuse
- Multimedia: publishing, sharing
- Webmail
- And more!
Example operations: upload video, upload photo, post message, send email, download attachment, upload attachment

In this slide we show you some of the commonly used apps and controls we have implemented. The current list is of course much larger, spanning over 200 apps and operations supported today. I also want to take a moment to mention our latest version of Reporter, 9.3, which now has support for web and mobile app reporting in addition to multimedia reporting. For those that aren't quite ready to implement web and mobile app control, I highly recommend that you run a version of SGOS that has web and mobile app controls (SGOS 6.2.3.1 and higher) without implementing controls and send your log data to the new Reporter. It will consolidate and produce reports on what web apps are being used and what operations are most commonly being used in those apps, along with who is using them. Once you get that data, you can decide what types of policies for web apps are appropriate for your organization.

Issue: Web applications are using HTTPS.
SSL termination is required for granular web app controls!

How to enable app controls (VPM example)

How to enable app controls (VPM example)

Resulting access log entry for a denied Facebook post:
2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST - https www.facebook.com 443 /ajax/updatestatus.php - php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" 192.168.178.223 3460 2619 - none - none high www.facebook.com "Social Networking" "Facebook" "Post Messages"
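An added example (not from the slides or from Blue Coat) that parses access-log records like the one above, letting the log's own #Fields: directive name the columns, and then summarizes which users had which application operations denied by policy; the same parser applies to the cipher-control log lines shown earlier. The sample log is constructed: its first record follows the line on the slide, while the header and the other records are invented to exercise the parser.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Record holds the access-log fields this example uses, resolved by name from the #Fields: header.
type Record struct {
	User, Exception, FilterResult, Status, Host, Path, App, Operation string
}

// splitELFF tokenizes one W3C ELFF line: space-separated fields, double-quoted when they contain spaces.
func splitELFF(line string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if cur.Len() > 0 {
				out = append(out, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// ParseAccessLog reads an ELFF log: #Fields: names the columns and every record must carry exactly that many.
func ParseAccessLog(text string) ([]Record, error) {
	var recs []Record
	col := map[string]int{}
	get := func(f []string, name string) string {
		if i, ok := col[name]; ok {
			return f[i]
		}
		return "-" // field not present in this log format
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "#Fields:"):
			col = map[string]int{}
			for i, name := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				col[name] = i
			}
		case line == "" || strings.HasPrefix(line, "#"):
			continue // #Software, #Date and similar directives carry no records
		default:
			f := splitELFF(line)
			if len(f) != len(col) {
				return nil, fmt.Errorf("line %d: %d fields, but the header declares %d", n, len(f), len(col))
			}
			recs = append(recs, Record{User: get(f, "cs-username"), Exception: get(f, "x-exception-id"),
				FilterResult: get(f, "sc-filter-result"), Status: get(f, "sc-status"), Host: get(f, "cs-host"),
				Path: get(f, "cs-uri-path"), App: get(f, "x-bluecoat-application-name"),
				Operation: get(f, "x-bluecoat-application-operation")})
		}
	}
	return recs, sc.Err()
}

// DeniedOperations counts policy denials per "user app operation": the check that a web app policy blocks what was intended.
func DeniedOperations(recs []Record) map[string]int {
	out := map[string]int{}
	for _, r := range recs {
		if r.FilterResult == "DENIED" && r.Exception == "policy_denied" {
			out[r.User+" "+r.App+" "+r.Operation]++
		}
	}
	return out
}

// SampleLog is constructed for this example; the first record follows the slide, the rest are invented.
const SampleLog = `#Software: SGOS
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs(User-Agent) x-bluecoat-application-name x-bluecoat-application-operation
2012-08-22 14:00:16 3 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST https www.facebook.com 443 /ajax/updatestatus.php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" "Facebook" "Post Messages"
2012-08-22 14:00:20 118 192.168.178.100 Michael - - OBSERVED "Social Networking" 200 TCP_NC_MISS GET https www.facebook.com 443 /home.php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" "Facebook" -
2012-08-22 14:01:02 5 192.168.178.101 Anna Marketing - OBSERVED "Social Networking" 200 TCP_NC_MISS POST https www.facebook.com 443 /ajax/updatestatus.php "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "Facebook" "Post Messages"
2012-08-22 14:02:11 2 192.168.178.100 Michael - policy_denied DENIED "Social Networking" 403 TCP_DENIED POST https upload.facebook.com 443 /photos_upload.php "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0) Gecko/20100101 Firefox/10.0" "Facebook" "Upload Photo"
`

func main() {
	recs, err := ParseAccessLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println(DeniedOperations(recs))
}
```

In the sample, Michael (global read-only policy) is denied posting and uploading a photo, while Anna in Marketing posts successfully, which is exactly the split the Facebook policy example above describes.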

Content Inspection: Anti-Malware, DLP, etc.

Evolving Threat Landscape
- Malnets: 240% increase in malicious sites; 2/3 of all attacks in 2012 will be launched via malnets
- Social Networking: 1 in 16 malicious attacks; an Internet within an Internet
- SaaS & cloud-based applications: 15% of enterprise apps by 2015; web applications attacked every two minutes
- Mobile devices: 76% of businesses have BYOD initiatives; 72 minutes browsing the mobile web

2011 was not a dull year: RSA was hacked, Symantec had source code stolen. With these reputed security firms under fire, IT leaders should be worried; no business would sign up for a program that exposes them to 500 threats per month, much less 5,000.

In 2011, the discovery of malnets, infrastructures that are embedded within the Internet for the sole purpose of funneling unsuspecting users to malware, changed the game for both how cybercriminals launch attacks as well as how we can protect against those attacks. In our 2012 Web Security report, we reported a 240% increase in malicious sites in 2011. Much of this growth was driven by malnets, of which Blue Coat Security Labs is tracking 500. This year we project that 2/3 of ALL attacks will be launched from these same infrastructures.

We also saw that social networking was one of the leading attack vectors, and in fact grew over the last six months of 2011. Today, 1 in 16 malnet attacks originates from social networking. Recently there has been a flurry of fake photo attacks through Facebook, a valuable target for cybercrime given the large numbers of users that visit daily. Given the threats posed by social networking, it is important that businesses have the tools to manage it. The challenge of managing social networking is more complicated, though, when you start to look at the content within it. In 2011, 95% of all Internet content types were represented in Social Networking. Effectively, social networks have become an Internet within the Internet, allowing users to exist within and conduct all the same activities they previously did on the web, only now within a self-contained, trusted environment. This trust base has long been exploited by cybercrime, and the wealth of content creates openings for the attack vectors we have seen on the Internet (malvertising, drive-by downloads, etc.) to now penetrate these Internets within the Internet.

Like social networking, the rapid adoption of cloud-based applications is changing user behavior, creating new attack targets. In 2011, the SaaS market reached $12.1 billion, up 20.7% over 2010. By 2015, SaaS will account for 15% of enterprise application purchases, up from 10% today (Gartner). This adoption is increasing web usage and, in turn, exposure to malware. A second side effect of the growing adoption of cloud-based applications is that it presents cybercriminals with a new way to target users and gain potentially lucrative login information. Web apps are attacked on average every two minutes (Imperva, 2011). When they are successful, they can be very profitable. For example, the MySQL attack last November targeted the login information of database admins, information that would likely gain them access to other more sensitive information within a corporate network. The attack utilized an iFrame injection and was set up by cybercriminals who purchased root access for $3,000 on the black market.

If SaaS is the future of applications, mobile devices are the future for communications and accessing corporate assets. Today, 76% of businesses have BYOD initiatives in place (CDW IT Monitor, June 2011), allowing employees to choose their own devices and access corporate assets from those devices. These initiatives are increasing the blurring of corporate and personal usage that has been taking place for years. However, now it creates a security risk by providing a new entry point into the corporate network and a potential source for data loss. The security problem is magnified even more as mobile users are increasingly on the mobile web. Today, users spend an average of 72 minutes per day browsing the mobile web (Flurry Analytics). And that is all done without any true protection against web-based threats. While the instances of targeted mobile malware are low today, we are starting to see examples. A recent Android attack redirected the browser to a malicious site that looked like a legitimate Opera browser update site. We have also seen attacks mimicking popular games. Late last year, a legitimate-looking version of Angry Birds was available on the Android apps store; once downloaded, a premium-rate SMS trojan started texting destinations owned by cybercriminals.

The bottom line here is that this problem is not going away any time soon. The barrier to entry is low for mass-market malware, with off-the-shelf exploit kits and call center-style help available for those looking to launch attacks. Malnets themselves offer a low-investment, high-return strategy by reusing existing infrastructures for hundreds of attacks. Above all, it continues to be profitable for malware operators. So how does an enterprise cope with these threats?

© Blue Coat Systems, Inc. 2011.

Inline Threat Detection
Protection layer over desktops:
- Second AV engine
- Faster update cycles
- Deep inspection: 99 layers of compression, up to 2GB files
- Users cannot tamper or disable
Latest AV technology:
- Checksum database for known threats
- Behavioral analysis on commands/content
- Emulation of scripts and active content
- Detect and block tunneled applications
No longer optional, a required defense layer: all web traffic including SSL/TLS

ProxyAV provides a reliable second layer of AV protection over desktops for a minimal expense. A second AV engine, different from the desktop AV engine, can be deployed, providing increased coverage by having two known brands and labs providing protection. ProxyAV can be set to check for updates every 5 minutes, whereas desktops are often updated daily or less frequently, thus providing the most up-to-date protection at the web gateway. ProxyAV can be configured with more detection depth than standard desktop AV settings, plus users and malware cannot tamper with ProxyAV or disable it. ProxyAV provides the latest advancements in AV technology, including traditional checksums/signatures for known threats, plus behavioral analysis on commands and content similar to a DNA fingerprint for scripts and active content, plus full emulation mode as required for scripts and active content to detect threats. Given malware growth in 2008, where 2/3 of all known malware of the past 15 years was detected, and now for 2009 the malware volume has doubled, not having inline threat detection is a huge risk and betting against the odds. Prior to 2007 web malware was known, however not excessive; in the past three years it has exploded past email and other threats to lead the pack. All web traffic including SSL should be inspected for web threats, even more so as Google and other web mail providers are now turning on SSL as a default for users.

Malware Scanning / DLP: Co-Processor Architecture
- Improved utilization with M:N ratio
- Higher throughput per gateway
- Results in less hardware
- Optimized design
(Diagram: Internet; ProxySG with dual cache design, clean object cache and fingerprint cache; ICAP, ICAP+ and S-ICAP connections to ProxyAV, ProxyAV and DLP; Enterprise Network; patience page, trickle first, trickle last, defer scan (media).)

ProxySG supports integration with third-party solutions for an extended web gateway architecture. This co-processor architecture for large enterprise web gateways results in higher performance, better utilization of each appliance, and less hardware for an optimized design. ProxySG supports three modes of ICAP. ICAP+ was developed for ProxyAV integration, where the traditional eight handshakes of ICAP were reduced to six, plus over 17 message/response enhancements were made for tighter integration, smooth deployments and serviceability. ProxySG also keeps a dual cache intelligence to improve performance and minimize inline threat detection analysis. A clean object cache with timestamps is kept, plus a fingerprint cache of non-cacheable objects with timestamps. Thus any clean cached objects or frequently seen non-cached objects are delivered quickly to users, free of any malware. Once an update is made to the inline detection engine, timestamps signal the ProxySG to send the object to ProxyAV for analysis. When updates are made to ProxyAV, the dual caches are not flushed, nor are the object caches for ProxySG, thus providing seamless high throughput for frequent updates. Standard ICAP (RFC 3507) is provided for any off-proxy integration of URL filtering or threat detection, however it is less popular today as on-proxy URL filtering has higher performance and more policy controls. S-ICAP (or SSL for ICAP) was recently introduced, recognizing that DLP deployments involve the separation of the client and server across a WAN for branch offices. As an example of scalability, we had a large customer in the EDU market with a very large user base. The Blue Coat solution using the co-processor architecture required 8 ProxySGs and 20 ProxyAVs, while our top SWG competitor required 96 appliances. As threat detection is CPU and memory intensive, it is often the lowest performing factor in a web gateway; embedding it into one appliance makes sense for 1,000 or fewer users, however for large enterprise web gateways that design wastes utilization within each appliance, thus requiring more rack space, more energy and more administration. By design, Blue Coat is the green solution.

Web Application Performance

Dominant Trends in Apps & Networks
- Virtualization & IT consolidation
- Streaming video, HTML5
- Cloud-delivered applications
- Next-generation networks, IPv6, Internet

There are a number of shifts in the landscape of users and how businesses use applications that are really driving some new requirements in this space, which originally served the application performance problems created by data center centralization. First, an explosion in mobile devices. Who here doesn't have a smartphone or an iPad? Or really both? Mobile devices are exploding in their use both in the workplace and at home. In fact, by 2014, more users are expected to access the Internet via mobile devices than computers. Workers too are becoming more mobile; this year alone an estimated 75% of the workforce in the U.S. will be mobile. Cloud-delivered applications are fundamentally changing the way enterprises deploy applications and deliver them to their user base. There's a lot of flexibility in cloud applications. There are a lot of operational efficiencies and it's definitely a growth area for customers that we serve. By 2014, analysts are projecting that this market will reach $16.5 billion. And then finally, video. Video has dominated recreational use; in fact 52% of all traffic on the Internet is video, and that is projected to rise to 91% by 2014. Now, though, it's increasingly being harnessed by the enterprise for training and communications. Those three areas, mobile, cloud-delivered applications and streaming video, are undergoing tremendous shifts that are really impacting the evolution of WAN optimization.

Use Case example: Cloud SaaS & IaaS and internal HTTPS Optimization
(Diagram: Branch Office to Data Center over the WAN, symmetric; Branch Office to the Cloud Infrastructure as-a-Service (IaaS) over the Internet with a Blue Coat M5 VA, symmetric; Branch Office to public cloud SaaS via the Cloud Caching Engine, asymmetric. Content types shown: SSL files & objects, HTML5, HTTP files & objects, Silverlight, Flash/RTMP, Apple images, RTSP; 6MB objects.)
Blue Coat Branch to Cloud and internal HTTPS Optimization Requirements

Now, let's turn our attention to a different, more difficult use case: cloud-based application delivery. Because when it comes to the cloud, realize that these are applications that don't sit in your internal data center. You don't control the infrastructure in most cases. Where you do control the infrastructure, for example in a private cloud or Infrastructure as a Service environment such as Amazon's EC2 cloud, you can deploy a virtual appliance so you can maintain that same old symmetric WAN optimization approach used in traditional WAN optimization. But in the case of a public cloud SaaS offering, where you can't control the infrastructure, that's where you need an asymmetric cloud caching capability in addition to the ability to decrypt external SSL. So this is where Blue Coat comes in. We not only have a virtual appliance that you can put in the private cloud infrastructure, we also have that cloud caching that's able to optimize directly from the branch office to the public cloud SaaS without having anything in the public cloud infrastructure. So, with that type of solution, we can speed cloud-delivered apps by up to 93 times. We lower the actual total cost of ownership because you don't need something deployed in the public cloud, you don't need something deployed at the data center. So with a single box, you actually optimize those cloud-based applications that are delivered to your employees in the branch office. They are cached in the Blue Coat Cloud Caching Engine on the first request, and subsequent requests for the same file are served directly from the Cloud Caching Engine.

Summary:
- Speed cloud-delivered apps 5-93X
- Low TCO with single box solution
- Accelerate Internet & web applications
- Asymmetric cloud caching
- Symmetric cloud or DC (virtual) appliance
- Internal & external SSL decryption

Cloud-Delivered Microsoft SharePoint, One-Armed "Cloud Caching" (chart): Blue Coat 22x faster; other speed-ups shown on the chart: 93x, 17x, 13x, 47x

Summary and Q&A

SSL Option 1: Passthrough
- Applications passed through
- No cache
- Visibility and context of: network-level information, user/group, applications (very limited)

Control:
- Can granularly proxy or tunnel, or partially proxy (i.e., check to ensure valid app, user and cert, then passthrough/tunnel)
- Warn user with splash screen – remind user of policy and offer chance to "opt out" of transaction
- Caching granularity – can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs)
- Administrative granularity – can log all, none, certain elements; can log off-box, securely
- Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains, Rogue Categories, Active Content Categories, Drive-by Installers (.CAB, .OCX, .MSI), Executable file types & executable MIMEs, Active Content & MIME Types, User Agents
- Speeds up business processes
- High-performance: over 400 Mbps; low latency: 3-4 msec

(Diagram: User --SSL--> Internet, TCP on both sides)

SSL Option 2: Check, then Pass
- Certificate validation
- No cache
- Visibility and context of: network-level information, certificates & certificate categories, user/group, applications (very limited)
- Can warn user and remind of AUP

(Diagram: User --SSL--> Internet, TCP on both sides)

SSL Option 3: Full SSL Proxy
- Full caching and logging options
- Visibility and context of: network-level information, certificates & certificate categories, user/group, applications & operations, content, etc.
- Preserve untrusted issuer
- Intercept SSL based on: user/group, server certificate category, request URL category, request URL, source & destination IP, client hostname, etc.

(Diagram: User --SSL--> ProxySG --SSL--> Internet / Apps, TCP on both sides)

SSL Proxy requirements
- SSL license
- Trust between client and ProxySG: roll out the ProxySG's self-signed certificate, or integrate ProxySG into an internal CA
- Legal requirements: these have to be verified on a per-country basis. Examples:
  - Germany: SSL interception has to conform to data protection laws (BDSG). To be allowed to intercept SSL, the reasoning has to be that the customer would like to prevent possible damage by internet threats, and there must be a concrete risk potential (which here of course there is). SSL scanning must happen in a "black box" without disclosing the encrypted content. Users have to be informed about SSL interception, and works councils have to be involved.
  - Sweden: There are no laws regarding SSL interception in Sweden. However, it is recommended to inform the user that SSL interception will occur.

Questions? michael.mauch@bluecoat.com

Please provide feedback on this webcast to: supportnewsletter@bluecoat.com
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
