The Benefits of SSL Content Inspection ABSTRACT

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The Benefits of SSL Content Inspection ABSTRACT"

Transcription

1 The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic to new heights. But not all SSL traffic is benign and without the right security tools, SSL can be a blind spot into your network. Web filters that use URL inspection can only provide limited protection against malicious SSL traffic and so a more advanced approach that intercepts the SSL traffic allowing the filter to examine the traffic is fast becoming a critical requirement. This white paper reviews the different approaches that can be used to manage SSL traffic with Web content filters and discusses the limitations of legacy approaches compared to current techniques that can inspect the SSL traffic.

2 INTRODUCTION Every day more and more Web traffic traverses the Internet in a form that provides security and trust for users and is encrypted to prevent unauthorized eavesdropping. This traffic is encrypted with Secure Sockets Layer (SSL), a transport layer encryption protocol that protects data against unauthorized access. Current estimates indicate that 25% to 35% 1 of enterprise traffic is SSL, but this can be as high as 70% depending on the industry vertical. SSL has become the de-facto choice to secure Web-based transactions such as online banking, but the use of SSL has now extended into securing other applications such as secure and providing tunnelling for corporate VPNs and extranets. According to Palo Alto Networks Application Usage and Risk Report 2, more than 40% of the 1,042 applications that were identified on enterprise networks in the study can use SSL or hop ports. The rise of cloud computing and applications is also delivering another uptick in SSL traffic. This white paper reviews the different approaches that can be used to manage SSL traffic with content filters and discusses the limitations of legacy approaches compared to current techniques that can inspect the SSL traffic. THE RISKS IN SSL TRAFFIC In many organizations SSL traffic passes freely in and out of the network because the IT organization lacks the ability to inspect and control SSL-encrypted traffic. However, not all content which is encrypted with SSL is benign. The content may be illegal, inappropriate or contain malware and other threats that could harm the organization s network and endpoint devices, impact user productivity and in some cases damage the organization s reputation. For further information about the risks of SSL, download Bloxx s white paper Protecting Your Network Against Risky SSL Traffic at Without visibility into SSL-encrypted traffic, IT lacks the ability to protect the organization and the reality is that SSL is a potential back door for inappropriate or malicious Web traffic. Fortunately, a Web content filter or Secure Web Gateway that has the ability to securely intercept and inspect SSL traffic can provide IT with the tools it needs to minimize the risks of SSL traffic. SSL PRIMER Secure Sockets Layer (SSL) was originally developed by Netscape Communications to provide security for Internet communications. SSL provides a secure channel between two endpoints, typically a client browser and a Web server, to provide protection against eavesdropping, forgery or tampering of the traffic. To provide this security, SSL uses X.509 digital certificates for authentication, encryption to ensure privacy and digital signatures to ensure integrity. Essentially SSL creates a secure tunnel between the two endpoints and the Web traffic is transmitted inside the tunnel. The encrypted traffic is called HTTPS and uses port 443 to communicate between the client browser and the Web server; unencrypted HTTP traffic uses port 80. It is worth noting that although SSL is primarily used to secure HTTP traffic, SSL was designed so that it could provide security for many other application protocols that run over TCP.

3 THE CHALLENGES OF MANAGING SSL TRAFFIC Traditionally, SSL has been used to provide security and privacy for confidential information or transactions, for example online banking, e-commerce, and so on, but as previously mentioned many more Websites and Web applications are now moving towards HTTPS as default. However, although HTTPS provides increased security and minimizes the risk for users and organizations, it also creates a blind spot which can allow users to access inappropriate or productivity impacting content and a back door into your network that cyber criminals and malware authors can effectively exploit. A gateway level Web content filter or Secure Web Gateway is typically used to proactively control the Web content that users are allowed to view, typically by checking the URL being requested against a categorized database of URLs. This is easy and straightforward to do when the request is being made using HTTP. However, when the request is being made using HTTPS, only the top level domain, or in some cases its related IP address for the Web page being requested is visible to the Web filter. For example if is being requested, then the Web filter can only make a decision to block or allow on This makes enforcing a granular filtering policy extremely problematic for HTTPS traffic. With more sophisticated Web filters that analyze and categorize content of the page being requested in real-time to determine the type of content and to scan for malware, the encrypted nature of the traffic means that these additional layers of filtering cannot be used. In practical terms, this could mean that when a user deliberately or accidentally accesses inappropriate or illegal content using HTTPS, the Web filter will be unable to determine the type of content being requested and may simply allow access. This could lead to serious consequences for the employee and the organization if, for example, illegal content such as child abuse images or racial hatred content is being accessed. In addition, if an exploited Website containing a malware payload is accessed using SSL then the encrypted page cannot be scanned by the malware detection engine leading to the risks of networks and endpoints becoming infected with malware. A REAL-WORLD SSL EXPLOIT Criminals can exploit the trust that users put in SSL to create a fake web page that will trick victims into providing confidential information. In one example, criminals had hacked into the website of the Malaysian Police force to set up a fake PayPal page. The page used the valid SSL certificate from the site to trick potential victims into thinking that the site was legitimate so that they provided confidential information such as usernames and passwords. Most users had assumed that after seeing HTTPS and a green padlock in their browser that the site was legitimate and safe without checking that the URL matched the site in front of their eyes. For example if the site that a user is connecting to is Paypal, then the address needs to begin and not or The last URL is obviously a fake, but many people will put absolute trust in the green padlock symbol. The SSL certificate in this instance was valid but the certificate authority, in this case Symantec, had not revoked the certificate through a Certificate Revocation list or by using on-demand OSCP responses.

4 BASIC APPROACHES TO MANAGING SSL A draconian approach to minimizing the risk of SSL traffic might be to simply block all SSL traffic using a firewall rule, or to block all SSL traffic with a Web filtering policy, only allowing access to specific web sites or pages. However, with the rapid growth of the Web and the growing use of SSL, this approach has become unsustainable and would likely create a deluge of IT support calls requesting access to specific sites. A more effective and advanced approach is to use SSL certificate based filtering. In this approach, the Web content filter attempts to validate the host name or certificate name from the Web server that is being accessed, so that the URL can be validated against the URL database. This approach has some advantages in that no changes are required to be made to client browsers and a filtering policy can be applied if the URL is obtained. However, there are a number of limitations to SSL certificate filtering. These include the fact that the user will only see a page cannot be displayed error and so will be unsure if this is a filtering policy restriction or a network, website or browser error; filtering relies on only the URL and not the page content; and malware cannot be scanned and blocked. Therefore, the only practical and sustainable approach is to provide a mechanism that allows your Web content filter or Secure Web Gateway to intercept, decrypt and analyze the SSL traffic. A MORE SOPHISTICATED AND SECURE APPROACH TO MANAGING SSL To allow proactive management of SSL, it is necessary to look inside the secure tunnel and examine the encrypted traffic. One effective way to deliver this capability is deploy a Web filter or Secure Web Gateway that is able to intercept and decrypt the SSL traffic. To achieve this, the Web filter creates a secure connection between the client browser and the Web filter, and decrypts the SSL traffic into plain text. Then, after being analyzed the traffic is re-encrypted and another secure connection is created between the Web filter and the Web server. This means that the Web filter is effectively acting like an SSL proxy server and so can both intercept the SSL connection and inspect the content. Bloxx SSL Intercept (SSLI) is used to provide this capability in the Bloxx Web Filter and Secure Web Gateway. SSLI operates by temporarily capturing the SSL traffic so that the Web page being requested can be analyzed, categorized and filtered before it is delivered to the client browser. The unencrypted traffic is also passed to the malware detection engine to identify and block malicious traffic. In order to provide further security, the SSL certificate from the Web site in question is checked against a list of valid certificate authorities. This is an extra check on top of those that are performed by Web browsers. The key difference is that this check is enforced at the gateway and can prevent users from proceeding to sites with invalid certificates, whereas browsers will let them access these sites. It also means that if a browser s list of trusted Certificate Authorities (CA) or Certificate Revocation List (CRL) are out of date, that the gateway will still catch the invalid certificate and block access to the site. This level of functionality is available in Bloxx Secure Web Gateway and does not require decryption of SSL traffic. This combination of safeguards increases security levels on your network and protects users from inappropriate or illegal content. Bloxx SSLI provides SSL traffic inspection and filtering in any deployment, regardless of where your Bloxx filtering appliance is situated on your network. SSLI intercepts SSL requests, and checks the validity of all server, intermediate and root server certificates. These certificates are then replaced by a spoof certificate. The spoof certificate is generated dynamically on the Bloxx appliance and signed by the Bloxx CA certificate, signifying the fact that the page is being delivered by the Bloxx Web filter, and not the remote Web server. To the endpoint browser however, the certificate appears as if it is from the remote website. This approach allows SSL traffic to be securely intercepted, decrypted, analyzed for content and potential security threats. There are a number of significant advantages to this approach, coupled with implications for the network in question, and several options for certificate deployment. These are discussed in the following sections in further detail.

5 HOW BLOXX WEB FILTERING WITH SSLI ENHANCES SECURITY There are a number of significant benefits that are delivered by using the Bloxx Web Filter or Secure Web Gateway to manage SSL traffic. Confidential Information Remains Secure A principal concern with intercepting and decrypting SSL traffic is the security of the data being decrypted. After all, the HTTPS traffic has been encrypted because of its sensitive nature, and security of data such as bank account details is paramount (especially from the perspective of the end user). In order to preserve the security of sensitive data, the Bloxx filtering appliance decrypts the traffic but it does not log or store any plain text data. Protecting Sensitive SSL Traffic There will be specific sites that use SSL (such as banking or healthcare sites) where you do not want the Bloxx filter decrypt and inspect the traffic. To allow this, the Bloxx filtering appliance allows you to easily select specific categories of SSL traffic that you may consider particularly sensitive so that any related SSL traffic remains encrypted. This capability of decryption exception ensures that the sensitive SSL data involved remains completely encrypted, but still allows the validity of the SSL certificate to be verified. SSLI and Dynamic Real-Time Categorization The combination of SSLI and Bloxx s patented real-time content categorizer, Tru-View Technology (TVT), provides an effective method of categorizing and filtering SSL content whilst applying the appropriate filtering policy. Once the requested Web page has been retrieved, SSLI decrypts the content and passes this to TVT for analysis and categorization. In addition, the page is also passed to the filter s malware scanner to detect for viruses or other potentially harmful content. This means that the filtering policy for SSL traffic is applied based on the content of the page, not just the URL being requested. So for example, if the SSL page contains adult content, then TVT has the ability to categorize and block the page. Real-time content analysis and categorization coupled with the ability to decrypt and scan content for harmful malware programs ensures that your network is protected from newly emerging security threats and that your users and organization are further protected against accessing inappropriate or illegal content Securing End Points Increasingly, the types of malware programs mentioned above are being hidden within SSL traffic. Without decrypting SSL, how will you minimize the risk of infecting end points? The Bloxx Web Filter can help increase network security by checking for these potential threats hidden in SSL traffic before they reach end points. The Bloxx content filter decrypts the secure Web content which is passed to the filter s malware detection engine, enabling the content to be scanned and assessed for malicious code before it is passed on to the endpoint.

6 DEPLOYING BLOXX FILTERING WITH SSLI AND SSL ROOT CERTIFICATES To ensure that the browsing experience of users is not impacted when you deploy the Bloxx Web Filter or Secure Web Gateway to inspect SSL content, it is recommended that you install a new SSL Root Certificate on end point devices. It is worth highlighting that this is not an issue that is related to the way SSLI operates, but is a result of the way the SSL certificates have been designed to prevent tampering or other malicious activities. As previously mentioned, SSL uses X.509 digital certificates for authentication during an SSL session. When deployed to intercept SSL traffic, the Bloxx filter needs to become a Certificate Authority (CA) to ensure seamless and uninterrupted operation of SSL. To achieve this, To ensure that the browsing experience of users is not impacted when you deploy the Bloxx Web Filter or Secure Web Gateway to inspect SSL content, it is recommended that you install a new SSL Root Certificate on end point devices. It is worth highlighting that this is not an issue that is related to the way SSLI operates, but is a result of the way the SSL certificates have been designed to prevent tampering or other malicious activities. As previously mentioned, SSL uses X.509 digital certificates for authentication during an SSL session. When deployed to intercept SSL traffic, the Bloxx filter needs to become a Certificate Authority (CA) to ensure seamless and uninterrupted operation of SSL. To achieve this, the certificate provided by the Web server being accessed is automatically regenerated by SSLI. The name of the remote server and its altname are not changed. To achieve this seamless operation, all SSL clients must use the Bloxx SSL Certificate (or an alternative one that you generate) as a trusted Certificate Authority. To achieve this seamless operation, all SSL clients must use the Bloxx SSL Certificate (or an alternative one that you generate) as a trusted Certificate Authority. INSTALLING A ROOT CERTIFICATE To prevent warning and exception messages being displayed in users browsers, it is necessary to install a Root Certificate on client devices. There is a misplaced belief that doing this could expose organizations to additional security risks. However, it is important to note that when you create your own root certificate on the Bloxx filtering appliance, you are the only one with access your private key. Bloxx does not have access to this, and as such a potential hacker would need to be able to compromise the Bloxx appliance in order to capture sensitive information. This is due to the fact that no clear traffic travels over the network, but remains within the Bloxx filtering appliance. Installing the Certificate on End Points There are two possible approaches for installing a certificate on a client device. A default Bloxx CA certificate can be automatically generated, or alternatively it is possible to upload your own certificate, where you have the ability to control the issuer, subject, and expiry date. The auto-genetrated Bloxx certificate is valid for 10 years. Installing the Certificate on Wireless End Points For wireless devices such as tablets and smartphones, it is recommended that you place a link to download the Bloxx CA certificate (or whichever certificate you choose to use) on your Wi-Fi landing page.

7 DECRYPTION EXCEPTIONS A decryption exception means that SSLI will no longer intercept the secure traffic, but will simply verify that a site s security certificate is valid. There are two situations where you may require SSL traffic to remain encrypted. The most common use case is to ensure that personal details or highly sensitive data remain completely encrypted. This means that the Web filter cannot analyze and categorize traffic but will simply verify that a site s security certificate is valid and perform non-content-based filtering using the domain or IP address of the remote server, or CN and altnames from the certificate The other use case is when the SSL client is incompatible with SSLI because it does not provide a way to trust the Bloxx CA certificate. CONCLUSION In this white paper we have discussed several ways in which intercepting SSL traffic can increase network security, reduce the risk of inappropriate content being accessed and allow content filtering based on the content of the secure Web page being requested. The recommended approach to implementing SSL content inspection on your network is to consider the security implications from both perspectives. If SSL content inspection is not implemented, risks to your organization include allowing access to inappropriate content, increased risk from SSL anonymous proxies, and exposing your network to harmful malware which can compromise confidential information. On the other hand, the minimal possibility of your SSL traffic being compromised through the Bloxx content filter may present the lesser risk. When making use of SSLI capabilities, you have complete flexibility to select which sites to decrypt, thus creating the option to completely customize the way you filter different types of SSL traffic. For example you could choose to tunnel banking sites, but intercept all other SSL traffic. REFERENCES 1. SSL Performance Problems NSS Labs Analyst Brief, files/ %20ab%20ssl%20performance%20problems% c.pdfsdfsdrtrfsdf 2. Palo Alto Networks, Application Usage and Risk Report (7th Edition, May 2011). com/documents/application_usage_risk_report_ pdf t e. w. Copyright 2015 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Bloxx. Specifications are subject to change without notice.

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Protecting Your Network Against Risky SSL Traffic ABSTRACT Protecting Your Network Against Risky SSL Traffic ABSTRACT Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure

More information

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Inspection of Encrypted HTTPS Traffic

Inspection of Encrypted HTTPS Traffic Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents

More information

HTTPS Inspection with Cisco CWS

HTTPS Inspection with Cisco CWS White Paper HTTPS Inspection with Cisco CWS What is HTTPS? Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). It is a combination of HTTP and a

More information

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Stopping secure Web traffic from bypassing your content filter. BLACK BOX Stopping secure Web traffic from bypassing your content filter. BLACK BOX 724-746-5500 blackbox.com Table of Contents Introduction... 3 Implications... 4 Approaches... 4 SSL CGI Proxy... 5 SSL Full Proxy...

More information

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter A Cymphonix White Paper How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter Introduction Internet connectivity

More information

Integrated SSL Scanning

Integrated SSL Scanning Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

The Impact of Anonymous Proxies In Education

The Impact of Anonymous Proxies In Education The Impact of Anonymous Proxies In Education 2014 Survey Results Proxies can be used to access pornographic or file sharing sites. during Once a student successfully finds a proxy site, everyone knows

More information

Next-Generation Firewalls: Critical to SMB Network Security

Next-Generation Firewalls: Critical to SMB Network Security Next-Generation Firewalls: Critical to SMB Network Security Next-Generation Firewalls provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today s more

More information

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES Contents Introduction 3 SSL Encryption Basics 3 The Need for SSL Traffic Inspection

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Direct or Transparent Proxy?

Direct or Transparent Proxy? Direct or Transparent Proxy? Choose the right configuration for your gateway. Table of Contents Direct Proxy...3 Transparent Proxy...4 Other Considerations: Managing authentication made easier.....4 SSL

More information

Securing your Online Data Transfer with SSL

Securing your Online Data Transfer with SSL Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does

More information

INSTANT MESSAGING SECURITY

INSTANT MESSAGING SECURITY INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Content-ID. Content-ID URLS THREATS DATA

Content-ID. Content-ID URLS THREATS DATA Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and

More information

Integrated SSL Scanning

Integrated SSL Scanning Version 9.2 SSL Enhancements Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.

More information

How Attackers are Targeting Your Mobile Devices. Wade Williamson

How Attackers are Targeting Your Mobile Devices. Wade Williamson How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best

More information

White paper. How to choose a Certificate Authority for safer web security

White paper. How to choose a Certificate Authority for safer web security White paper How to choose a Certificate Authority for safer web security Executive summary Trust is the cornerstone of the web. Without it, no website or online service can succeed in the competitive online

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

The Hidden Dangers of Public WiFi

The Hidden Dangers of Public WiFi WHITEPAPER: OCTOBER 2014 The Hidden Dangers of Public WiFi 2 EXECUTIVE SUMMARY 4 MARKET DYNAMICS 4 The Promise of Public WiFi 5 The Problem with Public WiFi 6 MARKET BEHAVIOR 6 Most People Do Not Protect

More information

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network. Content-ID Content-ID enables customers to apply policies to inspect and control content traversing the network. Malware & Vulnerability Research 0-day Malware and Exploits from WildFire Industry Collaboration

More information

Introduction to the Mobile Access Gateway

Introduction to the Mobile Access Gateway Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch

More information

SSL Certificates: A Simple Solution to Website Security

SSL Certificates: A Simple Solution to Website Security SSL Certificates: A Simple Solution to Website Security SSL Certificates: A Simple Solution to Website Security 2 Secure Sockets Layer (SSL) Certificates, also known as digital certificates, assure you

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

Websense Content Gateway HTTPS Configuration

Websense Content Gateway HTTPS Configuration Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index Table of Contents Chapter 1: Installing Endpoint Application Control System Requirements... 1-2 Installation Flow... 1-2 Required Components... 1-3 Welcome... 1-4 License Agreement... 1-5 Proxy Server...

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

SSL Performance Problems

SSL Performance Problems ANALYST BRIEF SSL Performance Problems SIGNIFICANT SSL PERFORMANCE LOSS LEAVES MUCH ROOM FOR IMPROVEMENT Author John W. Pirc Overview In early 2013, NSS Labs released the results of its Next Generation

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Secure Traffic Inspection

Secure Traffic Inspection Overview, page 1 Legal Disclaimer, page 2 Secure Sockets Layer Certificates, page 3 Filters, page 4 Policy, page 5 Overview When a user connects to a website via HTTPS, the session is encrypted with a

More information

Topics in Network Security

Topics in Network Security Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure

More information

White Paper Secure Reverse Proxy Server and Web Application Firewall

White Paper Secure Reverse Proxy Server and Web Application Firewall White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security

More information

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

Norton Mobile Privacy Notice

Norton Mobile Privacy Notice Effective: April 12, 2016 Symantec and the Norton brand have been entrusted by consumers around the world to protect their computing devices and most important digital assets. This Norton Mobile Privacy

More information

Network protection and UTM Buyers Guide

Network protection and UTM Buyers Guide Network protection and UTM Buyers Guide Using a UTM solution for your network protection used to be a compromise while you gained in resource savings and ease of use, there was a payoff in terms of protection

More information

Applications erode the secure network How can malware be stopped?

Applications erode the secure network How can malware be stopped? Vulnerabilities will continue to persist Vulnerabilities in the software everyone uses everyday Private Cloud Security It s Human Nature Programmers make mistakes Malware exploits mistakes Joe Gast Recent

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

Downloading and Configuring WebFilter

Downloading and Configuring WebFilter Downloading and Configuring WebFilter What is URL Filtering? URL filtering is a type of transaction content filtering that limits a user s Web site access through a policy that is associated with a specific

More information

Top tips for improved network security

Top tips for improved network security Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a

More information

Best Practices for Secure Remote Access. Aventail Technical White Paper

Best Practices for Secure Remote Access. Aventail Technical White Paper Aventail Technical White Paper Table of contents Overview 3 1. Strong, secure access policy for the corporate network 3 2. Personal firewall, anti-virus, and intrusion-prevention for all desktops 4 3.

More information

Computer Security and Privacy

Computer Security and Privacy Computer Security and Privacy 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Guidelines for Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures

More information

SSL Inspection Step-by-Step Guide. June 6, 2016

SSL Inspection Step-by-Step Guide. June 6, 2016 SSL Inspection Step-by-Step Guide June 6, 2016 Key Drivers for Inspecting Outbound SSL Traffic Eliminate blind spots of SSL encrypted communication to/from the enterprise Maintaining information s communication

More information

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNERS GUIDE TO SSL CERTIFICATES Introduction Whether you are an individual or a company, you

More information

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

More information

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009 Proxy Blocking: Preventing Tunnels Around Your Web Filter Information Paper August 2009 Table of Contents Introduction... 3 What Are Proxies?... 3 Web Proxies... 3 CGI Proxies... 4 The Lightspeed Proxy

More information

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013 Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,

More information

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution Quick Start 5: Introducing and configuring Websense Cloud Web Security solution Websense Support Webinar April 2013 TRITON STOPS MORE THREATS. WE CAN PROVE IT. 2013 Websense, Inc. Page 1 Presenter Greg

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

Secure Web Appliance. SSL Intercept

Secure Web Appliance. SSL Intercept Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information

Endpoint web control overview guide. Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control

Endpoint web control overview guide. Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control Endpoint web control overview guide Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control Document date: December 2011 Contents 1 Endpoint web control...3 2 Enterprise Console

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Jort Kollerie SonicWALL

Jort Kollerie SonicWALL Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential

More information

CyBlock SSL Inspection

CyBlock SSL Inspection WavecrestTechBrief CyBlock SSL Inspection www.wavecrest.net Introduction to SSL Inspection General. The SSL Inspection feature is a value-added, security enhancement incorporated into CyBlock. As explained

More information

A Modern Framework for Network Security in the Federal Government

A Modern Framework for Network Security in the Federal Government A Modern Framework for Network Security in the Federal Government 1 A MODERN FRAMEWORK FOR NETWORK SECURITY IN THE FEDERAL GOVERNMENT Trends in Federal Requirements for Network Security In recent years,

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

ez Agent Administrator s Guide

ez Agent Administrator s Guide ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,

More information

Why You Need an SSL Certificate

Why You Need an SSL Certificate Why You Need an SSL Certificate WHY YOU NEED AN SSL CERTIFICATE Introduction Recent numbers from the U.S. Department of Commerce show that online retail is continuing its rapid growth. However, malicious

More information

SSL Overview for Resellers

SSL Overview for Resellers Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an

More information

The enemy within: Stop students from bypassing your defenses

The enemy within: Stop students from bypassing your defenses The enemy within: Stop students from bypassing your defenses Computer literate K-12 students regularly use anonymizing proxies to bypass their school s web filters to access pornography, social networking,

More information

Portal Administration. Administrator Guide

Portal Administration. Administrator Guide Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Whitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot

Whitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot Whitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot Since the mid-90 s, users transacting on the internet have been assured of security by the lock icon displayed on their browser and

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work. Deployment Guide Revision C McAfee Web Protection Hybrid Introduction Web Protection provides the licenses and software for you to deploy Web Gateway, SaaS Web Protection, or a hybrid deployment using

More information

Looking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015

Looking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015 WHITEPAPER Looking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015 Malcolm Orekoya Network & Security Specialist 30 th January 2015 Table of Contents Introduction... 2 Identity Defines

More information

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway Table of Contents Introduction... 3 Implementing Best Practices with the Websense Web Security

More information

Enterprise Buyer Guide

Enterprise Buyer Guide Enterprise Buyer Guide Umbrella s Secure Cloud Gateway vs. Web Proxies or Firewall Filters Evaluating usability, performance and efficacy to ensure that IT teams and end users will be happy. Lightweight

More information

Website Security: It s Not all About the Hacker Anymore

Website Security: It s Not all About the Hacker Anymore Website Security: It s Not all About the Hacker Anymore Mike Smart Sr. Manager, Products and Solutions Trust Services & Website Security Website Security 1 Website Security Challenges Evolving Web Use

More information

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents

More information

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security WHITE PAPER: ENTERPRISE SECURITY Strengthening Database Security White Paper: Enterprise Security Strengthening Database Security Contents Introduction........................................................................4

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute

More information

DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES *

DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES * DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES * Shamima Rahman Tuan Anh Nguyen T. Andrew Yang Univ. of Houston Clear Lake 2700 Bay Area Blvd., Houston, TX 77058 rahmans3984@uhcl.edu nguyent2591@uhcl.edu

More information

Extended SSL Certificates

Extended SSL Certificates Introduction Widespread usage of internet has led to the growth of awareness amongst users, who now associate green address bar with security. Though people are able to recognize the green bar, there is

More information

Securing an IP SAN. Application Brief

Securing an IP SAN. Application Brief Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.

More information

Security Features of SellerDeck Web Sites

Security Features of SellerDeck Web Sites Security Features of SellerDeck Web Sites Introduction This paper describes the security techniques used by SellerDeck and the possible attacks that might be made. It compares SellerDeck products with

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

The 10 myths of safe web browsing

The 10 myths of safe web browsing Are you suffering from misconceptions about safe web browsing? You might think you re being safe, but with a newly infected webpage discovered every few seconds, it s next to impossible to stay up to date

More information

MUNICIPAL WIRELESS NETWORK

MUNICIPAL WIRELESS NETWORK MUNICIPAL WIRELESS NETWORK May 2009 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications November, 2010 2010 Websense, Inc. All rights reserved. Websense is a registered

More information

AVG AntiVirus. How does this benefit you?

AVG AntiVirus. How does this benefit you? AVG AntiVirus Award-winning antivirus protection detects, blocks, and removes viruses and malware from your company s PCs and servers. And like all of our cloud services, there are no license numbers to

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Controlling Web 2.0 Applications in the Enterprise SOLUTION GUIDE

Controlling Web 2.0 Applications in the Enterprise SOLUTION GUIDE Controlling Web 2.0 Applications in the Enterprise SOLUTION GUIDE FORTINET Controlling Web 2.0 Applications in the Enterprise PAGE 2 Summary New technologies used in Web 2.0 applications have increased

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption Introduction This Technical FAQ explains the functionality of the optional HTTPS/SSL scanning and inspection module available for the Web Gateway and

More information

The Benefits of the thawte ISP Program

The Benefits of the thawte ISP Program The Benefits of the thawte ISP Program Earn additional revenue by reselling thawte digital certificate products... 1. Overview 2. Who Should Join? 3. The ISP Program what are the Benefits? 4. How can you

More information

SSL Certificates 101

SSL Certificates 101 Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer

More information

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES WEB PROTECTION Features SECURITY OF INFORMATION TECHNOLOGIES The web today has become an indispensable tool for running a business, and is as such a favorite attack vector for hackers. Injecting malicious

More information

Next Gen Firewall and UTM Buyers Guide

Next Gen Firewall and UTM Buyers Guide Next Gen Firewall and UTM Buyers Guide Implementing and managing a network protected by point solutions is far from simple. But complete protection doesn t have to be complicated. This buyers guide explains

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1

Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1 JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us

More information