The Benefits of SSL Content Inspection ABSTRACT
|
|
- Brittany Poole
- 8 years ago
- Views:
Transcription
1 The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic to new heights. But not all SSL traffic is benign and without the right security tools, SSL can be a blind spot into your network. Web filters that use URL inspection can only provide limited protection against malicious SSL traffic and so a more advanced approach that intercepts the SSL traffic allowing the filter to examine the traffic is fast becoming a critical requirement. This white paper reviews the different approaches that can be used to manage SSL traffic with Web content filters and discusses the limitations of legacy approaches compared to current techniques that can inspect the SSL traffic.
2 INTRODUCTION Every day more and more Web traffic traverses the Internet in a form that provides security and trust for users and is encrypted to prevent unauthorized eavesdropping. This traffic is encrypted with Secure Sockets Layer (SSL), a transport layer encryption protocol that protects data against unauthorized access. Current estimates indicate that 25% to 35% 1 of enterprise traffic is SSL, but this can be as high as 70% depending on the industry vertical. SSL has become the de-facto choice to secure Web-based transactions such as online banking, but the use of SSL has now extended into securing other applications such as secure and providing tunnelling for corporate VPNs and extranets. According to Palo Alto Networks Application Usage and Risk Report 2, more than 40% of the 1,042 applications that were identified on enterprise networks in the study can use SSL or hop ports. The rise of cloud computing and applications is also delivering another uptick in SSL traffic. This white paper reviews the different approaches that can be used to manage SSL traffic with content filters and discusses the limitations of legacy approaches compared to current techniques that can inspect the SSL traffic. THE RISKS IN SSL TRAFFIC In many organizations SSL traffic passes freely in and out of the network because the IT organization lacks the ability to inspect and control SSL-encrypted traffic. However, not all content which is encrypted with SSL is benign. The content may be illegal, inappropriate or contain malware and other threats that could harm the organization s network and endpoint devices, impact user productivity and in some cases damage the organization s reputation. For further information about the risks of SSL, download Bloxx s white paper Protecting Your Network Against Risky SSL Traffic at Without visibility into SSL-encrypted traffic, IT lacks the ability to protect the organization and the reality is that SSL is a potential back door for inappropriate or malicious Web traffic. Fortunately, a Web content filter or Secure Web Gateway that has the ability to securely intercept and inspect SSL traffic can provide IT with the tools it needs to minimize the risks of SSL traffic. SSL PRIMER Secure Sockets Layer (SSL) was originally developed by Netscape Communications to provide security for Internet communications. SSL provides a secure channel between two endpoints, typically a client browser and a Web server, to provide protection against eavesdropping, forgery or tampering of the traffic. To provide this security, SSL uses X.509 digital certificates for authentication, encryption to ensure privacy and digital signatures to ensure integrity. Essentially SSL creates a secure tunnel between the two endpoints and the Web traffic is transmitted inside the tunnel. The encrypted traffic is called HTTPS and uses port 443 to communicate between the client browser and the Web server; unencrypted HTTP traffic uses port 80. It is worth noting that although SSL is primarily used to secure HTTP traffic, SSL was designed so that it could provide security for many other application protocols that run over TCP.
3 THE CHALLENGES OF MANAGING SSL TRAFFIC Traditionally, SSL has been used to provide security and privacy for confidential information or transactions, for example online banking, e-commerce, and so on, but as previously mentioned many more Websites and Web applications are now moving towards HTTPS as default. However, although HTTPS provides increased security and minimizes the risk for users and organizations, it also creates a blind spot which can allow users to access inappropriate or productivity impacting content and a back door into your network that cyber criminals and malware authors can effectively exploit. A gateway level Web content filter or Secure Web Gateway is typically used to proactively control the Web content that users are allowed to view, typically by checking the URL being requested against a categorized database of URLs. This is easy and straightforward to do when the request is being made using HTTP. However, when the request is being made using HTTPS, only the top level domain, or in some cases its related IP address for the Web page being requested is visible to the Web filter. For example if is being requested, then the Web filter can only make a decision to block or allow on This makes enforcing a granular filtering policy extremely problematic for HTTPS traffic. With more sophisticated Web filters that analyze and categorize content of the page being requested in real-time to determine the type of content and to scan for malware, the encrypted nature of the traffic means that these additional layers of filtering cannot be used. In practical terms, this could mean that when a user deliberately or accidentally accesses inappropriate or illegal content using HTTPS, the Web filter will be unable to determine the type of content being requested and may simply allow access. This could lead to serious consequences for the employee and the organization if, for example, illegal content such as child abuse images or racial hatred content is being accessed. In addition, if an exploited Website containing a malware payload is accessed using SSL then the encrypted page cannot be scanned by the malware detection engine leading to the risks of networks and endpoints becoming infected with malware. A REAL-WORLD SSL EXPLOIT Criminals can exploit the trust that users put in SSL to create a fake web page that will trick victims into providing confidential information. In one example, criminals had hacked into the website of the Malaysian Police force to set up a fake PayPal page. The page used the valid SSL certificate from the site to trick potential victims into thinking that the site was legitimate so that they provided confidential information such as usernames and passwords. Most users had assumed that after seeing HTTPS and a green padlock in their browser that the site was legitimate and safe without checking that the URL matched the site in front of their eyes. For example if the site that a user is connecting to is Paypal, then the address needs to begin and not or The last URL is obviously a fake, but many people will put absolute trust in the green padlock symbol. The SSL certificate in this instance was valid but the certificate authority, in this case Symantec, had not revoked the certificate through a Certificate Revocation list or by using on-demand OSCP responses.
4 BASIC APPROACHES TO MANAGING SSL A draconian approach to minimizing the risk of SSL traffic might be to simply block all SSL traffic using a firewall rule, or to block all SSL traffic with a Web filtering policy, only allowing access to specific web sites or pages. However, with the rapid growth of the Web and the growing use of SSL, this approach has become unsustainable and would likely create a deluge of IT support calls requesting access to specific sites. A more effective and advanced approach is to use SSL certificate based filtering. In this approach, the Web content filter attempts to validate the host name or certificate name from the Web server that is being accessed, so that the URL can be validated against the URL database. This approach has some advantages in that no changes are required to be made to client browsers and a filtering policy can be applied if the URL is obtained. However, there are a number of limitations to SSL certificate filtering. These include the fact that the user will only see a page cannot be displayed error and so will be unsure if this is a filtering policy restriction or a network, website or browser error; filtering relies on only the URL and not the page content; and malware cannot be scanned and blocked. Therefore, the only practical and sustainable approach is to provide a mechanism that allows your Web content filter or Secure Web Gateway to intercept, decrypt and analyze the SSL traffic. A MORE SOPHISTICATED AND SECURE APPROACH TO MANAGING SSL To allow proactive management of SSL, it is necessary to look inside the secure tunnel and examine the encrypted traffic. One effective way to deliver this capability is deploy a Web filter or Secure Web Gateway that is able to intercept and decrypt the SSL traffic. To achieve this, the Web filter creates a secure connection between the client browser and the Web filter, and decrypts the SSL traffic into plain text. Then, after being analyzed the traffic is re-encrypted and another secure connection is created between the Web filter and the Web server. This means that the Web filter is effectively acting like an SSL proxy server and so can both intercept the SSL connection and inspect the content. Bloxx SSL Intercept (SSLI) is used to provide this capability in the Bloxx Web Filter and Secure Web Gateway. SSLI operates by temporarily capturing the SSL traffic so that the Web page being requested can be analyzed, categorized and filtered before it is delivered to the client browser. The unencrypted traffic is also passed to the malware detection engine to identify and block malicious traffic. In order to provide further security, the SSL certificate from the Web site in question is checked against a list of valid certificate authorities. This is an extra check on top of those that are performed by Web browsers. The key difference is that this check is enforced at the gateway and can prevent users from proceeding to sites with invalid certificates, whereas browsers will let them access these sites. It also means that if a browser s list of trusted Certificate Authorities (CA) or Certificate Revocation List (CRL) are out of date, that the gateway will still catch the invalid certificate and block access to the site. This level of functionality is available in Bloxx Secure Web Gateway and does not require decryption of SSL traffic. This combination of safeguards increases security levels on your network and protects users from inappropriate or illegal content. Bloxx SSLI provides SSL traffic inspection and filtering in any deployment, regardless of where your Bloxx filtering appliance is situated on your network. SSLI intercepts SSL requests, and checks the validity of all server, intermediate and root server certificates. These certificates are then replaced by a spoof certificate. The spoof certificate is generated dynamically on the Bloxx appliance and signed by the Bloxx CA certificate, signifying the fact that the page is being delivered by the Bloxx Web filter, and not the remote Web server. To the endpoint browser however, the certificate appears as if it is from the remote website. This approach allows SSL traffic to be securely intercepted, decrypted, analyzed for content and potential security threats. There are a number of significant advantages to this approach, coupled with implications for the network in question, and several options for certificate deployment. These are discussed in the following sections in further detail.
5 HOW BLOXX WEB FILTERING WITH SSLI ENHANCES SECURITY There are a number of significant benefits that are delivered by using the Bloxx Web Filter or Secure Web Gateway to manage SSL traffic. Confidential Information Remains Secure A principal concern with intercepting and decrypting SSL traffic is the security of the data being decrypted. After all, the HTTPS traffic has been encrypted because of its sensitive nature, and security of data such as bank account details is paramount (especially from the perspective of the end user). In order to preserve the security of sensitive data, the Bloxx filtering appliance decrypts the traffic but it does not log or store any plain text data. Protecting Sensitive SSL Traffic There will be specific sites that use SSL (such as banking or healthcare sites) where you do not want the Bloxx filter decrypt and inspect the traffic. To allow this, the Bloxx filtering appliance allows you to easily select specific categories of SSL traffic that you may consider particularly sensitive so that any related SSL traffic remains encrypted. This capability of decryption exception ensures that the sensitive SSL data involved remains completely encrypted, but still allows the validity of the SSL certificate to be verified. SSLI and Dynamic Real-Time Categorization The combination of SSLI and Bloxx s patented real-time content categorizer, Tru-View Technology (TVT), provides an effective method of categorizing and filtering SSL content whilst applying the appropriate filtering policy. Once the requested Web page has been retrieved, SSLI decrypts the content and passes this to TVT for analysis and categorization. In addition, the page is also passed to the filter s malware scanner to detect for viruses or other potentially harmful content. This means that the filtering policy for SSL traffic is applied based on the content of the page, not just the URL being requested. So for example, if the SSL page contains adult content, then TVT has the ability to categorize and block the page. Real-time content analysis and categorization coupled with the ability to decrypt and scan content for harmful malware programs ensures that your network is protected from newly emerging security threats and that your users and organization are further protected against accessing inappropriate or illegal content Securing End Points Increasingly, the types of malware programs mentioned above are being hidden within SSL traffic. Without decrypting SSL, how will you minimize the risk of infecting end points? The Bloxx Web Filter can help increase network security by checking for these potential threats hidden in SSL traffic before they reach end points. The Bloxx content filter decrypts the secure Web content which is passed to the filter s malware detection engine, enabling the content to be scanned and assessed for malicious code before it is passed on to the endpoint.
6 DEPLOYING BLOXX FILTERING WITH SSLI AND SSL ROOT CERTIFICATES To ensure that the browsing experience of users is not impacted when you deploy the Bloxx Web Filter or Secure Web Gateway to inspect SSL content, it is recommended that you install a new SSL Root Certificate on end point devices. It is worth highlighting that this is not an issue that is related to the way SSLI operates, but is a result of the way the SSL certificates have been designed to prevent tampering or other malicious activities. As previously mentioned, SSL uses X.509 digital certificates for authentication during an SSL session. When deployed to intercept SSL traffic, the Bloxx filter needs to become a Certificate Authority (CA) to ensure seamless and uninterrupted operation of SSL. To achieve this, To ensure that the browsing experience of users is not impacted when you deploy the Bloxx Web Filter or Secure Web Gateway to inspect SSL content, it is recommended that you install a new SSL Root Certificate on end point devices. It is worth highlighting that this is not an issue that is related to the way SSLI operates, but is a result of the way the SSL certificates have been designed to prevent tampering or other malicious activities. As previously mentioned, SSL uses X.509 digital certificates for authentication during an SSL session. When deployed to intercept SSL traffic, the Bloxx filter needs to become a Certificate Authority (CA) to ensure seamless and uninterrupted operation of SSL. To achieve this, the certificate provided by the Web server being accessed is automatically regenerated by SSLI. The name of the remote server and its altname are not changed. To achieve this seamless operation, all SSL clients must use the Bloxx SSL Certificate (or an alternative one that you generate) as a trusted Certificate Authority. To achieve this seamless operation, all SSL clients must use the Bloxx SSL Certificate (or an alternative one that you generate) as a trusted Certificate Authority. INSTALLING A ROOT CERTIFICATE To prevent warning and exception messages being displayed in users browsers, it is necessary to install a Root Certificate on client devices. There is a misplaced belief that doing this could expose organizations to additional security risks. However, it is important to note that when you create your own root certificate on the Bloxx filtering appliance, you are the only one with access your private key. Bloxx does not have access to this, and as such a potential hacker would need to be able to compromise the Bloxx appliance in order to capture sensitive information. This is due to the fact that no clear traffic travels over the network, but remains within the Bloxx filtering appliance. Installing the Certificate on End Points There are two possible approaches for installing a certificate on a client device. A default Bloxx CA certificate can be automatically generated, or alternatively it is possible to upload your own certificate, where you have the ability to control the issuer, subject, and expiry date. The auto-genetrated Bloxx certificate is valid for 10 years. Installing the Certificate on Wireless End Points For wireless devices such as tablets and smartphones, it is recommended that you place a link to download the Bloxx CA certificate (or whichever certificate you choose to use) on your Wi-Fi landing page.
7 DECRYPTION EXCEPTIONS A decryption exception means that SSLI will no longer intercept the secure traffic, but will simply verify that a site s security certificate is valid. There are two situations where you may require SSL traffic to remain encrypted. The most common use case is to ensure that personal details or highly sensitive data remain completely encrypted. This means that the Web filter cannot analyze and categorize traffic but will simply verify that a site s security certificate is valid and perform non-content-based filtering using the domain or IP address of the remote server, or CN and altnames from the certificate The other use case is when the SSL client is incompatible with SSLI because it does not provide a way to trust the Bloxx CA certificate. CONCLUSION In this white paper we have discussed several ways in which intercepting SSL traffic can increase network security, reduce the risk of inappropriate content being accessed and allow content filtering based on the content of the secure Web page being requested. The recommended approach to implementing SSL content inspection on your network is to consider the security implications from both perspectives. If SSL content inspection is not implemented, risks to your organization include allowing access to inappropriate content, increased risk from SSL anonymous proxies, and exposing your network to harmful malware which can compromise confidential information. On the other hand, the minimal possibility of your SSL traffic being compromised through the Bloxx content filter may present the lesser risk. When making use of SSLI capabilities, you have complete flexibility to select which sites to decrypt, thus creating the option to completely customize the way you filter different types of SSL traffic. For example you could choose to tunnel banking sites, but intercept all other SSL traffic. REFERENCES 1. SSL Performance Problems NSS Labs Analyst Brief, files/ %20ab%20ssl%20performance%20problems% c.pdfsdfsdrtrfsdf 2. Palo Alto Networks, Application Usage and Risk Report (7th Edition, May 2011). com/documents/application_usage_risk_report_ pdf t e. info@bloxx.com w. Copyright 2015 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Bloxx. Specifications are subject to change without notice.
Protecting Your Network Against Risky SSL Traffic ABSTRACT
Protecting Your Network Against Risky SSL Traffic ABSTRACT Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure
More informationInspection of Encrypted HTTPS Traffic
Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents
More informationDecryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationHTTPS Inspection with Cisco CWS
White Paper HTTPS Inspection with Cisco CWS What is HTTPS? Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). It is a combination of HTTP and a
More informationStopping secure Web traffic from bypassing your content filter. BLACK BOX
Stopping secure Web traffic from bypassing your content filter. BLACK BOX 724-746-5500 blackbox.com Table of Contents Introduction... 3 Implications... 4 Approaches... 4 SSL CGI Proxy... 5 SSL Full Proxy...
More informationIntegrated SSL Scanning
Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive
More informationHow to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper
How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter A Cymphonix White Paper How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter Introduction Internet connectivity
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationNext-Generation Firewalls: Critical to SMB Network Security
Next-Generation Firewalls: Critical to SMB Network Security Next-Generation Firewalls provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today s more
More informationThe Impact of Anonymous Proxies In Education
The Impact of Anonymous Proxies In Education 2014 Survey Results Proxies can be used to access pornographic or file sharing sites. during Once a student successfully finds a proxy site, everyone knows
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationSSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES
SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES Contents Introduction 3 SSL Encryption Basics 3 The Need for SSL Traffic Inspection
More informationDirect or Transparent Proxy?
Direct or Transparent Proxy? Choose the right configuration for your gateway. Table of Contents Direct Proxy...3 Transparent Proxy...4 Other Considerations: Managing authentication made easier.....4 SSL
More informationINSTANT MESSAGING SECURITY
INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationContent-ID. Content-ID URLS THREATS DATA
Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and
More informationHow Attackers are Targeting Your Mobile Devices. Wade Williamson
How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best
More informationTop five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
More informationWhite paper. How to choose a Certificate Authority for safer web security
White paper How to choose a Certificate Authority for safer web security Executive summary Trust is the cornerstone of the web. Without it, no website or online service can succeed in the competitive online
More informationContent-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.
Content-ID Content-ID enables customers to apply policies to inspect and control content traversing the network. Malware & Vulnerability Research 0-day Malware and Exploits from WildFire Industry Collaboration
More informationSSL Certificates: A Simple Solution to Website Security
SSL Certificates: A Simple Solution to Website Security SSL Certificates: A Simple Solution to Website Security 2 Secure Sockets Layer (SSL) Certificates, also known as digital certificates, assure you
More informationIntegrated SSL Scanning
Version 9.2 SSL Enhancements Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive
More informationThe Hidden Dangers of Public WiFi
WHITEPAPER: OCTOBER 2014 The Hidden Dangers of Public WiFi 2 EXECUTIVE SUMMARY 4 MARKET DYNAMICS 4 The Promise of Public WiFi 5 The Problem with Public WiFi 6 MARKET BEHAVIOR 6 Most People Do Not Protect
More informationWebsense Content Gateway HTTPS Configuration
Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationTable of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index
Table of Contents Chapter 1: Installing Endpoint Application Control System Requirements... 1-2 Installation Flow... 1-2 Required Components... 1-3 Welcome... 1-4 License Agreement... 1-5 Proxy Server...
More informationWildFire. Preparing for Modern Network Attacks
WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends
More informationSecuring your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationIntroduction to the Mobile Access Gateway
Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationSecuring your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
More informationNetwork protection and UTM Buyers Guide
Network protection and UTM Buyers Guide Using a UTM solution for your network protection used to be a compromise while you gained in resource savings and ease of use, there was a payoff in terms of protection
More informationITSC Training Courses Student IT Competence Programme SIIS1 Information Security
ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know
More informationhttp://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More informationTop tips for improved network security
Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a
More informationBest Practices for Secure Remote Access. Aventail Technical White Paper
Aventail Technical White Paper Table of contents Overview 3 1. Strong, secure access policy for the corporate network 3 2. Personal firewall, anti-virus, and intrusion-prevention for all desktops 4 3.
More informationCOORDINATED THREAT CONTROL
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
More informationSSL Performance Problems
ANALYST BRIEF SSL Performance Problems SIGNIFICANT SSL PERFORMANCE LOSS LEAVES MUCH ROOM FOR IMPROVEMENT Author John W. Pirc Overview In early 2013, NSS Labs released the results of its Next Generation
More informationApplications erode the secure network How can malware be stopped?
Vulnerabilities will continue to persist Vulnerabilities in the software everyone uses everyday Private Cloud Security It s Human Nature Programmers make mistakes Malware exploits mistakes Joe Gast Recent
More informationSSL Inspection Step-by-Step Guide. June 6, 2016
SSL Inspection Step-by-Step Guide June 6, 2016 Key Drivers for Inspecting Outbound SSL Traffic Eliminate blind spots of SSL encrypted communication to/from the enterprise Maintaining information s communication
More informationBEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options
BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNERS GUIDE TO SSL CERTIFICATES Introduction Whether you are an individual or a company, you
More informationExtending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper
with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationSecure Traffic Inspection
Overview, page 1 Legal Disclaimer, page 2 Secure Sockets Layer Certificates, page 3 Filters, page 4 Policy, page 5 Overview When a user connects to a website via HTTPS, the session is encrypted with a
More informationNorton Mobile Privacy Notice
Effective: April 12, 2016 Symantec and the Norton brand have been entrusted by consumers around the world to protect their computing devices and most important digital assets. This Norton Mobile Privacy
More informationPermeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions
Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an
More informationIntegrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013
Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,
More informationB database Security - A Case Study
WHITE PAPER: ENTERPRISE SECURITY Strengthening Database Security White Paper: Enterprise Security Strengthening Database Security Contents Introduction........................................................................4
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationMUNICIPAL WIRELESS NETWORK
MUNICIPAL WIRELESS NETWORK May 2009 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationQuick Start 5: Introducing and configuring Websense Cloud Web Security solution
Quick Start 5: Introducing and configuring Websense Cloud Web Security solution Websense Support Webinar April 2013 TRITON STOPS MORE THREATS. WE CAN PROVE IT. 2013 Websense, Inc. Page 1 Presenter Greg
More informationSecuring an IP SAN. Application Brief
Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.
More informationSSL Overview for Resellers
Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationJort Kollerie SonicWALL
Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential
More informationWhy You Need an SSL Certificate
Why You Need an SSL Certificate WHY YOU NEED AN SSL CERTIFICATE Introduction Recent numbers from the U.S. Department of Commerce show that online retail is continuing its rapid growth. However, malicious
More informationDownloading and Configuring WebFilter
Downloading and Configuring WebFilter What is URL Filtering? URL filtering is a type of transaction content filtering that limits a user s Web site access through a policy that is associated with a specific
More informationNext Gen Firewall and UTM Buyers Guide
Next Gen Firewall and UTM Buyers Guide Implementing and managing a network protected by point solutions is far from simple. But complete protection doesn t have to be complicated. This buyers guide explains
More informationPAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ
PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ
More informationProxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009
Proxy Blocking: Preventing Tunnels Around Your Web Filter Information Paper August 2009 Table of Contents Introduction... 3 What Are Proxies?... 3 Web Proxies... 3 CGI Proxies... 4 The Lightspeed Proxy
More informationA Modern Framework for Network Security in the Federal Government
A Modern Framework for Network Security in the Federal Government 1 A MODERN FRAMEWORK FOR NETWORK SECURITY IN THE FEDERAL GOVERNMENT Trends in Federal Requirements for Network Security In recent years,
More informationThe enemy within: Stop students from bypassing your defenses
The enemy within: Stop students from bypassing your defenses Computer literate K-12 students regularly use anonymizing proxies to bypass their school s web filters to access pornography, social networking,
More informationHow To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
More informationExtended SSL Certificates
Introduction Widespread usage of internet has led to the growth of awareness amongst users, who now associate green address bar with security. Though people are able to recognize the green bar, there is
More informationCertificate Management. PAN-OS Administrator s Guide. Version 7.0
Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationLooking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015
WHITEPAPER Looking Behind the Attacks - Top 3 Attack Vectors to Understand in 2015 Malcolm Orekoya Network & Security Specialist 30 th January 2015 Table of Contents Introduction... 2 Identity Defines
More informationSecure Web Appliance. SSL Intercept
Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...
More informationEnterprise Buyer Guide
Enterprise Buyer Guide Umbrella s Secure Cloud Gateway vs. Web Proxies or Firewall Filters Evaluating usability, performance and efficacy to ensure that IT teams and end users will be happy. Lightweight
More informationWICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
More informationHow to Gain Visibility and Control of Encrypted SSL Web Sessions >
White Paper How to Gain Visibility and Control of Encrypted SSL Web Sessions > Executive Summary Web applications (and their derivatives IM, P2P, Web Services) continue to comprise the overwhelming majority
More informationNetwork Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
More informationApplication Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag
Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
More informationSecure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications. www.vidyo.com 1.866.99.VIDYO
TECHNICAL NOTE Secure VidyoConferencing SM Protecting your communications 2012 Vidyo, Inc. All rights reserved. Vidyo, VidyoTechnology, VidyoConferencing, VidyoLine, VidyoRouter, VidyoPortal,, VidyoRouter,
More informationPortal Administration. Administrator Guide
Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationEndpoint web control overview guide. Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control
Endpoint web control overview guide Sophos Web Appliance Sophos Enterprise Console Sophos Endpoint Security and Control Document date: December 2011 Contents 1 Endpoint web control...3 2 Enterprise Console
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More information2010 White Paper Series. Layer 7 Application Firewalls
2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;
More informationThe Benefits of the thawte ISP Program
The Benefits of the thawte ISP Program Earn additional revenue by reselling thawte digital certificate products... 1. Overview 2. Who Should Join? 3. The ISP Program what are the Benefits? 4. How can you
More informationWildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks
WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on
More informationez Agent Administrator s Guide
ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,
More informationWebsense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications
Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications November, 2010 2010 Websense, Inc. All rights reserved. Websense is a registered
More informationWhitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot
Whitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot Since the mid-90 s, users transacting on the internet have been assured of security by the lock icon displayed on their browser and
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationUnderstanding Digital Certificates and Secure Sockets Layer (SSL)
Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?
More informationAVG AntiVirus. How does this benefit you?
AVG AntiVirus Award-winning antivirus protection detects, blocks, and removes viruses and malware from your company s PCs and servers. And like all of our cloud services, there are no license numbers to
More informationWhen your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.
Deployment Guide Revision C McAfee Web Protection Hybrid Introduction Web Protection provides the licenses and software for you to deploy Web Gateway, SaaS Web Protection, or a hybrid deployment using
More informationThe Key to Secure Online Financial Transactions
Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on
More informationWhat Do You Mean My Cloud Data Isn t Secure?
Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationSSL Certificates 101
Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer
More informationDeploying F5 with Microsoft Active Directory Federation Services
F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services
More informationA Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway
A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway Table of Contents Introduction... 3 Implementing Best Practices with the Websense Web Security
More informationWEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES
WEB PROTECTION Features SECURITY OF INFORMATION TECHNOLOGIES The web today has become an indispensable tool for running a business, and is as such a favorite attack vector for hackers. Injecting malicious
More informationDEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES *
DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES * Shamima Rahman Tuan Anh Nguyen T. Andrew Yang Univ. of Houston Clear Lake 2700 Bay Area Blvd., Houston, TX 77058 rahmans3984@uhcl.edu nguyent2591@uhcl.edu
More information