Decrypt Inbound SSL Traffic for Passive Security Device (D-H)




SSL Visibility Appliance First Steps Guide

Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085 Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland 6/9/2015

Table of Contents

Decrypt Inbound SSL Traffic for Passive Security Device (D-H)
    Passive-Inline Deployment Mode
Install SSL Visibility Appliance with Passive Security Device
Import Known Server Keys and Certificates
    Export the Certificate and Private Key from the Internal SSL Server
    Upload the Key and Certificate to the SSL Visibility Appliance
Create Rule to Test Installation
Create a Segment for Passive-Inline Mode
    Add a Segment
    Activate a Segment
Verify Installation (Inbound)
Create Rule to Test Decryption (Inbound)
Verify Decryption

Decrypt Inbound SSL Traffic for Passive Security Device (D-H)

Follow the steps below to set up the SSL Visibility Appliance to decrypt inbound SSL traffic and send it, together with all other traffic, to an attached passive security device. The SSL servers are located inside the enterprise network, so their server keys and certificates can be uploaded to the SSL Visibility Appliance. The network uses the Diffie-Hellman (D-H) key exchange method. With D-H, the session keys cannot be recovered by merely observing a copy of the handshake, even when the server's private key is known; this is why the appliance is deployed inline (Passive-Inline mode) rather than only receiving a copy of the traffic.

Passive-Inline Deployment Mode

1. Install the SSL Visibility Appliance into the network. See "Install SSL Visibility Appliance with Passive Security Device".
2. Download the known server keys and certificates from internal servers and upload them to the SSL Visibility Appliance. See "Import Known Server Keys and Certificates".
3. Create a ruleset with a catch-all action of Cut Through. See "Create Rule to Test Installation".
4. Create a segment for Passive-Inline mode. See "Create a Segment for Passive-Inline Mode".
5. Test and verify that the SSL Visibility Appliance is not blocking traffic, using the SSL Session Log to show the results. See "Verify Installation (Inbound)".
6. Create a rule to decrypt everything from a specific source IP (your laptop). See "Create Rule to Test Decryption (Inbound)".
7. Use the SSL Session Log to verify that the SSL Visibility Appliance is decrypting properly. See "Verify Decryption".
8. Delete the decryption testing rule, and create your own policies to define what traffic you want to decrypt, reject, or drop.

Install SSL Visibility Appliance with Passive Security Device

To install the SSL Visibility Appliance with a passive security device in your network, follow the steps below.

[Figure: Network diagram before SSL Visibility Appliance]

[Figure: Network diagram after installing SSL Visibility Appliance]

Tip: For details about initial configuration and licensing of the SSL Visibility Appliance, refer to the Quick Start Guide that came with your appliance.

1. Connect the Management port on the SSL Visibility Appliance to your management network.
2. Connect port 1 on the SSL Visibility Appliance to your LAN switch.
3. Connect port 2 to the firewall or router.
4. Connect the security device to port 3 on the SSL Visibility Appliance.

Next Step: "Import Known Server Keys and Certificates"

Import Known Server Keys and Certificates

To inspect inbound traffic to an internal SSL server, you export a copy of the server's SSL certificate and private key and upload them to the SSL Visibility Appliance. You import known server certificates and keys into the all-known-certificates-with-keys list.

Export the Certificate and Private Key from the Internal SSL Server

On your internal SSL server, export the certificate and its private key in one of the following supported formats: PEM, PKCS#8, DER, PKCS#12. Protect the exported file with a strong password so that the private key is well protected.

Caution: You must export the private key along with your certificate for it to be valid on the SSL Visibility Appliance.

Upload the Key and Certificate to the SSL Visibility Appliance

Make sure the exported certificate and key files are in a location the SSL Visibility Appliance can access.

1. Select PKI > Known Certificates and Keys.
2. In the Known Certificates with Keys Lists panel, click the all-known-certificates-with-keys entry.
3. In the panel below, Known Certificates with Keys, click Add. The Add Known Certificate with Key window displays.
4. Specify the files to import and enter the password you created when exporting the certificate.
5. Click Add.

   Note: If you have a single file (such as a .pfx file) that contains both the certificate and private key, you only need to import the certificate file. The SSL Visibility Appliance will recognize that the private key is included and will not require you to import it separately.

   If the key and certificate are valid, you will see a message confirming that the certificate has been added. The key displays as a row in the Known Certificates with Keys panel.

6. Apply the PKI Changes.

Next Step: "Create Rule to Test Installation"
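As an added example (not Blue Coat's own tooling), the following script uses openssl to produce the kind of export this section describes and checks it before upload: it confirms that the file carries the private key alongside the certificate (the Caution above) and that the key actually matches the certificate. The file names, the server CN and the passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Blue Coat tooling: build a certificate-plus-private-key bundle in one of
# the formats the guide lists (PKCS#12 here, PEM as the alternative) and check, before it is
# uploaded to the SSL Visibility Appliance, that it really carries the private key and that
# the key matches the certificate. Every file and name below is constructed test data.
WORK="${WORK:-$(mktemp -d)}"                          # scratch directory
PASS="${PASS:-example-export-passphrase-CHANGE-ME}"   # placeholder export password

# Constructed stand-in for the internal SSL server's identity (self-signed, valid one day).
make_test_server_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=intranet.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Export the certificate and its private key together as a password-protected PKCS#12 file.
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -out "$WORK/server.pfx" -passout "pass:$PASS"
}

# bundle_check FILE: prints "ok" when FILE holds a certificate plus a matching private key,
# otherwise a short reason. Handles .pfx/.p12 and PEM bundles; PASS unlocks encrypted keys.
bundle_check() {
  f="$1"
  case "$f" in
    *.pfx|*.p12)
      cert_pub=$(openssl pkcs12 -in "$f" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
                 | openssl x509 -noout -pubkey 2>/dev/null) || { echo "no-certificate"; return 0; }
      key_pub=$(openssl pkcs12 -in "$f" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
                | openssl pkey -pubout 2>/dev/null) || { echo "no-private-key"; return 0; } ;;
    *)
      cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || { echo "no-certificate"; return 0; }
      key_pub=$(openssl pkey -in "$f" -passin "pass:$PASS" -pubout 2>/dev/null) || { echo "no-private-key"; return 0; } ;;
  esac
  # The public key taken from the certificate must equal the one derived from the private key.
  if [ "$cert_pub" = "$key_pub" ]; then echo "ok"; else echo "key-does-not-match-certificate"; fi
}

make_test_server_identity
export_pkcs12
bundle_check "$WORK/server.pfx"                           # ok: this is the file to upload

# The Caution case: a certificate exported without its key is rejected by the check.
cp "$WORK/server.crt" "$WORK/cert-only.pem"
bundle_check "$WORK/cert-only.pem"                        # no-private-key

# A PEM bundle assembled with the wrong key (constructed here) is caught before upload too.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
cat "$WORK/server.crt" "$WORK/other.key" > "$WORK/mismatched.pem"
bundle_check "$WORK/mismatched.pem"                       # key-does-not-match-certificate
```

Run the same bundle_check against the real export from your server (with PASS set to the export password) before uploading it; "no-private-key" means the export did not include the key and the appliance will not accept it.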

Create Rule to Test Installation

To make sure your SSL Visibility Appliance is connected and configured properly, you should create a basic ruleset that tests that traffic isn't getting blocked. To perform this test, create a ruleset with a Catch All Action of Cut Through.

1. Select Policies > Rulesets.
2. In the Rulesets panel, click the Add icon.
3. In the Add Ruleset window, enter a name for the ruleset and click OK.
4. In the Ruleset Options panel, click the Edit icon.
5. Confirm that the Catch All Action is Cut Through.
6. Apply the Policy Changes.

Next Step: "Create a Segment for Passive-Inline Mode"

Create a Segment for Passive-Inline Mode

Note: Before you create the segment, make sure you have determined your deployment mode and created a ruleset for the segment.

There are two steps to creating a segment: adding and activating.

Add a Segment

1. Select Policies > Segments.
2. Click the Add icon.
3. Click Edit to select the Mode of Operation.
4. For Mode of Operation, choose Passive Inline.
5. Click OK.
6. Select the Ruleset you previously created.
7. Choose the desired Session Log Mode.
8. Enter a brief description of the segment in the Comments box.
9. Click OK. The new segment appears in the Segments panel.
10. Apply the Policy Changes.

Activate a Segment

1. Select Policies > Segments.
2. In the Segments panel, select the segment to activate.
3. Click the Activate icon. The Segment Activation window displays.

   During segment activation, a series of screens appears that allow you to select the ports to be used for the segment, and to select any copy ports and the modes in which the copy ports will operate. Connect any copy ports to your passive security devices (for example, Security Analytics or an IDS).

   Note: You may need more than one physical port to feed your passive device, depending on the amount of network traffic. For example, if you have 1GB of traffic in each direction, you will need to connect two copy ports to the security device, and decide whether you want to load balance or send all inbound traffic through one port and all outbound traffic through another. Note that you can connect up to two passive devices to the SSL Visibility Appliance and each device can connect to one or two copy ports.

4. Follow the prompts. Once the segment is active, the system dashboard displays a green background for the segment, and there are entries under Main Interfaces and Copy Interfaces (if applicable to your deployment).
5. Apply the Policy Changes.

Next Step: "Verify Installation (Inbound)"

Verify Installation (Inbound)

To test and verify that the SSL Visibility Appliance is not blocking traffic, you can view the on-box SSL Session Log.

1. Access the inside SSL servers you imported certificates for.
2. Is all traffic being blocked? If so, your SSL Visibility Appliance may not be connected properly to the network. Review the steps for your deployment mode.
3. To see a list of recent SSL sessions, select Monitor > SSL Session Log.
4. Look for the domains of the servers you accessed, and observe the value in the Action column. Since the initial rule you created cuts through all traffic, the Action should say Cut Through for all sessions.

Next Step: "Create Rule to Test Decryption (Inbound)"

Create Rule to Test Decryption (Inbound)

To test that the SSL Visibility Appliance is decrypting SSL traffic, add a rule that decrypts everything from a specific source IP (your laptop).

1. Select Policies > Rulesets.
2. In the Rulesets panel, select the ruleset you previously created.
3. In the Rules panel, click the Insert icon to add a new rule. The Insert Rule dialog displays.
4. For Action, select Decrypt (Certificate and Key Known).
5. Select one of the following:
   - If you imported just one certificate, select Known Certificate with Key and choose the certificate you imported.
   - If you imported multiple certificates, select Known Certificates with Keys and All Known Certificates with Keys.
6. For Source IP, enter the IP address of your computer.
7. Click OK.
8. Apply the Policy Changes.

Next Step: "Verify Decryption"

Verify Decryption

To test and verify that the SSL Visibility Appliance is decrypting traffic according to the rules you created, you can view the SSL Session Log.

1. Access a variety of websites or internal SSL servers. If you have created policies for specific host categories, domains, IP addresses, and so forth, make sure to go to websites that test these policies.
2. To see a list of recent SSL sessions, select Monitor > SSL Session Log.
3. Look for the domains of the websites/servers you visited, and observe the value in the Action column. Is the value you expected listed? For example, if you wanted the SSL Visibility Appliance not to decrypt a particular type of traffic, does the Action say Cut Through? For sessions you wanted to be decrypted, does the Action say Decrypt? If you see unexpected values, review your policies.

Note: When a session is decrypted, the Action column will show either Resign Certificate (if the deployment is using the certificate resigning method) or Certificate and Key Known (if you have imported known certificates and keys).

Final Step: Delete the decryption testing rule, and create your own policies to define what traffic you want to decrypt, reject, or drop.