Inspection of Encrypted HTTPS Traffic


Technical Note: Inspection of Encrypted HTTPS Traffic
StoneGate version 5.0 SSL/TLS Inspection

Table of Contents

Overview ... 3
Why HTTPS Inspection is Needed ... 3
Network-based Security Enforcement ... 3
Risks in HTTP Traffic ... 4
Browser Attacks ... 4
Filtering Malicious Content ... 5
Technical Description ... 6
What Can Be Inspected ... 6
Transparency of the Inspection ... 6
What Information is Included in the Logs ... 6
Administration of StoneGate Firewall and IPS ... 7

Inspection of Encrypted HTTPS Traffic

Overview

StoneGate Firewall version 5.0 and StoneGate IPS version 5.0 can open encrypted HTTPS traffic for security inspection. This gives network security administrators the ability to monitor the traffic inside the encrypted TLS/SSL tunnel, and to detect and react if there is any unwanted content. The benefit of the feature is that administrators can ensure that no attacks, viruses, or other unwanted content can enter the organization's network by disguising themselves inside the encryption cloak.

Why HTTPS Inspection is Needed

Before listing the benefits of HTTPS inspection, let us first discuss why the appropriate security enforcement cannot be done solely on the workstation end.

Network-based Security Enforcement

In many organizations, information technology security is enforced in numerous different locations. Some security enforcement may be done on the workstations and the servers, whereas other enforcement must be done in the network. The reasons for network-based security devices include, among other things, cost-effectiveness and the ability to monitor workstations that lack host-based security. With the increase of virtual hosts within workstation computers, the need for network-based security grows even further.

The encryption used by HTTPS traffic means that under normal circumstances, the traffic inside the encrypted tunnel cannot be read or modified. The purpose of the encryption is to ensure the integrity and confidentiality of the data while in transit over the network. The encryption, however, also conceals the encrypted data from the supervision of network-based security devices. As the organization's security relies heavily on enforcement in the network, the encrypted HTTPS channel acts as a means to bypass the security functions. A controlled way to open the encryption in the network and to submit the opened traffic for the same inspection as clear-text HTTP data eliminates this blind spot in the network protection.

Risks in HTTP Traffic

There are many reasons why HTTP traffic inspection increases the organization's security. All these reasons apply to HTTPS traffic as well.

Browser Attacks

Attacks against vulnerable browsers have been on the rise for many years. A typical attack scenario is to send the target user an email that contains a link to a malicious web page. By clicking the link, the user instructs the browser to connect to the web server on the Internet. The server may then attack the browser and even compromise the host if the browser is vulnerable to the attack.

Compromised web sites are another potential source of attacks. Consider this example: an employee visits a familiar web site that uses HTTPS. The employee assumes the web site is secure because it uses encryption. However, the web site has been hacked, and now the hacker can use the web site to attack the employee's browser and exploit a known vulnerability. Once the browser has been compromised, the web site installs malware on the system, which can then "call home". Now the employee's computer can be used, for example, as part of a botnet, or the malware can be used to disclose confidential company information. Traditional network security protection systems could not do anything to stop this, as all the traffic between the employee's computer and the web site was encrypted. The HTTPS inspection feature in StoneGate 5.0 eliminates the problem and stops attacks hiding inside encrypted traffic. Similarly, HTTPS inspection allows administrators to prevent old and vulnerable browsers from connecting to the Internet, decreasing the risk even further.

Server Protection

Server protection is needed to protect company servers from being compromised, which in turn may lead to other implications, such as loss of confidential data. In addition to direct financial implications, the loss of valuable data may have indirect consequences, such as the loss of credibility in the eyes of customers. Additionally, fulfilling regulatory compliance or a contractual obligation may require the ability to inspect encrypted traffic. For example, the Payment Card Industry Data Security Standard sets clear requirements for protecting cardholder data. To meet these requirements, companies may need to be able to look inside the encrypted traffic.

StoneGate Firewall/VPN and IPS products offer protection against attempts to exploit vulnerabilities in web server software, both over clear-text HTTP and inside TLS/SSL encrypted HTTPS. Known vulnerabilities in major web server software, such as Microsoft Internet Information Server and the Apache software, are covered. The exploit protection is based on known vulnerabilities, which means that a new exploit variant against an old vulnerability is also detected and blocked by the StoneGate network security device.

Filtering Malicious Content

In addition to attacks, HTTPS inspection allows administrators to control what kind of content is transferred over the network. The organization's security policy may prohibit certain file types, files containing viruses, scripts, ActiveX, or other possibly unwanted content. Without HTTPS inspection, content filtering covers only clear-text HTTP traffic. HTTPS inspection adds coverage for encrypted HTTPS traffic as well.

Technical Description

HTTPS inspection can be implemented in an organization by deploying the StoneGate Firewall or IPS in the organization's network and by enabling the HTTPS inspection feature. The Firewall or IPS comes with a new Certificate Authority (CA) certificate that should be installed in the browsers of all workstations in the organization. Administrators configure what network traffic is subject to the inspection, the list of the unwanted content the Firewall or IPS monitors, and finally the level of logging the system provides.

What Can Be Inspected

With the default configuration, the StoneGate Firewall or IPS devices monitor only for clear text attacks, viruses, or similar abuse. HTTPS connections that do not trigger any signature do not produce any logs of the inspection process. The administrator can optionally configure the system to monitor for other events as well. For example, the administrator may decide that vulnerable browser versions are prohibited from connecting to the Internet, that certain file types may not be downloaded, or that some other administrator-defined content is terminated.

Transparency of the Inspection

HTTPS inspection creates two separate secure connections: one from the client web browser to the Firewall or IPS engine, and one from the engine to the HTTPS server. Browsers within the organization that contain the new CA certificate of the StoneGate Firewall or IPS do not warn users, even though the Firewall or IPS breaks the end-to-end encryption of the HTTPS traffic. A user who knows where to look may study the details of the certificate in the web browser and learn whether a particular connection is being inspected. However, the user cannot confirm how the traffic is being inspected if inspection is enabled.

What Information is Included in the Logs

StoneGate Firewall and IPS provide logs on two levels. Access logs contain information about the connection, such as the IP addresses, ports, and the time when the connection happened. Inspection logs are provided only if the content of the traffic matches any of the signatures that are looked for in the traffic. Inspection logs contain information about the event that has been detected in the traffic. For example, an inspection log could show that a certain type of attack was detected from the web server to the browser, but was terminated by the Firewall or IPS. Inspection logs in the default configuration contain the IP addresses, the event name and description, the URL that triggered the event, and the time when the event occurred. The administrator may also configure the system to provide more detailed information about the traffic in the logs.
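The transparency section above says a user who knows where to look can tell from the certificate whether a connection is being inspected. The following added example (not Stonesoft code) automates that check: it classifies the certificate a client receives by its issuer, treating the gateway CA name `INSPECTION_CA_CN` as an assumed placeholder, and the sample certificate dictionaries are constructed in the shape Python's `getpeercert()` returns.

```python
import socket
import ssl

# Placeholder (assumed, not a real value): the common name of the CA
# certificate that the inspecting Firewall/IPS installs in browsers.
INSPECTION_CA_CN = "Example Corp HTTPS Inspection CA"

def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') from a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def classify_cert(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf certificate was issued by the gateway CA,
    otherwise 'direct'. `cert` has the shape ssl.SSLSocket.getpeercert() returns."""
    if rdn_value(cert.get("issuer", ()), "commonName") == inspection_ca_cn:
        return "inspected"
    return "direct"

def probe(host, port=443, timeout=5.0):
    """Connect over TLS and classify the certificate actually presented.
    The system trust store is used, so the gateway CA must be installed
    there (as the note says it must be in browsers) for the handshake to pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return classify_cert(cert), rdn_value(cert["issuer"], "commonName")

# Constructed sample shaped like getpeercert() output: the server's leaf
# re-signed by the gateway CA, as a client behind inspection would see it.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", INSPECTION_CA_CN),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
# The same site reached without inspection: issued by a public CA (constructed name).
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}

if __name__ == "__main__":
    print(classify_cert(SAMPLE_INSPECTED), classify_cert(SAMPLE_DIRECT))
```

`probe()` is the live version of the same check and needs network access; `classify_cert()` is what a browser user is doing by hand when reading the issuer field.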

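To show how the two log levels described above fit together, here is an added example (not Stonesoft code) that parses constructed access-log and inspection-log lines carrying the fields the note lists, and joins each inspection event to the client connection it occurred in. The key=value line format is invented for illustration and is not StoneGate's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (key=value), not captured from a real device.
ACCESS_LOG = """\
2009-07-01T10:00:01 src=10.1.1.5 sport=51234 dst=203.0.113.10 dport=443 action=allow
2009-07-01T10:00:07 src=10.1.1.9 sport=51240 dst=203.0.113.20 dport=443 action=allow
2009-07-01T10:01:30 src=10.1.1.5 sport=51300 dst=203.0.113.30 dport=443 action=allow
"""
# Inspection logs describe the event from the server side toward the browser.
INSPECTION_LOG = """\
2009-07-01T10:00:02 src=203.0.113.10 dst=10.1.1.5 event="Browser exploit attempt" url=https://203.0.113.10/index.html action=terminate
2009-07-01T10:00:08 src=203.0.113.20 dst=10.1.1.9 event="Prohibited file type" url=https://203.0.113.20/tool.exe action=terminate
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one constructed log line into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    rec = {"time": datetime.fromisoformat(ts)}
    for key, value in KV.findall(rest):
        rec[key] = value.strip('"')
    return rec

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def join_events(access, inspection, window_s=5):
    """Attach each inspection event to the client connection it occurred in.
    The access entry's client (src) is the event's dst and its server (dst)
    is the event's src; the event must follow the connection within window_s."""
    hits = []
    for ev in inspection:
        for conn in access:
            delta = (ev["time"] - conn["time"]).total_seconds()
            if conn["src"] == ev["dst"] and conn["dst"] == ev["src"] and 0 <= delta <= window_s:
                hits.append({"client": conn["src"], "sport": conn["sport"],
                             "event": ev["event"], "url": ev["url"], "action": ev["action"]})
                break
    return hits

def terminated_per_client(hits):
    """Count terminated events per client IP, a quick view of who was targeted."""
    counts = defaultdict(int)
    for h in hits:
        if h["action"] == "terminate":
            counts[h["client"]] += 1
    return dict(counts)
```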
Administration of StoneGate Firewall and IPS

StoneGate Firewall and IPS products are professional tools that can be used to significantly reduce the risk level in the organization's computer networks. The same products, however, in the wrong hands may also be used to violate other people's privacy or to cause harm otherwise. Therefore the administrative functions are secured against unauthorized use. StoneGate Firewalls and IPS devices contain very sophisticated methods to ensure that only the authorized administrators may change the configuration or read the provided logs. These administrative security features include strong authentication for administrators (RADIUS support), encrypted and two-way authenticated connections between the StoneGate components, role-based access control for administrators, detailed audit logs of administrator actions, and dedicated log servers to better enable the securing of the log data.

Note: Traffic that uses HTTPS may be protected by laws related to the privacy of communications. Decrypting and inspecting this traffic may be illegal in some jurisdictions.

About Stonesoft

Stonesoft Corporation (NASDAQ OMX: SFT1V) is an innovative provider of integrated network security solutions to secure the information flow of distributed organizations. Stonesoft customers include enterprises with growing business needs requiring advanced network security and always-on business connectivity. The StoneGate Secure Connectivity Solution unifies firewall, VPN, IPS and SSL VPN, blending network security, end-to-end availability and award-winning load balancing into a unified and centrally managed system. The key benefits of the StoneGate solution include low TCO, excellent price-performance ratio and high ROI. The StoneGate Virtual Security Solutions protect the network and ensure business continuity in both virtual and physical network environments. StoneGate Management Center provides unified management for StoneGate Firewall with VPN, IPS and SSL VPN. StoneGate Firewall and IPS work together to provide intelligent defense all over the enterprise network, while StoneGate SSL VPN provides enhanced security for mobile and remote use. Founded in 1990, Stonesoft Corporation is a global company with corporate headquarters in Helsinki, Finland and Americas headquarters in Atlanta, Georgia. For more information, visit www.stonesoft.com.

Copyright July 09 Stonesoft Corporation. All rights reserved. All specifications are subject to change.