How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper



Similar documents
Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Filter Avoidance and Anonymous Proxy Guard

The Benefits of SSL Content Inspection ABSTRACT

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

C YMPH O N IX NET W O R K C OMPO SER. Reveal. Optimize. Protect.

HTTPS Inspection with Cisco CWS

Integrated SSL Scanning

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Intro to Firewalls. Summary

Direct or Transparent Proxy?

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

1110 Cool Things Your Firewall Should Do. Extending beyond blocking network threats to protect, manage and control application traffic

Secure Networks for Process Control

Integrated SSL Scanning

INSTANT MESSAGING SECURITY

How to Gain Visibility and Control of Encrypted SSL Web Sessions >

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Proxies. Chapter 4. Network & Security Gildas Avoine

Deploying F5 to Replace Microsoft TMG or ISA Server

Best Practices for Controlling Skype within the Enterprise > White Paper

Controlling SSL Decryption. Overview. SSL Variability. Tech Note

Version 1.0 January Xerox Phaser 3635MFP Extensible Interface Platform

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

Cisco Cloud Web Security Key Functionality [NOTE: Place caption above figure.]

Inspection of Encrypted HTTPS Traffic

GoToMyPC Corporate Advanced Firewall Support Features

Chapter 8 Router and Network Management

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

McAfee Web Gateway 7.4.1

CMPT 471 Networking II

Barracuda Web Filter Demo Guide Version 3.3 GETTING STARTED

Test Case 3 Active Directory Integration

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief


Installation and configuration guide

How To Choose A Network Firewall

Automatic Hotspot Logon

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Internet Privacy Options

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

REPORT & ENFORCE POLICY

Installation and configuration guide

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Reverse Proxy with SSL - ProxySG Technical Brief

Still Using Proxies for URL Filtering? There s a Better Way

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Chapter 6 Virtual Private Networking Using SSL Connections

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

User Guide. You will be presented with a login screen which will ask you for your username and password.

efolder White Paper: Three Network Security Tools to Block Dropbox in the Workplace

Setting Up SSL on IIS6 for MEGA Advisor

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

FAQs for Oracle iplanet Proxy Server 4.0

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

Table of Contents. Chapter 1: Installing Endpoint Application Control. Chapter 2: Getting Support. Index

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide

SSL Decryption: Benefits, Configuration and Best Practices

Pre-Installation Instructions

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

WebMarshal User Guide

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11

FileCloud Security FAQ

Palo Alto Networks Gets Top Marks for Solving Bandwidth and Security Issues for School District

ISA Server Plugins Setup Guide

How to Optimize MS Outlook Exchange Traffic Over SSL

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Secure Traffic Inspection

Proxy Services: Good Practice Guidelines

Chapter 4 Firewall Protection and Content Filtering

Guidance Regarding Skype and Other P2P VoIP Solutions

McAfee Web Reporter Turning volumes of data into actionable intelligence

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLĂ„RNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed Web security

Protecting the Infrastructure: Symantec Web Gateway

Web Application Firewall

SSL EXPLAINED SSL EXPLAINED

Next-Generation Firewalls: Critical to SMB Network Security

How To Configure SSL VPN in Cyberoam

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Secure Web Appliance. Reverse Proxy

Websense Web Security Gateway: What to do when a Web site does not load as expected

Networking for Caribbean Development

Blue Coat Security First Steps Solution for Controlling HTTPS

AccessEnforcer. HTTPS web filter overview

Enterprise Toolbar User s Guide. Revised March 2015

Transcription:

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter A Cymphonix White Paper

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter Introduction Internet connectivity is an essential resource for all types of organizations. Utilization of the Internet for research, communications and other mission-critical activity for transacting business, increases daily. Unfortunately, utilization of the Internet for noncritical and detrimental activities outpaces critical activity substantially1. This increase of both types of traffic creates a significant challenge for Network Managers; how to limit non-critical and detrimental traffic to ensure mission-critical traffic has the resources it needs. To complicate the matter, the various traffic types are created by both web browsing activity and application activity. While there are many solutions that address controlling browsing activity, and a few that address application activity, there are very few that handle both well. Finally, in addition to sorting out mission critical and non-critical traffic generated by both applications and browsing activity, Network Administrators must control the impact of secured browsing traffic. Critical applications are moving to the Internet. Organizations manage contacts with online CRM tools, bank, purchase equipment and perform a myriad of other activities online. Because of the sensitive nature of the data, this type of traffic is often secured. Although encryption provides a tremendous benefit to organizations that want to keep data traveling over the Internet secure, it also adds to the challenge of prioritizing resources for mission critical activity. Because the traffic is encrypted, Network Administrators have no way to determine if the data being transmitted is critical, non-critical or even malicious creating a virtual blind spot in security protection, risk mitigation and Internet usage policy enforcement. Implications Resource Management Network Administrators are held responsible for timely application delivery, whether the application is local, hosted remotely or being served from the Internet. Although bandwidth continues to drop in price and is more readily available, Administrators continue to face overloaded circuits. This occurs most often due to cluttered and un-prioritized Internet data streams meaning, all users and applications compete for the same resources with little or no prioritization whatsoever. For example, user abuse of encrypted traffic for inappropriate browsing sessions or proxy anonymizing applications can eat up resources that should be used for mission critical activity. Risk Mitigation Traffic passing through secured browsing sessions goes unchecked. While this works well for keeping data private, it can be abused by users and sites attempting to infiltrate the network. users that download information over a secured connection prevent spyware and virus scans from verifying the safety of the content. When content is downloaded without these safety precautions, Administrators find their data and overall safety of the network at risk. Internet Usage Policy Enforcement In addition to preventing spyware and virus scans, users that download content over secure connections can easily bypass traditional content filtering controls. While all organizations face tremendous risk of litigation for not maintaining safe access to the Internet, lack of filtering controls is specifically problematic for educational institutions. Schools must maintain CIPA compliance to qualify for funding and to limit the liability of potentially exposing children to inappropriate material. When gaps result from such at tremendous lack of control, compliance and user safety are lost. Approaches Due to the tremendous risks associated with encrypted Internet content, organizations must implement a solution that provides full visibility and control over secure traffic. The new Secure Web traffic visibility feature from Cymphonix allows Network Managers the same visibility and control for secure web traffic as they have for unsecured web traffic. Implementing a solution that addresses both application traffic and secured/unsecured browsing traffic will make it possible for Administrators to maintain Internet usage guidelines across all web traffic. Secure Web Traffic The most prevalent form of encryption used is Secure Socket Layer (SSL). SSL allows for a secure tunnel to be established between the user (client) and the web site (server). Secure web traffic is referred to in many ways with the most common being HTTPS and SSL web traffic. HTTPS utilizes SSL encryption to create a secure tunnel between the client and server to transmit website content through the tunnel. Cymphonix Corporation, Cymphonix, Network Composer, Cross-Layer Intelligence, Li and the Cymphonix Logo are trademarks of Cymphonix. All other trademarks are property of their respective owners. All rights reserved.

SSL CGI Proxy This type of proxy has the user enter the URL they want to browse into a web form. The CGI script processes the request and fetches the page on behalf of the user. The CGI script changes the links and image references in the web page to point to the URL of the CGI script. All the web requests are going to and from the CGI script so that in most cases URL database categorization cannot be accurately done. All the web requests go to the host of the CGI proxy even if in the original HTML went to many different servers. Tradiditional Content Filtering solutions are blind to the content inside the SSL tunnel Why does Secure Web Traffic cause problems? The benefits of SSL are what cause the problems for traditional content filtering solutions. With an HTTPS web connection the contents of the web traffic are contained within the SSL tunnel and are not visible to the external filtering devices that would normally enforce Internet usage policies. Traditional web filters are designed to filter based on being able to read URL data. Because HTTPS requests contain only a very limited amount of data (which may be spoofed or inaccurate if provided by an anonymous proxy) relating to the destination and the contents of the request, filters cannot identify the content and are unable to filter. Client URL Content Filter Internet SSL Tunnel Web traffic is transmitted within the SSL tunnel SSL provide protection against data theft SSL Anonymous Proxies Because it works so well, filter avoidance solutions commonly leverage SSL to allow users to bypass content filters. They do this primarily with three methods; SSL CGI Proxy, SSL Full Proxy and Application-Based networks across SSL like the Tor Network and Socks 4&5. Web Server Some solutions rely on their maintenance of a database of URL s and IP addresses of these sites to prevent filter subversion. Due to the simplicity of setting up sites to bypass filters in this manner, it is very difficult to keep up with the number of IP addresses and URL s as they can change hourly. Anyone on the Internet with a public IP address can easily setup a proxy like this. There are even Windows versions that can be easily installed on a student s home machine for example allowing them to use their home computer to bypass the school s content filter while using the school s network. Users can also sign up for mailing lists to receive hundreds of available IP s daily to get around content filters. Because URL database maintenance works so poorly in this case, the only way to effectively stop this type of inappropriate use is to perform full content analysis. Network Composer s SSL Full Content Filtering allows it to analyze the content of the web site so if an IP or URL is accessed that does not get filtered by the database, it will be filtered by content analysis. Then, if a URL or IP address is not presently found in the Network Composer database, it is sent to Cymphonix automatically to be categorized and added to the URL database. This approach ensures content is filtered regardless of URL or SSL encryption. SSL Full Proxy This method requires the user to modify their browser settings to use a proxy server. Since this method requires the user to change their browser settings it is less popular, but nonetheless is a very effective way to bypass content filters. Often, these proxy server sites use non-standard, unchecked port numbers to bypass content filtering. Traditional filters cannot even see the traffic and therefore are unable to filter it. Because Network Composer identifies application traffic regardless of port or protocol, it can identify web browsing activity and ensures HTTP, HTTPS and Cymphonix Corporation, Cymphonix, Network Composer, Cross-Layer Intelligence, Li and the Cymphonix Logo are trademarks of Cymphonix. All other trademarks are property of their respective owners. All rights reserved.

SSL traffic are filtered according to policy. Application-based Networks across SSL Tor Network is on example of an SSL based network built to allow users to anonymize their web browsing and bypass content filters. Tor normally uses non standard port numbers to avoid detection, encrypts traffic via SSL connections and can be run from an external memory device such as a UBS thumb drive. This combination of filter avoidance tactics makes it, and applications like it, a very effective way to get around content filters. Even on PCs with application installation controls in place, users can easily run the application from an external device, connect via SSL and browse without controls. Network Composer is one of the only solutions that can block and control traffic from these types of applications. Because Network Composer includes deep-packet scanning and layer 7 identification capabilities, it can identify these applications and apply policy to prevent the risks associated with them. SSL Filtering Methods: SSL Certificate Filtering This is the most common form of SSL filtering offered by content filtering appliances. This method attempts to validate the host name or CN from the server certificate. Once the host name is obtained it is categorized by a URL database. Advantages A CA certificate does not need to be installed on the client web browser Basic filtering works if the host name is known in the URL database Disadvantages The user cannot be presented with a denied access page. Typically the user will see the Page could not be displayed browser error. The user has no way of knowing if his page request was blocked by a content filter or because of network connectivity problems Only a URL database check can be done. Since the content of an allowed connection is encrypted, the HTTP data cannot be used for categorization. This is specifically problematic with new websites that have not yet been categorized. Downloads cannot be scanned for viruses Spyware MD5 sum checks cannot be performed Spyware Class ID checks cannot be performed Streaming media traffic cannot be properly identified and controlled MIME and file types cannot be logged or specifically blocked SSL anonymous proxies can be used if the IP or URL is not in the database. SSL Full Content Filtering This method is the most robust and complete of the three discussed methods. With this method there is a secure connection between the Network Composer and the user, and a separate secure connection between Network Composer and the server. The Network Composer is acting as an SSL proxy. Because Network Composer can terminate the SSL connection, data can be fully inspected. The Network Composer generates and sends the browser a CA-signed certificate for the host name that was requested. This certificate is installed on the client s browser via a download URL or optionally distributed via Active Directory. And finally, the customer provides the data for the CA certificate to make know who is inspecting and filtering the encrypted data. With SSL Full Content Filtering strict checking of the certificate from the server can be performed. The certificate is validated by checking the issuer against a list of trusted CA s and verifying that the certificate is not expired. If the certificate cannot be validated then the network administrator can block this request. This is especially effective against SSL anonymous proxies that use self generated and signed certificates. Advantages Content analysis can be done on the content of the web site Virus scanning can be completed Spyware MD5 sum matching can be completed Spyware Class ID matching can be completed Streaming media is properly identified and can be bandwidth-controlled File and MIME type extraction and filtering can be completed SSL anonymous proxies that are not caught by the database are filtered by content analysis for categorization and logging Cymphonix Corporation, Cymphonix, Network Composer, Cross-Layer Intelligence, Li and the Cymphonix Logo are trademarks of Cymphonix. All other trademarks are property of their respective owners. All rights reserved.

Reverse DNS lookups are done for IP address URL s It is very difficult to circumvent filtering using anonymous proxies Moves the SSL security decisions out of the hands of the user and to the network administrator Disadvantages A CA certificate needs to be installed in the browser to prevent an SSL warning The not all of the original certificate issuer information is viewable by the user High performance cost SSL Filtering Method Feature Matrix Cymphonix solution Both of the above methods are available in Network Composer version 8.0. SSL Full Content Filtering is the recommended method to use to prevent possible circumvention of the filtering. Feature URL Database C ategorization Spyw are URL Database URL Keyw ord Search Denied Access Page More vulnerable to SSL proxies Virus Scanning Spyw are M D5 Sum Spyw are Class ID lookup Reverse DNS Lookup Content Analysis File Type Filtering M IM E Type Filtering Streaming M edia Control View original certificate CA C ertificate install needed CA C ertificate Verification SSL Certificate Filtering SSL Certificate Filtering with Denied Access Page SSL Full Content Filtering Conclusion With the increase in Secure Web Traffic (HTTPS) and growing number of 3rd party sites that allow users to bypass current content filtering solutions the ability to have FULL visibility and control over HTTPS traffic is paramount. Any organizations, especially highlyregulated organizations (e.g., education, government, and healthcare) owe it to their users to provide the most robust technology available to ensure ALL web traffic is being filtered and controlled. The Version 8.0 release from Cymphonix provides complete visibility into HTTPS traffic. References: 1. SSL Traffic Clogs WANS, PC World, 03/07/2007, http://www.pcworld.com/article/id,129648/article.html This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Cymphonix Corporation, Cymphonix, Network Composer, Cross-Layer Intelligence, Li and the Cymphonix Logo are trademarks of Cymphonix. All other trademarks are property of their respective owners. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information