Contents

Overview
Legal Disclaimer
Secure Sockets Layer Certificates
Filters
Policy

OL-22629-06

Overview

When a user connects to a website via HTTPS, the session is encrypted and the site is authenticated with the site's digital certificate. When secure traffic inspection is enabled, Cisco Cloud Web Security forwards all self-signed, expired, invalid, and revoked certificates. Check how your deployment surfaces those certificate errors to users: once a session has been re-signed, the browser sees only the inspection certificate and no longer warns about the origin server's certificate on its own.

Secure traffic inspection decrypts and scans the HTTPS traffic passing through Cisco Cloud Web Security for threats and carries out actions based on your policy settings. If the traffic is deemed safe, it is re-encrypted and passed back to your organization under a new SSL certificate issued by the inspection certificate authority.

Every user's browser must trust the inspection certificate authority (CA), so its certificate must be deployed to each client. You can generate a certificate in Cisco ScanCenter with Cisco as the CA, or alternatively you can download a Certificate Signing Request (CSR) and use it with a tool such as Microsoft Certificate Services or OpenSSL to generate and upload your own certificate where your organization is the CA. The certificate is then associated with your secure traffic inspection policy.

When using a CSR, the following field must be present in the certificate:

    X509v3 Basic Constraints: CA:TRUE

With OpenSSL, the command

    openssl x509 -extfile v3_ca.txt -req -days 365 -in scancenter.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out scancenter.crt

will sign the CSR with your organization's CA (ca.crt and ca.key) and add that field, where v3_ca.txt contains the following (OpenSSL matches extension names exactly, so keep this capitalization):

    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=CA:true

Because the resulting certificate is itself a CA certificate, the service can issue a certificate for any HTTPS site your users visit. Protect the private key of the CA that signs it as you would any issuing CA key, and keep the validity period short (the command above uses 365 days).

Two changes are required on the client:

1 Proxy settings for SSL traffic must be configured in the client browser, or on your organization's firewall or gateway device.
2 The root certificate of the inspection CA (Cisco's root certificate, or your organization's root if you uploaded your own certificate) must be imported into the client browser to enable it to trust SSL connections with Cisco Cloud Web Security.

Note Browsers may automatically import the certificate to the Intermediate Certificate Authorities store. However, the certificate must be placed in the Trusted Root Certificate store for secure traffic inspection to function correctly; an entry in the intermediate store with no trusted root above it still produces certificate warnings.

Legal Disclaimer

It is your responsibility to determine whether it is legal for you to inspect HTTPS traffic in your jurisdiction. Switching on this functionality will permit Cisco Cloud Web Security to inspect HTTPS traffic. While all such inspection is carried out automatically, rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries. By enabling this functionality, you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions and that you have obtained all necessary consent from your users to do so.

In most jurisdictions you are required by law to inform your users that secure traffic is being inspected. It is possible to present an HTML page to the user that states that the session will be decrypted and that gives the user the option to continue or not. However, if you do this, you will not be able to use the standard warning page for other purposes.

Step 1 In Web Filtering > Notifications > User Messages, edit the Customized Warn Alert Page to display an HTTPS warning.
Step 2 In the Timeout value drop-down list, click 0.
Step 3 Clear the Include standard HTML page template for warning page check box.
Note If you also want to display warnings for non-HTTPS pages, you can select the check box and add the HTTPS warning to the standard Acceptable Use Policy warning.
Step 4 Click Save to apply your changes.
Step 5 In Web Filtering > Management > Global Settings, select the Enable HTTP/HTTPS split check box and click Save.
Step 6 In Web Filtering > Management > Filters, create HTTPS filters for the websites to block.
Step 7 In Web Filtering > Management > Filters, create an HTTPS filter for all categories called HTTPS warn.
Step 8 In Web Filtering > Management > Policy, create a block rule and add the HTTPS filters for the websites to block.
Step 9 In Web Filtering > Management > Policy, create a warn rule and add the HTTPS warn filter with the anytime schedule.
Step 10 Ensure that the HTTPS warn rule has a lower priority than the HTTPS block rule, so that blocked sites are blocked outright rather than first shown the warning, and then select the Activate check box for both rules.

With these rules in place, notice is given to the user before the SSL connection to the site is established, as privacy laws require.

You can exclude websites from secure traffic inspection, for example banking websites. These sites bypass secure traffic inspection, and the user is connected to the site via a direct SSL connection.

Caution To comply with privacy laws, no log record is maintained. However, you are responsible for ensuring that the content decryption and encryption takes place in a closed loop and that no content is cached.
Secure Sockets Layer Certificates

When you generate an SSL certificate in Cisco ScanCenter, Cisco will be the Certificate Authority (CA). If you want your organization to be the CA, you can generate a Certificate Signing Request (CSR) in Cisco ScanCenter, use that to generate the certificate, and then upload it to Cisco ScanCenter.

Click the Admin tab to display the administration menus. In the HTTPS Inspection menu, click Certificates to display the certificates page.

Creating a Certificate in Cisco ScanCenter

Step 1 Click Admin, HTTPS Inspection, and Certificates.
Step 2 Click the Create a New Certificate tab.
Step 3 In the Duration drop-down, choose the number of years before the certificate expires. The available options are one year, three years, five years, or seven years.
Step 4 Enter an Identifier.
Step 5 Enter a unique Description.
Step 6 Click Submit to apply your changes. Alternatively, navigate away from the page to abandon your changes.

Using an Externally Generated Certificate

Before You Begin

If you want to generate your own SSL certificates with your organization as the certificate authority (CA), you will need SSL software such as Microsoft Certificate Services (a component of Windows Server operating systems) or OpenSSL (a toolkit included with most UNIX and UNIX-like operating systems). If you are not familiar with SSL software, you should use Cisco ScanCenter to create an SSL certificate instead.
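The OpenSSL side of the CSR procedure that follows, and of the signing command shown in the Overview, as an added example that is not part of the Cisco document. It builds a throwaway organization CA, constructs a stand-in for the CSR that ScanCenter would let you download (so the script runs without the service), signs that CSR exactly as the Overview command does, and then checks the result for the CA:TRUE basic constraint and for a valid chain to the organization CA. It also signs once without the extension file to show what a certificate that lacks the required field looks like. The file names ca.key, ca.crt, scancenter.csr, scancenter.crt and noext.crt, the subject names, and the root extension file v3_root.txt are assumptions; only the v3_ca.txt contents and the signing command come from the page.

```shell
#!/bin/sh
# Added example (not from the Cisco document): reproduce the OpenSSL steps of
# the ScanCenter CSR procedure offline. ScanCenter normally supplies the CSR;
# a stand-in CSR is constructed locally here. File and subject names are
# assumptions chosen to match the command shown in the Overview.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

SUBJ_CA="/O=Example Org/CN=Example Org Inspection Root CA"   # constructed
SUBJ_CSR="/O=Example Org/CN=Example Org HTTPS Inspection"    # constructed

# Extension file exactly as the document lists it (canonical OpenSSL spelling).
cat > v3_ca.txt <<'EOF'
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
EOF

# Extensions for the organization's own root (assumed): a CA that may only
# sign certificates and CRLs.
cat > v3_root.txt <<'EOF'
subjectKeyIdentifier=hash
basicConstraints=critical,CA:true
keyUsage=critical,keyCertSign,cRLSign
EOF

# 1. The organization CA: key, self-signed certificate valid for ten years.
make_org_ca() {
    openssl genrsa -out ca.key 2048 >/dev/null 2>&1
    openssl req -new -key ca.key -subj "$SUBJ_CA" -out ca.csr >/dev/null 2>&1
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key \
        -extfile v3_root.txt -out ca.crt >/dev/null 2>&1
}

# 2. Stand-in for the CSR downloaded from ScanCenter (constructed here; the
#    real CSR comes from the service and carries its key, not this one).
make_stand_in_csr() {
    openssl genrsa -out scancenter.key 2048 >/dev/null 2>&1
    openssl req -new -key scancenter.key -subj "$SUBJ_CSR" \
        -out scancenter.csr >/dev/null 2>&1
}

# 3. The document's command: sign the CSR as a subordinate CA of the organization.
sign_scancenter_csr() {
    openssl x509 -extfile v3_ca.txt -req -days 365 -in scancenter.csr \
        -CA ca.crt -CAkey ca.key -set_serial 01 -out scancenter.crt >/dev/null 2>&1
}

# Failure mode: the same command without -extfile yields a certificate with no
# basic constraints, i.e. not a CA, which cannot be used for inspection.
sign_without_extfile() {
    openssl x509 -req -days 365 -in scancenter.csr \
        -CA ca.crt -CAkey ca.key -set_serial 02 -out noext.crt >/dev/null 2>&1
}

# Check: does the certificate carry "X509v3 Basic Constraints ... CA:TRUE"?
# Exit status 0 if it does, 1 if not. This is the field ScanCenter requires.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check: does the certificate verify against the organization CA?
chains_to_org_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

make_org_ca
make_stand_in_csr
sign_scancenter_csr
sign_without_extfile

if is_ca_cert scancenter.crt && chains_to_org_ca scancenter.crt; then
    echo "scancenter.crt: CA:TRUE and chains to ca.crt; ready to upload"
fi
if ! is_ca_cert noext.crt; then
    echo "noext.crt: no CA:TRUE; would not serve as an inspection certificate"
fi
```

In real use, replace the stand-in CSR step with the file downloaded from ScanCenter and run only the signing and check steps, within the 30-minute window the service allows; the two checks are what to run on any certificate before uploading it.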
Step 1 Click Admin, HTTPS Inspection, and Certificates.
Step 2 Click the Create a CSR (Certificate Signing Request) tab.
Step 3 Enter a unique name for the Certificate Signing Request (CSR) in the Identifier box.
Step 4 Enter a Description of the CSR.
Step 5 Click Next.
Step 6 Click Download Your CSR to download the CSR.
Step 7 Generate your SSL certificate using the downloaded CSR with your SSL software. For more details, see your SSL software vendor documentation. You have 30 minutes to create and upload the certificate, so have your CA key and extension file ready before you download the CSR.
Step 8 Click Next.
Step 9 Click Select File and navigate to the SSL certificate to associate with the CSR.
Step 10 Click Upload.

Editing a Certificate Description

Step 1 In the Description column, click the pencil icon next to the certificate.
Step 2 Enter a new Description.
Step 3 Click the check icon to apply your change. Alternatively, click the x icon or navigate away from the page to abandon your change.

Removing a Certificate

To remove an SSL certificate, select the box next to the certificate and click Remove. You will be prompted to confirm deleting the selected certificate.

Filters

Filters enable you to set the websites and categories that will be subject to HTTPS inspection. For more information on managing filters, see Managing Filters. The following HTTPS filters are available:

Categories
Domains
Exceptions
Applications
Click the Admin tab to display the administration menus. In the HTTPS Inspection menu, click Filters to display the filters page.

Applications that use the HTTPS protocol will not be matched against application filters unless HTTPS inspection is enabled for all traffic, or Application Decryption is enabled. If you have not enabled HTTPS inspection for all traffic and you want to enable application decryption, select the filter, and on the Applications page, select the Enable Application Decryption check box.

Policy

Policy enables you to set the rules for applying HTTPS filters. On the Admin > HTTPS Inspection > Policy page, you can set the priority of a rule by clicking the up and down arrow icons and then clicking Save.

Step 1 Click Create HTTPS Rule.
Step 2 Enter a rule Name.
Step 3 In the Certificate pull-down list, select a previously generated certificate.
Step 4 In the Filter pull-down list, select a previously created filter.
Step 5 Select the Active check box to enable the rule. Alternatively, clear the check box to activate the rule at another time.
Step 6 Search for each group that you want to use this rule by entering the group name and clicking Add Group. If no group is selected, this rule applies to everyone.
Step 7 Select the Set as Exception check box to exclude the selected groups from the rule.
Step 8 Click Submit to apply your changes. Alternatively, click Cancel or navigate away from the page to abandon your changes.