The SSL Scanner - Some rule examples

Version 5

     

    Document Disclaimer - Please Read

    This document is meant to be used in conjunction with the SNS - Web Gateway SSL Scanning Capabilities (September, 2013) article, which can be found here: 

     

    https://community.mcafee.com/docs/DOC-5276

     

    Please read that article closely first, before considering the rule examples below.  If you have questions, please 'ask' them on the SNS article above, or feel free to contact technical support.

    --------------------

     

    Where should the SSL Scanner be 'located' in the rule sets?

     

    Typically, it is recommended that the SSL Scanner be placed near the top of the rule set list.  We usually recommend placing it just below your 'Global Whitelist' (if you have chosen to use one), and just above the Global Blocklist, so that proper block pages can still be displayed for HTTPS requests when needed.  See below:

     

    where-to-place-SSLscanner-ruleset.png

     

    How do I limit the SSL scanner to a particular client IP, or a particular category?

     

    You can limit who or what the SSL Scanner is applied to by adding criteria to the rule set.  Below (as an example), the SSL Scanner is limited so that it applies only to a particular client IP, or only to a particular category.

     

    limiting_SSLscanner.png

     

    NOTE: In general, you will NOT be able to limit the SSL Scanner to a particular username or user group.  The reason is that the SSL Scanner rule set is placed above the point where authentication occurs (which is expected/recommended).  At the time the SSL Scanner rule set is called, the username is not yet known.  You would need to move portions of the SSL Scanner 'after' authentication in order to limit it to a user or group.  If you need to do this, it is strongly recommended that you work with support for assistance.

    How do I enable the Handle CONNECT Call step, but not do Certificate Verification or Content Inspection?

     

    1. Starting with the default SSL Scanner rule set, disable the 'Certificate Verification' rule set, the 'Content Inspection' rule set, and the 'Verify Common Name (Transparent Setup)' rule set. 

    2. Next, within the 'Handle CONNECT Call' rule set, click to disable the rule 'Enable Certificate Verification'.

     

    HandleCONNECT-no-CertVerify-or-ContInspect.png

    How do I enable Certificate Verification, but NOT Content Inspection?

     

    Explicit proxy:

     

    1. Within the 'Handle CONNECT Call' rule set, enable the 'Enable Certificate Verification' rule.

    2. Click to 'enable' the 'Certificate Verification' rule set.  Here, you can choose the various certificate elements you may want to filter on.

    3. The 'Verify Common Name (Proxy Setup)' rule set should also be enabled.

     

    certVerify-explicit-proxy.png

     

    Transparent proxy:

     

    1. Within the 'Handle CONNECT Call' rule set, enable the 'Enable Certificate Verification' rule.

    2. Click to 'enable' the 'Certificate Verification' rule set.

    3. The 'Verify Common Name (Proxy Setup)' rule set should be disabled.

    4. The 'Verify Common Name (Transparent Setup)' rule set should be enabled.

     

    certVerify-transparent.png

    How do I enable Content Inspection without Certificate Verification? - (Illustration ONLY - not recommended)

    **NOTE: This is for illustrative purposes only.  In a production environment, it is NOT recommended that Content Inspection be performed if Certificate Verification is not also performed.  This could potentially leave your environment vulnerable to phishing of sensitive data.

    Option 1

     

    1. Within the 'Handle CONNECT Call' rule set, disable the 'Enable Certificate Verification' rule.

    2. Disable the 'Certificate Verification', 'Content Inspection', and 'Verify Common Name (Transparent Setup)' rule sets.

    3. Within the 'Content Inspection' rule set (which is now disabled), select the 'Enable Content Inspection' rule and click 'Copy'.

    4. Paste that rule into the 'Handle CONNECT Call' rule set, just below the disabled 'Enable Certificate Verification' rule.

     

    content-inspection_NO-certVerify-option1.png

     

    Option 2

     

    1. Within the 'Handle CONNECT Call' rule set, disable the 'Enable Certificate Verification' rule.

    2. Disable the 'Certificate Verification' rule set and the 'Verify Common Name (Transparent Setup)' rule set. 

    3. The 'Content Inspection' rule set should be enabled.

    4. Update the 'Content Inspection' rule set criteria to be "Command.Name equals CONNECT".

     

    content-inspection_NO-certVerify-option2.png