Exceptions to SSL Scanning


Hi,

In MWG version 6.x there was an easy setting to exempt certain URL categories from SSL scanning. Categories specified here would simply be tunneled.

I want to do something similar in MWG 7.x, but I am wondering how to define the rule and where to place it. I am using the default SSL-Scanner ruleset. In there I can see two different "whitelists": one is for tunneling hosts (happens inside the "Handle CONNECT call" ruleset and stops the complete cycle for matching hosts) and the other is a whitelist found in the SSL-Scanner -> Content Inspection ruleset, which stops content inspection for matching hosts but still does certificate verification. I could modify both rules to include a custom URL category list, but I am not sure which of the two rules would be better.

I know the technical difference between the two whitelists (the first completely bypasses the SSL scanner engine and stops the request cycle, so no further checks are done; the second would at least do some certificate checks but omit content scanning).

I am thinking about categories like Finance, Online Banking, for which our users in Germany are very sensitive in terms of data protection.

Any thoughts on this? What's best practice here?

Thanks

Accepted Solution
McAfee Employee
Message 2 of 4

Re: Exceptions to SSL Scanning


Hello,

There are a couple of advantages for each, I think.

If you leave certificate verification in place MWG will verify that the certificate is OK, not expired, not self-signed, not signed by a bad certificate authority, etc. This is generally a check you want for security reasons, even for banking sites it may be beneficial to have an additional layer of security and a "second opinion" on the certificate.

If the certificate is "suspicious" the access will be denied and the user has no chance at all to overcome this block. If you completely whitelist SSL Scanner the user will notice a warning that something is wrong with the certificate, but it is up to him to decide whether the certificate is trustworthy or not.

Another fact to keep in mind is that enabling certificate verification will prevent users from accessing a website if MWG does not know the certificate authority. This may happen for CAs that are not known, but CAs are updated frequently, and in case you find a CA, the subscribed list is updated in a short period of time.

For me this is a question of how "skilled" your users are. I know that we have customers with users that are technically expert and/or trained - they would become nervous when they notice that the browser shows a warning about an expired certificate and won't continue what they were doing. But I also know we have customers with users who would continue doing online banking, even if the certificate is suspicious.

So the question is: Do you want to leave this decision to your users?

In my opinion I would leave Certificate Verification in place. It won't hurt as long as all is good with the certificates and usually Banks are very sensitive in regards to their certificates. If a banking web site uses a certificate that MWG would block, there might be a reason for it. I definitely would stop my users from going there and have a look by myself or some IT helpdesk before letting them proceed.

Privacy is not an issue as long as you keep content inspection disabled due to whitelisting. The original certificate will be used to encrypt the connection, there is no way for MWG to look inside.

Best,

Andre


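The rule order the question and the accepted answer describe, as an added example that is not part of the original thread and not MWG's own rule set or code. It walks a CONNECT request through the default cycle in plain Python: the "Handle CONNECT call" whitelist first (tunnel, cycle stops, nothing verified), then certificate verification with the checks Andre names (expired, self-signed, unknown CA), then the Content Inspection whitelist (verified but still encrypted end to end), otherwise decrypt and inspect. The category names, the trusted CA name, the sample certificates and the fixed clock are all constructed for the example; the certificate dicts use the layout Python's `ssl.SSLSocket.getpeercert()` returns, and the hostname check is a CN-only simplification.

```python
"""Added example modelling the two SSL-scanner exemption points discussed
in the thread. Not MWG code; all names and sample data are assumed."""
import ssl
import time

# Assumed lists. In MWG these would be URL-category list entries.
TUNNEL_CATEGORIES = set()                              # "Handle CONNECT call" whitelist
NO_INSPECT_CATEGORIES = {"Finance", "Online Banking"}  # Content Inspection whitelist
TRUSTED_ISSUERS = {"Example Root CA"}                  # stand-in for the proxy's known-CA list


def _name_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),),) structure into a dict."""
    return {key: value for rdn in rdn_seq for (key, value) in rdn}


def verify_certificate(cert, host=None, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return a list of findings; an empty list means the certificate passed.

    Checks: validity period, self-signed, issuer not in the known-CA list,
    and (simplified, CN only; real verification also reads subjectAltName)
    whether the certificate was issued for the requested host.
    """
    now = time.time() if now is None else now
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])
    findings = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("not yet valid")
    if subject == issuer:
        findings.append("self-signed")
    elif issuer.get("commonName") not in trusted_issuers:
        findings.append("unknown CA: %s" % issuer.get("commonName"))
    if host is not None and subject.get("commonName") != host:
        findings.append("hostname mismatch")
    return findings


def decide(category, cert, host=None, now=None,
           tunnel=TUNNEL_CATEGORIES, no_inspect=NO_INSPECT_CATEGORIES):
    """Apply the rules in cycle order and return the resulting action.

    "TUNNEL"             CONNECT whitelist hit: cycle stops, nothing checked
    ("BLOCK", findings)  certificate verification failed, user cannot override
    "VERIFY_TUNNEL"      certificate OK, passed through still encrypted
    "INSPECT"            certificate OK and content decrypted for scanning
    """
    if category in tunnel:
        return "TUNNEL"
    findings = verify_certificate(cert, host=host, now=now)
    if findings:
        return ("BLOCK", findings)
    if category in no_inspect:
        return "VERIFY_TUNNEL"
    return "INSPECT"


def _sample_cert(cn, issuer_cn, not_after):
    """Constructed sample in getpeercert() layout; not a real certificate."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notBefore": "Jan 10 00:00:00 2020 GMT",
        "notAfter": not_after,
    }


GOOD_BANK = _sample_cert("bank.example", "Example Root CA", "Jan 10 00:00:00 2035 GMT")
EXPIRED_BANK = _sample_cert("bank.example", "Example Root CA", "Jan 10 00:00:00 2021 GMT")
SELF_SIGNED = _sample_cert("bank.example", "bank.example", "Jan 10 00:00:00 2035 GMT")
UNKNOWN_CA = _sample_cert("bank.example", "Somebody Else CA", "Jan 10 00:00:00 2035 GMT")

# Fixed clock so the sample stays reproducible.
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")

if __name__ == "__main__":
    samples = [("good", GOOD_BANK), ("expired", EXPIRED_BANK),
               ("self-signed", SELF_SIGNED), ("unknown CA", UNKNOWN_CA)]
    for label, cert in samples:
        action = decide("Online Banking", cert, host="bank.example", now=FIXED_NOW)
        print("%-12s Online Banking -> %s" % (label, action))
    # Same expired certificate, but with the category on the CONNECT whitelist:
    # the proxy never looks at it, and the browser warning is all the user gets.
    action = decide("Online Banking", EXPIRED_BANK, host="bank.example",
                    now=FIXED_NOW, tunnel={"Online Banking"})
    print("%-12s tunnel list    -> %s" % ("expired", action))
```

The last call is the point of the thread: moving Online Banking into the CONNECT-stage whitelist returns `TUNNEL` for an expired certificate, while leaving it in the Content Inspection whitelist returns `("BLOCK", ["expired"])` and a good certificate returns `VERIFY_TUNNEL`, verified but never decrypted.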

Re: Exceptions to SSL Scanning


Thanks Andre for your detailed response. Especially the fact that there is no privacy issue when doing certificate checks while disabling content inspection is the key information I was looking for.

So in that scenario, could I describe it as "Connection is being tunneled, not decrypted, but certificates are checked"?

Thanks

McAfee Employee
Message 4 of 4

Re: Exceptions to SSL Scanning


Hi cc,

That is an accurate description. Only if content inspection is used will the connection be decrypted.

Best,

Jon
