DBO
Level 9

SSL Inspect : To do or not to do

I have a fight with the security dept and Management about activating SSL inspect...  Just to make sure I have my facts straight, I need a list of what cannot be done if it's not active:

  • no way to detect user-built tunnels
  • no way to inspect the data with the AV for any SSL site
  • no way to allow only some Facebook and YouTube pages / channels

What else?

14 Replies
apellepa
Level 8

Re: SSL Inspect : To do or not to do

Not only Facebook/YouTube (no way to allow only some Facebook and YouTube pages / channels) - this touches any site.

No way to check the validity of the site's certificate (users can access bad sites with invalid certificates).

McAfee Employee

Re: SSL Inspect : To do or not to do

You can authenticate users for SSL, you can also still perform URL filtering for SSL traffic, you can still perform certificate verification (although it does have its caveats -- no content inspection).

You cannot use AV without SSL scanning. You would not be able to allow a specific Facebook page (assuming it's HTTPS).

Best,

Jon

asabban
Level 17

Re: SSL Inspect : To do or not to do

Hello,

Please note that for "URL Filter" you will only be able to filter the "URL" part... when MWG does not look into the tunnel it does not have access to the URL path. Our URL classification also respects paths and parameters, so for HTTPS you will limit the URL filter capabilities. This may also lead to different categorizations for URLs in HTTP and HTTPS.

Best,

Andre

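The limitation Andre describes, shown as an added example (not MWG code): a forward proxy that is not inspecting SSL receives only `CONNECT host:port` for HTTPS, so a path-level allow rule for one Facebook page cannot be evaluated and the whole host has to be allowed or blocked. The policy, hosts and request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy: allow exactly one page on a site that is otherwise blocked.
ALLOWED_PATHS = {("www.facebook.com", "/OurCompanyPage")}
BLOCKED_HOSTS = {"www.facebook.com"}


def visible_fields(request_line):
    """Return the URL components a proxy can see from one client request line.

    Plain HTTP: the client sends the absolute URL, so host, path and query
    are all visible. HTTPS without inspection: the client only sends
    'CONNECT host:port' and everything inside the tunnel is opaque.
    """
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "query": None}
    parts = urlsplit(target)
    return {"method": method, "host": parts.hostname, "port": parts.port or 80,
            "path": parts.path, "query": parts.query}


def decide(fields):
    """Apply the constructed policy; returns (decision, reason)."""
    host, path = fields["host"], fields["path"]
    if path is None:
        # Only the host name is known, so a per-page allow rule cannot match;
        # the gateway must treat the whole host as one unit.
        if host in BLOCKED_HOSTS:
            return ("BLOCK", "path unknown without inspection; host is blocked")
        return ("ALLOW", "host not in block list")
    if (host, path) in ALLOWED_PATHS:
        return ("ALLOW", "path explicitly allowed")
    if host in BLOCKED_HOSTS:
        return ("BLOCK", "host blocked, path not allowed")
    return ("ALLOW", "host not in block list")


if __name__ == "__main__":
    for line in ("GET http://www.facebook.com/OurCompanyPage HTTP/1.1",
                 "GET http://www.facebook.com/SomethingElse HTTP/1.1",
                 "CONNECT www.facebook.com:443 HTTP/1.1"):
        print(line, "->", decide(visible_fields(line)))
```

Run it to see the same page allowed over HTTP and blocked over an uninspected HTTPS tunnel, which is also why HTTP and HTTPS URLs can end up in different categories.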
DBO
Level 9

Re: SSL Inspect : To do or not to do

Just finished reading McAfee SNS Journal - Focus on Web Gateway SSL Scanner (Sep 2013), which focuses on the same subject, and one point missing in there (and here) is how secure the data is once Web Gateway opens the SSL tunnel to do the content inspection.

Can an admin with full access to the appliance access the now unencrypted data?  Can I run a pcap trace of this data now?

ITWebSec
Level 8

Re: SSL Inspect : To do or not to do

The data does not appear in the clear on the wire in any way, so a pcap would not provide anything.

However, precautions do have to be taken to ensure the administrator can be trusted.

Any product that does MITM has the opportunity to expose data. I can capture all your Facebook passwords with a Squid proxy using SslBump.

The interception should be done with the user's consent. In most US enterprises, any usage of corporate resources is owned by the company and can be inspected for whatever reason.

It's no different than a mail administrator reading your messages.

DBO
Level 9

Re: SSL Inspect : To do or not to do

Yes, I understand this, but let me rephrase the question:  Is it possible to have access to the unencrypted data within SecureWeb?  This is what management is really concerned about...  even if, as an admin, I could do much worse on the PC side, mail side, etc...

Regis
Level 12

Re: SSL Inspect : To do or not to do

In short, yes.  For someone who has admin on a web gateway, in an environment with SSL inspection turned on in policy, and certificates distributed to all endpoints to facilitate this by-and-large transparent-to-the-user interception, debug modes are available in the web gateway to get access to that traffic unencrypted.  At least I'm led strongly to believe they are, as support has had to ask for such a few times when debugging some very squirrelly legitimate issues.

A compromise of a web gateway or a rogue web gateway administrator would be a Very Bad Thing.  As would a compromise of or malicious admin of the email server.  Or a compromise of or malicious insider on a domain controller.  At some point you have to trust somebody for any of this stuff to work.

The next question:  how to alert someone when such modes are invoked?  Good question.  I don't know.

Your response to management should also include the peril of not intercepting SSL on a web gateway.  Namely, an attacker could quietly exfiltrate untold amounts of company data out a simple https:// connection and you'd have no way to know it if not for middling the SSL connection with this or another appliance as part of a wider data leakage prevention/detection program.  Or, the fact that you won't be doing any scanning of payloads inside https:// connections for malware or heuristic issues, and it'll be up to the endpoint to sort all that out.  And (*gasp*) perhaps users making rational decisions.

on 9/12/13 4:58:46 PM CDT
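To illustrate Regis's exfiltration point, here is an added example (not from the thread or from any McAfee product) of the only signal a gateway keeps when it does not open the tunnel: per-connection byte counts. The log format, hosts and byte values are constructed; the detector can flag a client pushing an unusual upload volume to one host, but it can say nothing about what was inside.

```python
import re
from collections import defaultdict

# Constructed access-log format (not MWG's real format):
# "date time client CONNECT host:port status bytes_client_to_server bytes_server_to_client"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) CONNECT (\S+):(\d+) (\d+) (\d+) (\d+)$")

# Constructed sample: one workstation uploads ~130 MB to a file-sharing host
# over two uninspected HTTPS tunnels; the other entries are ordinary browsing.
SAMPLE_LOG = """\
2013-09-12 16:58:46 10.1.2.3 CONNECT www.facebook.com:443 200 2048 51200
2013-09-12 16:59:10 10.1.2.3 CONNECT mail.example.net:443 200 4096 8192
2013-09-12 17:00:02 10.1.2.3 CONNECT files.example-cloud.test:443 200 73400320 1100
2013-09-12 17:03:30 10.1.2.3 CONNECT files.example-cloud.test:443 200 62914560 980
2013-09-12 17:05:11 10.1.2.9 CONNECT www.youtube.com:443 200 1024 209715200
"""


def parse_log(text):
    """Parse CONNECT entries into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, port, status, up, down = m.groups()
        events.append({"ts": ts, "client": client, "host": host, "port": int(port),
                       "status": int(status), "up": int(up), "down": int(down)})
    return events


def upload_outliers(events, threshold_bytes=100 * 1024 * 1024):
    """Sum client-to-server bytes per (client, host) and return pairs over the threshold.

    Volume is all the gateway has without inspection: it cannot tell a backup
    of spreadsheets from a video upload, only that a lot of data went out.
    """
    totals = defaultdict(int)
    for e in events:
        totals[(e["client"], e["host"])] += e["up"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for (client, host), total in upload_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"{client} sent {total / 2**20:.1f} MiB into {host}:443 (content unknown)")
```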
Regis
Level 12

Re: SSL Inspect : To do or not to do

DBO wrote:

Yes, I understand this, but let me rephrase the question:  Is it possible to have access to the unencrypted data within SecureWeb?  This is what management is really concerned about...  even if, as an admin, I could do much worse on the PC side, mail side, etc...

What do you mean by "within SecureWeb"?  Do you mean within the HTTP GUI interface to the Secure Web Gateways?

No, not directly as in "click here to see Zeke's unencrypted SSL traffic to his bank!"  That functionality is available in network DLP gear though (if you're inspecting that category on the web gateway and sending it over to DLP gear, that is).  I'm not actually sure myself what the "take a peek at things" recipe would be for an environment that doesn't already have network DLP installed, and even for them, typically only POSTed info gets sent decrypted, sent over ICAP to the DLP gear.  But I'm reasonably sure an administrator (of any manufacturer's SSL-inspecting web appliance) could cobble it together, because at the end of the day, if that capability isn't there somewhere, somehow, there are problems that one simply couldn't debug any other way if such hooks weren't available.

on 9/12/13 5:26:05 PM CDT
DBO
Level 9

Re: SSL Inspect : To do or not to do

Within the appliance itself,  either with the GUI or CLI but without adding any package/tool to the appliance... 

Basically, I want to be able to go to a manager and tell him it's easy, difficult or really difficult.  If it cannot be done from the GUI, further restriction of CLI access can be used to control it.

PS: I personally don't care about this risk since I could do it other ways, but it's a «SSL is sacred, you cannot touch it» thing...
