scottl
Level 7

User concerns around SSL Interception

Hello,

Hoping some of the McAfee staff could lay out the truth behind SSL interception? As I'm introducing this product there's quite a bit of hesitation around letting it become a subordinate CA to our AD Enterprise CA, as well as the actual decrypting and encrypting of HTTP traffic.

From past experience with other proxies it was not possible to see the unencrypted SSL with a sniff or log reader, because that all happens either at the NIC level (after decryption and then re-encryption happens) or the logs don't show deep enough into layer 7. Theoretically, could someone get at the unencrypted info, say through a memory dump?

Basically, am I right in telling the users that their SSL is safe from an abusive admin? And on top of that, does McAfee recommend disabling SSL for categories like banking and webmail?

Thanks

5 Replies
eelsasser
Level 15

Re: User concerns around SSL Interception

Coincidentally enough, I had this same conversation with a large bank today. Some of the topics discussed included these, and some of this is my editorialization, of course.

By default with MWG, decrypted traffic is never put back on the wire. Decrypted content is not stored on the disks. Logs can optionally be encrypted on-box, so even the IP, Usernames and URLs are never written in the clear. It makes reporting a pain, but possible.

As a general rule most users will bypass decryption on Banking/Finance, Health, Stocks and a handful of whitelisted sites. But I don't recommend bypassing decryption on webmail. It is a primary vector of infection/leakage.

Typically, there should be an acceptable use policy that spells out the terms of using your network. Create the understanding that you can be watched. Big warning pages when you go to an SSL site with an 'Agree' button to consent to monitoring can be used. I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer. They let the users go to Social Networking sites, but they have informed consent. Is there really privacy on the internet? If there is something you don't want discovered, don't do it. I told my kids when they were 10 & 12 not to expect anything you do on the internet to be considered private, because somewhere, somehow it can be seen by someone. Then I showed them Ethereal (at the time) traces of their AIM messages with their friends to prove it. It's 10+ years later and they still remember that lesson.

The problem of an abusive admin is a carbon-based problem, not a silicon-based one. Separation of functional duties, configuration auditing and strict change control policies help reduce the potential of abuse. Most organizations have these mitigating controls in place to watch the watchers.

It's clearly up to your policy if you want to do it or not. Weigh the risk and benefits. And trust but verify what the admins are doing.

...Just my humble opinion.

Message was edited by: Erik Elsasser on 9/23/10 9:59:05 PM CDT
wissinit
Level 7

Re: User concerns around SSL Interception

Hi Erik,

regarding your statement:

"I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer."

Could you please give me a hint on how to accomplish such a task? I would really appreciate it.

Thanks,

Andrea

eelsasser
Level 15

Re: User concerns around SSL Interception

First create your own image to insert at the top of the page. A JPG, GIF or PNG should suffice. Upload it to the img/ directory where the block pages are. In this example, my image name is monitor.jpg.

Then you have rules that open the HTML tags and insert the <img> tag right after the <body> tag.

You should probably restrict this rule set to only a few categories that you want to warn against, not everything you are proxying. If you want to warn on everything, you should just have a welcome page display once at the beginning of the day instead.

Rule Set: Monitoring In Progress
  Enabled
  Applies to Requests: False / Responses: True / Embedded Objects: True
  Criteria: MediaType.EnsuredTypes contains text/html

Rules (Enabled | Rule | Criteria | Action | Events | Comments):

  Enabled: Enable HTML Opener
    Criteria: Always
    Action: Continue
    Events: Enable HTML Opener<HTML Filtering>

  Enabled: Set the Redirect Image
    Criteria: Always
    Action: Continue
    Events: Set User-Defined.redirectImage =
      "<img src="" +
      "http" +
      "://" +
      IP.ToString(Proxy.IP) +
      ":" +
      Number.ToString(Proxy.Port) +
      "/files/default/img/monitor.png" +
      "">"

  Enabled: Remove Header for "Content-Length"
    Criteria: Always
    Action: Continue
    Events: Header.RemoveAll("Content-Length")
    Comments: The HTML rules will modify the content length, so we delete this header so that user agents will not complain about getting less data than promised.

  Enabled: Find End of Start Tag
    Criteria: HTMLElement.Name equals "body"
    Action: Continue
    Events: Set User-Defined.endOfStartTag =
      Body.PositionOfPattern(">",0,2000) +
      1

  Enabled: Inject Image right after <body>
    Criteria: HTMLElement.Name matches *body*
    Action: Continue
    Events: Body.Insert(User-Defined.endOfStartTag,User-Defined.redirectImage)

User Defined Properties (Name | Type | Initial Value):
  User-Defined.endOfStartTag | Number | 0
  User-Defined.redirectImage | String | ""

Settings: Enable HTML Opener (Engines: HTML Filtering)
  List of elements that should be opened (NodeNameInlineList, inlineList):
    Node Name | Start Tags Only
    body      | true
  Only open elements that refer to external sources (OnlyOpenExternalLinks, Boolean): true

Here is some of the output I tested:

[Screenshots Image1.jpg, Image2.jpg, Image3.jpg and Image4.jpg not included]

Message was edited by: Erik Elsasser on 12/28/10 10:22:54 AM CST
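As an added illustration (not MWG code and not from the post above), here is the same banner injection modelled in Python: it locates the end of the <body> start tag the way the "Find End of Start Tag" rule does, inserts the tag, and fixes up the response headers. It also covers one edge case the rule's plain ">" search would miss, a ">" inside a quoted attribute value, and recomputes Content-Length instead of removing it. The proxy address, port and sample HTML are constructed values.

```python
# Added example, not part of the original post or of MWG itself: a plain-Python
# model of the "Monitoring In Progress" rule set applied to an HTML response.
import re
from typing import Dict, Optional, Tuple

BODY_START = re.compile(rb"<body\b", re.IGNORECASE)

def end_of_body_start_tag(html: bytes, search_limit: int = 2000) -> Optional[int]:
    """Offset just past the '>' that closes the <body ...> start tag, or None.
    Mirrors Body.PositionOfPattern(">", 0, 2000) + 1, but skips quoted
    attribute values so <body onload="f(a>b)"> is not cut at the inner '>'."""
    m = BODY_START.search(html)
    if m is None:
        return None
    i, quote = m.end(), None
    end = min(len(html), m.end() + search_limit)
    while i < end:
        c = html[i:i + 1]
        if quote:                      # inside a quoted attribute value
            if c == quote:
                quote = None
        elif c in (b'"', b"'"):
            quote = c
        elif c == b">":
            return i + 1
        i += 1
    return None

def banner_tag(proxy_ip: str, proxy_port: int,
               path: str = "/files/default/img/monitor.png") -> bytes:
    """Same <img> tag the rule builds into User-Defined.redirectImage:
    the image is served by the proxy itself, not by the origin site."""
    return f'<img src="http://{proxy_ip}:{proxy_port}{path}">'.encode()

def inject_banner(headers: Dict[str, str], body: bytes,
                  tag: bytes) -> Tuple[Dict[str, str], bytes]:
    """Insert tag right after <body ...> in text/html responses only (the rule
    set's MediaType criterion). Header names are assumed canonically cased.
    The rule set deletes Content-Length; recomputing it keeps keep-alive
    connections framed correctly, so that is done here instead."""
    if not headers.get("Content-Type", "").lower().startswith("text/html"):
        return headers, body
    pos = end_of_body_start_tag(body)
    if pos is None:                    # no <body> tag: leave response untouched
        return headers, body
    new_body = body[:pos] + tag + body[pos:]
    new_headers = dict(headers)
    if "Content-Length" in new_headers:
        new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body
```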
wissinit
Level 7

Re: User concerns around SSL Interception

Thank You very much for the hint, it was very useful.

I really appreciate it.

Andrea.

Troja
Level 14

Re: User concerns around SSL Interception

Hi,

Is there also a coaching page possible before an SSL tunnel is decrypted by MWG?

Best Regards,

Thorsten
