5 Replies Latest reply on Jun 6, 2011 6:48 AM by Troja

    User concerns around SSL Interception

      Hello,

      Hoping some of the McAfee staff could lay out the truth behind SSL interception? As I'm introducing this product there's quite a bit of hesitation around letting it become a subordinate CA to our AD Enterprise CA, as well as the actual decrypting and encrypting of HTTP traffic.

      From past experience with other proxies it was not possible to see the unencrypted SSL with a sniff or log reader because that all happens either at the NIC level (after decryption and then re-encryption happens) or the logs don't show deep enough into layer 7. Theoretically, could someone get at the unencrypted info, say through a memory dump?

      Basically am I right in telling the users that their SSL is safe from an abusive admin?  And on top of that does McAfee recommend disabling SSL for categories like banking and webmail?

       

      Thanks

        • 1. Re: User concerns around SSL Interception

          Coincidentally enough, I had this same conversation with a large bank today. Some of the topics discussed included these, and some of this is my editorialization, of course.

          By default with MWG, decrypted traffic is never put back on the wire. Decrypted content is not stored on the disks. Logs can optionally be encrypted on-box, so even the IP, Usernames and URLs are never written in the clear. It makes reporting a pain, but possible.

           

          As a general rule most users will bypass decryption on Banking/Finance, Health, Stocks and a handful of whitelisted sites. But I don't recommend bypassing decryption on webmail. It is a primary vector of infection/leakage.

           

          Typically, there should be an acceptable use policy that spells out the terms of using your network. Create the understanding that you can be watched. Big warning pages when you go to an SSL site with an 'Agree' button to consent to monitoring can be used. I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer. They let the users go to Social Networking sites, but they have informed consent. Is there really privacy on the internet? If there is something you don't want discovered, don't do it. I told my kids when they were 10 & 12 not to expect anything you do on the internet to be considered private, because somewhere, somehow it can be seen by someone. Then I showed them Ethereal (at the time) traces of their AIM messages with their friends to prove it. It's 10+ years later and they still remember that lesson.

           

          The problem of an abusive admin is a carbon-based problem, not a silicon-based one. Separation of functional duties, configuration auditing and strict change control policies help reduce the potential of abuse. Most organizations have these mitigating controls in place to watch the watchers.

           

          It's clearly up to your policy if you want to do it or not. Weigh the risk and benefits. And trust but verify what the admins are doing.

           

          ...Just my humble opinion.

           

           

          Message was edited by: Erik Elsasser on 9/23/10 9:59:05 PM CDT
          • 2. Re: User concerns around SSL Interception

            Hi Erik,

            regarding your statement:

             

            "I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer."

             

            Could you please give me a hint on how to accomplish such a task? I would really appreciate it.

            Thanks,

            Andrea

            • 3. Re: User concerns around SSL Interception

              First create your own image to insert at the top of the page. A JPG, GIF or PNG should suffice. Upload it to the img/ directory where the block pages are. In this example, my image name is monitor.jpg.

               

              Then you have rules that open the HTML tags and insert the <img> tag right after the <body> tag.

              You should probably restrict this rule set to only a few categories that you want to warn against, not everything you are proxying. If you want to warn on everything, you should just have a welcome page display once at the beginning of the day instead.

               

              Rule Sets

              Rule set: Monitoring In Progress
                Enabled
                Applies to Requests: False / Responses: True / Embedded Objects: True
                Criteria: MediaType.EnsuredTypes contains text/html

                Rules (Enabled / Rule / Criteria / Action / Events / Comments):

                Enabled: Enable HTML Opener
                  Criteria: Always
                  Action:   Continue
                  Events:   Enable HTML Opener <HTML Filtering>

                Enabled: Set the Redirect Image
                  Criteria: Always
                  Action:   Continue
                  Events:   Set User-Defined.redirectImage =
                                "<img src="" +
                                "http" +
                                "://" +
                                IP.ToString(Proxy.IP) +
                                ":" +
                                Number.ToString(Proxy.Port) +
                                "/files/default/img/monitor.png" +
                                "">"

                Enabled: Remove Header for "Content-Length"
                  Criteria: Always
                  Action:   Continue
                  Events:   Header.RemoveAll("Content-Length")
                  Comment:  The HTML rules will modify the content length, so we delete this header so that user agents will not complain about getting less data than promised.

                Enabled: Find End of Start Tag
                  Criteria: HTMLElement.Name equals "body"
                  Action:   Continue
                  Events:   Set User-Defined.endOfStartTag = Body.PositionOfPattern(">",0,2000) + 1

                Enabled: Inject Image right after <body>
                  Criteria: HTMLElement.Name matches *body*
                  Action:   Continue
                  Events:   Body.Insert(User-Defined.endOfStartTag, User-Defined.redirectImage)

              User Defined Properties (Name / Type / Initial Value):
                User-Defined.endOfStartTag   Number   0
                User-Defined.redirectImage   String   ""

              Settings
                Engine: HTML Filtering
                Setting: Enable HTML Opener
                  List of elements that should be opened (NodeNameInlineList, inlineList):
                    Node Name: body   Start Tags Only: true
                  Only open elements that refer to external sources (OnlyOpenExternalLinks, Boolean): true

               

               

               

              Here is some of the output I tested:

              [Screenshots: Image1.jpg, Image2.jpg, Image3.jpg, Image4.jpg]

              Message was edited by: Erik Elsasser on 12/28/10 10:22:54 AM CST
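The <body> injection above, as an added example that is not from the thread and not McAfee's code: a stand-alone Python rewrite of what the five MWG rules do (open the HTML, find the end of the <body> start tag, insert the banner image, fix the length header), plus the cases a plain PositionOfPattern(">",0,2000) search does not cover: a <body> tag whose attribute value contains '>', a gzip-encoded response that must be decoded before bytes are inserted, and an https page in which an http:// image is mixed content that the browser may refuse to load. The proxy address 10.0.0.5:9090 and the sample responses are constructed for the example; BANNER_PATH reuses the thread's /files/default/img/monitor.png.

```python
"""Added example, not code from the MWG thread: banner injection right after
the <body> start tag, done on a whole buffered HTTP response.

Assumptions (constructed for this example): proxy address 10.0.0.5:9090 and
the sample responses below. BANNER_PATH reuses the path from the thread.
"""
import gzip
import re

BANNER_PATH = "/files/default/img/monitor.png"

# Start tag of <body ...>. Attribute values may contain '>' inside quotes, so
# the tag is tokenised as (unquoted chars | "..." | '...')* rather than as
# "everything up to the first '>'".
_BODY_TAG = re.compile(rb"<body\b(?:[^>\"']|\"[^\"]*\"|'[^']*')*>", re.IGNORECASE)


def naive_end_of_body_start_tag(html: bytes, search_limit: int = 2000) -> int:
    """The 'first > after <body' position, i.e. what the rule's
    PositionOfPattern(">",0,2000) + 1 computes. -1 if no <body> within limit."""
    start = html.lower().find(b"<body")
    if start < 0 or start >= search_limit:
        return -1
    close = html.find(b">", start)
    return -1 if close < 0 else close + 1


def end_of_body_start_tag(html: bytes, search_limit: int = 2000) -> int:
    """Offset just past the <body ...> start tag, quote-aware; -1 if absent."""
    m = _BODY_TAG.search(html)
    if m is None or m.start() >= search_limit:
        return -1
    return m.end()


def banner_tag(scheme: str, proxy_ip: str, proxy_port: int) -> bytes:
    """The <img> element the MWG rule builds, but using the scheme of the page
    being rewritten: an http:// image inside an https:// page is mixed content
    and the browser may not load it."""
    url = f"{scheme}://{proxy_ip}:{proxy_port}{BANNER_PATH}"
    return f'<img src="{url}" alt="Monitoring in Progress">'.encode()


def inject_banner(headers: dict, body: bytes, scheme: str,
                  proxy_ip: str, proxy_port: int):
    """Return (headers, body) with the banner injected.

    Non-HTML responses, responses without a <body> start tag, and responses in
    an encoding we cannot decode are returned unchanged rather than corrupted.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not lower.get("content-type", "").lower().startswith("text/html"):
        return dict(headers), body

    encoding = lower.get("content-encoding", "").strip().lower()
    decoded = encoding == "gzip"
    if decoded:
        body = gzip.decompress(body)
    elif encoding not in ("", "identity"):
        return dict(headers), body

    pos = end_of_body_start_tag(body)
    if pos < 0:
        return dict(headers), body
    new_body = body[:pos] + banner_tag(scheme, proxy_ip, proxy_port) + body[pos:]

    # The length changed, so the old Content-Length is wrong (the MWG rule
    # deletes it); here the whole body is known, so the correct value is set.
    # Content-Encoding goes too when the client is handed a decoded body.
    drop = {"content-length"} | ({"content-encoding"} if decoded else set())
    new_headers = {k: v for k, v in headers.items() if k.lower() not in drop}
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


# Constructed sample: uppercase tag, attributes, and a '>' inside a value.
SAMPLE_HTML = (b"<!DOCTYPE html><html><head><title>t</title></head>"
               b'<BODY class="main" data-note="a>b"><p>hello</p></BODY></html>')
SAMPLE_GZIP = gzip.compress(SAMPLE_HTML)

if __name__ == "__main__":
    hdrs = {"Content-Type": "text/html; charset=utf-8",
            "Content-Length": str(len(SAMPLE_HTML))}
    out_hdrs, out_body = inject_banner(hdrs, SAMPLE_HTML, "https", "10.0.0.5", 9090)
    print(out_hdrs)
    print(out_body.decode())
```

On the constructed sample, naive_end_of_body_start_tag lands inside the data-note attribute, so the banner would be spliced into the tag; end_of_body_start_tag lands on the following <p>. Rewriting a whole buffered body is also what makes recomputing Content-Length safe; a streaming filter that cannot see the end of the body has to drop the header, as the MWG rule does.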
              • 4. Re: User concerns around SSL Interception

                Thank you very much for the hint, it was very useful.

                I really appreciate it.

                Andrea.

                • 5. Re: User concerns around SSL Interception
                  Troja

                  Hi,

                  Is it also possible to show a coaching page before an SSL tunnel is decrypted by MWG?

                  Best Regards,

                  Thorsten