14 Replies Latest reply on Sep 13, 2013 11:19 AM by DBO

    SSL Inspect : To do or not to do

    DBO

      I am having a fight with the security dept and management about activating SSL inspect...  Just to make sure I have my facts straight, I need a list of what cannot be done if it's not active:

      • no way to detect user-built tunnels
      • no way to inspect the data with the AV for any SSL site
      • no way to allow only some Facebook and YouTube pages / channels

      What else?

        • 1. Re: SSL Inspect : To do or not to do
          apellepa

          Not only Facebook/YouTube (no way to allow only some Facebook and YouTube pages / channels) - this touches any site.

          No way to check the validity of the site's certificate (users can access a bad site with an invalid certificate).

          • 2. Re: SSL Inspect : To do or not to do
            Regis

            The best argument is that you have absolutely 0 visibility if an attacker pops a machine and then tunnels out command and control over https.  0 visibility.   You also have no visibility into what an employee bent on exfiltrating your data out to Google Drive or some random homegrown cloud service that's not yet in a category you block might be doing.   If you have any future data loss prevention drivers,  you may as well start inspecting SSL now.   If a breach were detected tomorrow somehow,  you would have no way of saying what was lost.    Granted, that's also true if you inspect SSL but the attacker exfiltrates data in encrypted form, but with SSL inspection you could at least have a means to set some alerts on that rather than saying, "oops, it's SSL, let it go in a free for all!"

            Granted, there is pain.  There is administrative overhead.  You will have to distribute a CA cert to your workstations (which, if you're already an AD environment, isn't a big deal).  If you have Firefox users you will have to distribute the addition of that middling cert to that browser too, as it doesn't use the Windows cert store like IE and Chrome so nicely do.  You'll need procedures for your Linux users to do the same.     There are also a lot of sites you will have to exclude from SSL inspection just to get them to work  (eLearning sites and  remote access/GoToAssist/WebEx stuff among them, and it seems dang near anything that legitimately requires any sort of Java thick client)... but the overhead is worth the visibility, I'd say.

            Attackers know that most places aren't inspecting SSL, and they're leveraging that to remain undetected.

            They also know that a lot of places haven't woken up to egress filtering (i.e. forcing at the network level that people use proxies to get to the web) either.     Which is also a painful but necessary step.

            Good luck!   Also recall that less clueful vendors *cough* Bluecoat *cough* make you pay extra for SSL inspection functionality that you're getting with MWG.   In terms of ROI,  management might want to rethink their resistance based on getting value out of the gear they've purchased.
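The exclusion list that Regis mentions is easy to get wrong, and a practitioner will want a way to confirm it from the client side. When a forward proxy re-signs server certificates, the leaf certificate a workstation sees is issued by the organisation's inspection CA; a host on the exclusion list is served the site's real chain instead. The script below, an added example that is not code from this thread or from McAfee Web Gateway, does a fully validated TLS handshake and classifies each host by the issuer it actually sees, so you can check that banking or e-learning hosts really are excluded and everything else really is inspected. The CA name "Corp MWG Inspection CA" and the host names are assumed placeholders.

```python
"""Check which CA issued the certificate a client actually sees for a host.

Added example (not code from the thread or from McAfee Web Gateway).
When a proxy re-signs server certificates with an organisational CA, the leaf
certificate presented to the client is issued by that CA; a host excluded from
inspection is served the site's real chain. Comparing the issuer lets a
defender verify the exclusion list behaves as intended.
"""
import socket
import ssl

# Assumed placeholder for the CA that was distributed to the workstations.
INSPECTION_CA_CN = "Corp MWG Inspection CA"


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer."""
    out = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def classify_cert(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """Return 'inspected', 'direct' or 'unknown' from the leaf issuer CN."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    cn = issuer.get("commonName")
    if cn is None:
        return "unknown"
    return "inspected" if cn == inspection_ca_cn else "direct"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """TLS handshake with chain and hostname validation against the OS trust store.

    Raises ssl.SSLCertVerificationError if the chain is not trusted, i.e. the
    invalid-certificate case the proxy cannot see without opening the tunnel.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_hosts(hosts, expected_exclusions,
                inspection_ca_cn=INSPECTION_CA_CN, fetch=fetch_peer_cert):
    """Return {host: (classification, ok)}; ok means the result matched policy.

    expected_exclusions holds hosts that should bypass inspection (banking,
    e-learning, ...) and therefore should show their real issuer.
    """
    report = {}
    for host in hosts:
        try:
            cls = classify_cert(fetch(host), inspection_ca_cn)
        except (ssl.SSLError, OSError) as exc:
            cls = "error: " + exc.__class__.__name__
        want = "direct" if host in expected_exclusions else "inspected"
        report[host] = (cls, cls == want)
    return report


if __name__ == "__main__":
    # Assumed hosts; run from an inspected workstation to see real results.
    for h, (c, ok) in audit_hosts(["www.example.com"], set()).items():
        print(h, c, "OK" if ok else "MISMATCH")
```

Because `fetch` is injectable, the same report can be produced from stored certificates or from a scheduled job on a few representative clients (Windows, Firefox profile, Linux) to catch the case where one platform never received the CA and is silently failing validation.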

            • 3. Re: SSL Inspect : To do or not to do
              Jon Scholten

              You can authenticate users for SSL, you can also still perform URL filtering for SSL traffic, and you can still perform certificate verification (although it does have its caveats -- no content inspection).

              You cannot use AV without SSL scanning. You would not be able to allow a specific Facebook page (assuming it's HTTPS).

               

              Best,

              Jon

              • 4. Re: SSL Inspect : To do or not to do
                asabban

                Hello,

                please note that for "URL Filter" you will only be able to filter the "URL" part... when MWG does not look into the tunnel it does not have access to the URL path. Our URL classification also respects paths and parameters, so for HTTPS you will limit the URL filter capabilities. This may also lead to different categorizations for URLs in HTTP and HTTPS.

                 

                Best,

                Andre
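The point Andre and Jon make, that without opening the tunnel the filter sees only the host, is worth seeing concretely. The script below is an added example, not code from this thread or from McAfee Web Gateway: it models a toy URL filter with constructed category rules, some keyed on a path prefix, and applies them to what a proxy actually receives, a full request line for plain HTTP versus only `CONNECT host:port` for HTTPS. The same Facebook page is allowable over HTTP but can only be treated as "the whole host" over an uninspected HTTPS tunnel, which is also why HTTP and HTTPS can end up in different categories. Rule names, hosts and paths are constructed illustrations.

```python
"""What a URL filter can see with and without opening the TLS tunnel.

Added example (not code from the thread or from McAfee Web Gateway). For
plain HTTP the proxy receives the full request target (host, path, query);
for HTTPS without inspection it receives only "CONNECT host:port", so any
rule keyed on a path or parameter cannot be evaluated.
"""
from urllib.parse import urlsplit

# Constructed rules, most specific first: (host, path_prefix or None, category).
# A None prefix matches the whole host.
RULES = [
    ("www.facebook.com", "/OurCompanyPage", "corporate-social"),
    ("www.facebook.com", None, "social-networking"),
    ("www.youtube.com", "/channel/TrainingChannel", "training"),
    ("www.youtube.com", None, "streaming-media"),
]
# Constructed policy: only these categories are allowed.
ALLOWED = {"corporate-social", "training"}


def visible_url(request_line):
    """Return (host, path) the proxy can inspect; path is None for a CONNECT tunnel."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]      # "host:443" -> "host"
        return host.lower(), None
    parts = urlsplit(target)
    return parts.hostname, parts.path or "/"


def categorize(host, path):
    """First matching rule wins; path rules are skipped when no path is visible."""
    for rule_host, prefix, category in RULES:
        if rule_host != host:
            continue
        if prefix is None:
            return category
        if path is not None and path.startswith(prefix):
            return category
    return "uncategorized"


def decide(request_line):
    """Return (category, 'allow'|'block') for one proxy request line."""
    host, path = visible_url(request_line)
    category = categorize(host, path)
    return category, ("allow" if category in ALLOWED else "block")


if __name__ == "__main__":
    for line in ("GET http://www.facebook.com/OurCompanyPage/photos HTTP/1.1",
                 "CONNECT www.facebook.com:443 HTTP/1.1"):
        print(line, "->", decide(line))
```

Run as-is, the HTTP request to the company page is allowed as "corporate-social" while the CONNECT to the same host can only be classified as "social-networking" and is blocked; the only way to get the page-level decision back for HTTPS is to inspect the tunnel so that the path becomes visible again.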

                • 5. Re: SSL Inspect : To do or not to do
                  DBO

                   

                  Just finish reading McAfee SNS Journal - Focus on Web Gateway SSL Scanner (Sep 2013) that focus on the same subject and one point missing in there (and here) is how secure is the data once Web Gateway open the SSL tunnel to do the content inspection. 

                   

                  Can an admin having full access to the appliance can access the now un encrypted data?  Can I run a pcap trace of this data now?

                  • 6. Re: SSL Inspect : To do or not to do
                    ITWebSec

                    The data does not appear in the clear on the wire in any way, so a pcap would not provide anything.

                    However, precautions do have to be taken to ensure the administrator can be trusted.

                    Any product that does MITM has the opportunity to expose data. I can capture all your Facebook passwords with a Squid proxy using SslBump.

                    The interception should be done with the user's consent. In most US enterprises, any usage of corporate resources is owned by the company and can be inspected for whatever reason.

                    It's no different than a mail administrator reading your messages.

                    • 7. Re: SSL Inspect : To do or not to do
                      DBO

                       

                       

                      Yes, I understand this but let me rephrase the question:  Is it possible to have access to the un-encrypted data within SecureWeb ?  This is what management is really concern about...  even if, as an admin,  i could do much worse on the PC side, mail side, etc...

                      • 8. Re: SSL Inspect : To do or not to do
                        Regis

                        In short, yes.  For someone who has admin on a web gateway, in an environment with SSL inspection turned on in policy,  and certificates distributed to all endpoints to facilitate this transparent-to-the-user-by-and-large interception,   debug modes are available in web gateway to get access to that traffic unencrypted.   At least I'm led  strongly to believe they are, as support's had to ask for such a few times when debugging some very squirrelly legitimate issues.

                        A compromise of a web gateway or a rogue web gateway administrator would be a Very Bad Thing.    As would a compromise of or malicious admin of the email server.  Or a compromise of or malicious insider on a domain controller.    At some point you have to trust somebody for any of this stuff to work.

                        The next question:   how to alert someone when such modes are invoked?    Good question.  I don't know.

                        Your response to management should also include the peril of not intercepting SSL on a web gateway.  Namely, an attacker could quietly exfiltrate untold amounts of company data out a simple https://  connection and you'd have no way to know it if not for middling the SSL connection with this or another appliance as part of a wider data leakage prevention/detection program.   Or, the fact that you won't be doing any scanning of payloads inside https:// connections for malware or heuristic issues, and it'll be up to the endpoint to sort all that out.  And (*gasp*) perhaps users making rational decisions.

                        on 9/12/13 4:58:46 PM CDT
                        • 9. Re: SSL Inspect : To do or not to do
                          Regis

                          DBO wrote:

                          Yes, I understand this, but let me rephrase the question:  Is it possible to have access to the unencrypted data within SecureWeb?  This is what management is really concerned about...  even if, as an admin,  I could do much worse on the PC side, mail side, etc...

                          What do you mean by "within SecureWeb"?    Do you mean within the http GUI interface to the Secure Web Gateways?

                          No, not directly as in "click here to see Zeke's unencrypted SSL traffic to his bank!"  That functionality is available in network DLP gear though   (if you're inspecting that category on the web gateway and sending it over to DLP gear, that is).         I'm not actually sure myself what the "take a peek at things" recipe would be for an environment that doesn't already have network DLP installed, and even for them, typically only POSTed info gets sent decrypted, sent over ICAP to the DLP gear.   But I'm reasonably sure an administrator (of any manufacturer's SSL inspecting web appliance)  could cobble it together, because at the end of the day, if that capability isn't there somewhere, somehow, there are problems that one simply couldn't debug any other way if such hooks weren't available.

                          on 9/12/13 5:26:05 PM CDT