3 Replies Latest reply on Sep 9, 2013 12:55 PM by Jon Scholten

    Exceptions to SSL Scanning




      in MWG version 6.x there was an easy setting to exempt certain URL categories from SSL scanning. Categories specified here would simply be tunneled.


      I want to do something similar in MWG 7.x, but I am wondering how to define the rule and where to place it. I am using the default SSL-Scanner ruleset. In there I can see two different "whitelists": one is for tunneling hosts (happens inside the "Handle CONNECT call" ruleset and stops the complete cycle for matching hosts) and the other is a whitelist found in the SSL-Scanner -> Content Inspection ruleset, which stops content inspection for matching hosts but still does certificate verification. I could modify both rules to include a custom URL category list, but I am not sure which of the two rules would be better.


      I know the technical difference between the two whitelists (the first completely bypasses the SSL scanner engine and stops the request cycle, so no further checks are done); the second would at least do some certificate checks but omit content scanning.


      I am thinking about categories like Finance, Online Banking, for which our users in Germany are very sensitive in terms of data protection.


      Any thoughts on this? What's best practice here?



        • 1. Re: Exceptions to SSL Scanning



          There are a couple of advantages for each, I think.


          If you leave certificate verification in place MWG will verify that the certificate is OK, not expired, not self-signed, not signed by a bad certificate authority, etc. This is generally a check you want for security reasons, even for banking sites it may be beneficial to have an additional layer of security and a "second opinion" on the certificate.


          If the certificate is "suspicious" the access will be denied and the user has no chance at all to overcome this block. If you completely whitelist SSL Scanner the user will notice a warning that something is wrong with the certificate, but it is up to him to decide whether the certificate is trustworthy or not.


          Another fact to keep in mind is that enabling certificate verification will prevent users from accessing a website if MWG does not know the certificate authority. This may happen for CAs that are not known, but CAs are updated frequently, and in case you find a CA the subscribed list is updated in a short period of time.


          For me this is a question of how "skilled" your users are. I know that we have customers with users that are technically expert and/or trained - they would become nervous when they notice that the browser shows a warning about an expired certificate and won't continue their doings. But I also know we have customers with users who would continue doing online banking, even if the certificate is suspicious.


          So the question is: Do you want to leave this decision to your users?


          In my opinion I would leave Certificate Verification in place. It won't hurt as long as all is good with the certificates, and usually banks are very sensitive in regards to their certificates. If a banking web site uses a certificate that MWG would block, there might be a reason for it. I definitely would stop my users from going there and have a look myself or via some IT helpdesk before letting them proceed.


          Privacy is not an issue as long as you keep content inspection disabled due to whitelisting. The original certificate will be used to encrypt the connection, there is no way for MWG to look inside.
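To make the difference between the two whitelists concrete, the following Python simulation walks one CONNECT request through the rule cycle as Andre describes it: a category on the "Handle CONNECT" tunnel whitelist stops the cycle before any check runs, everything else goes through certificate verification, and a category on the Content Inspection whitelist is then left encrypted end-to-end instead of being decrypted. This is an added example, not MWG code or configuration; the host categories, CA names and certificate fields are constructed, and the verifier checks only what the thread names (expired, self-signed, unknown CA) plus an assumed hostname check.

```python
"""Simulation of the two SSL-scanner whitelists discussed in the thread.

Constructed example, not MWG configuration: it models the rule cycle as
described (tunnel whitelist in "Handle CONNECT" stops the cycle; content
inspection whitelist skips decryption but still verifies the certificate).
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ServerCert:
    """Constructed stand-in for the fields a proxy sees in the server's
    TLS handshake (assumption: these are the only fields checked here)."""
    subject: str
    issuer: str
    not_after: date
    hostnames: list = field(default_factory=list)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed trust store and category lists (names are assumptions).
TRUSTED_CAS = {"Example Root CA", "Example Bank CA"}
TUNNEL_CATEGORIES = {"Online Banking"}   # whitelist inside "Handle CONNECT"
NO_INSPECT_CATEGORIES = {"Finance"}      # whitelist inside Content Inspection

# Constructed URL-category lookup standing in for the proxy's URL filter.
HOST_CATEGORY = {
    "bank.example": "Online Banking",
    "broker.example": "Finance",
    "shop.example": "Shopping",
}


def verify_certificate(cert: ServerCert, host: str, today: date) -> list:
    """Return a list of problems; an empty list means the certificate passed."""
    problems = []
    if cert.self_signed:
        problems.append("self-signed")
    elif cert.issuer not in TRUSTED_CAS:
        problems.append(f"unknown CA: {cert.issuer}")
    if cert.not_after < today:
        problems.append("expired")
    if host not in cert.hostnames:
        problems.append("hostname mismatch")
    return problems


def handle_connect(host: str, cert: ServerCert, today: date) -> tuple:
    """Walk the simplified rule cycle for one CONNECT request.

    Returns (action, problems) where action is one of
    "tunnel", "block", "verify-only" or "inspect".
    """
    category = HOST_CATEGORY.get(host, "Uncategorized")

    # Rule 1 ("Handle CONNECT" tunnel whitelist): stops the whole cycle,
    # so no certificate check of any kind runs for these hosts.
    if category in TUNNEL_CATEGORIES:
        return ("tunnel", [])

    # SSL scanner engine: certificate verification runs for everything else.
    problems = verify_certificate(cert, host, today)
    if problems:
        return ("block", problems)

    # Rule 2 (Content Inspection whitelist): certificate was checked, but
    # the original server certificate stays in use, so nothing is decrypted.
    if category in NO_INSPECT_CATEGORIES:
        return ("verify-only", [])

    # Default: decrypt and inspect content.
    return ("inspect", [])


if __name__ == "__main__":
    today = date(2013, 9, 9)
    good = ServerCert("broker.example", "Example Bank CA", date(2014, 1, 1), ["broker.example"])
    print(handle_connect("broker.example", good, today))
```

With the tunnel whitelist an expired or self-signed certificate on an "Online Banking" host is never examined, which is exactly the trade-off the reply above describes; with the Content Inspection whitelist the same certificate is rejected while a good one is passed through without decryption.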




          • 2. Re: Exceptions to SSL Scanning

            Thanks Andre for your detailed response. Especially the fact that there is no privacy issue when doing certificate checks while disabling content inspection is the key information I was looking for.


            So in that scenario, could I describe it as "Connection is being tunneled, not decrypted, but certificates are checked"?



            • 3. Re: Exceptions to SSL Scanning
              Jon Scholten

              Hi cc,


              That is an accurate description. Only if content inspection is used will the connection be decrypted.