With Twitter, Google and Facebook already serving their sites over HTTPS and Yahoo about to follow, Secure Sockets Layer (SSL) scanning is becoming a vital part of every company’s defence against malware. (The term SSL is used throughout, although what is inspected today is almost always its successor, TLS.) It decrypts encrypted Internet traffic so that applications and web sites can be inspected for hidden threats, and the same capability can be used to monitor Internet usage and ensure that corporate policies are adhered to. In this article, Redscan describes its SSL scanning solution and provides recommendations based on industry best practice.
Why and How
In a normal SSL session the client (usually a web browser) requests a secure connection and tells the server which protocol versions and cipher suites it supports; the server chooses from these and presents its certificate. The client checks that the certificate chains to a CA in its trust store and that it was issued for the name of the site it asked for, after which the two sides establish the session keys. (The server only authenticates the client if client certificates are in use, which is rare on the public web.) Redscan’s integrated technology solution implements a transparent proxy so that the firewall can inspect the SSL traffic that passes through it. The proxy terminates the client’s SSL session to gain access to the unencrypted data stream for inspection, and initiates a new outbound SSL connection of its own to the target site. To satisfy the client, the proxy dynamically generates a certificate for the target site and signs it with the private key of a CA (certificate authority) certificate that the client must trust; this is usually achieved by making the CA certificate part of the standard operating environment so that users have it by default. The client sees a secure and trusted connection while the firewall inspects the traffic. Two consequences follow. First, the browser never sees the real server’s certificate any more, so it is the proxy that must validate it, and it must do so at least as strictly as the browser would have; the CA private key, which now signs certificates for every site users visit, must be protected accordingly. Second, any device that does not carry the CA certificate, and any application that pins the certificate it expects, will see the proxy-issued certificate as untrusted and must either be enrolled or excluded from interception. Within the network, the proxy intercepts all data travelling over port 443 and any other ports known to carry SSL traffic.
Decrypting users’ traffic raises privacy concerns, and companies deploying this technology must notify their users. Some sites should not be intercepted at all, such as personal banking, where a user may be sending private data that the company does not want to see. Where online shopping is permitted, shopping sites may also be left alone, since credit card details pass between the user and the site. A different privacy question arises when a company needs to monitor what its users post on social network accounts that belong to the company. This is possible with data leak prevention (DLP) software that is tightly integrated with the application control software; it can block or alert on posts containing particular words or phrases, or simply monitor the accounts regarded as corporate. Employees need to be told of company policy in this case too.
Procera Networks provides intelligent policy enforcement solutions based on Deep Packet Inspection (DPI) technology, enabling telcos and organisations to improve visibility and control of their private networks. Redscan’s solution uses Procera’s Network Application Visibility Library (NAVL), which features industry-leading application classification at speeds of more than 40Gbps with minimal on-board resource consumption; its lock-free, multi-threaded design scales linearly with core count. Minimising the resources required for integrated DPI and application classification matters: the less processor power and memory needed, the smaller the footprint and the lower the cost of the customer’s network infrastructure, and NAVL is the least resource-intensive DPI and application classification technology in the industry. Whatever the classification engine, however, decrypting and re-encrypting traffic has a cost of its own, and customers should discuss the implications for their throughput with their support team.
One important feature of SSL scanning is that it lets a company define a policy towards SSL certificates and enforce it. Users, in general, ignore the warnings that browsers present about a site’s certificate. This is partly because they do not understand the messages and partly because of the number of certificates that are privately issued or whose CA is not recognised by the browser. Trained by these ‘false positives’, users do not stop to ask why a warning is being generated; they just click through. Because the proxy re-signs every intercepted connection, the browser no longer sees the original certificate at all, so the proxy is the only point where such a policy can be enforced. With Redscan’s implementation of SSL scanning, companies can provide a greater level of protection by specifying which warnings are enforced. For instance, it might be company policy to block all access to sites whose certificate has been revoked but to allow those whose CA is not recognised, or to block access to any site with any certificate problem at all.
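The interception flow described under Why and How, and the certificate warning classes that a policy like the one above acts on, as an added example in Go (not Redscan’s code, and not taken from the original article). It builds a constructed ‘public’ CA and an upstream certificate for www.example.com (the reserved documentation name), then an interception CA that mints a look-alike leaf for the same name, and finally asks what a client with the interception CA in its trust store, a client without it, a client that asked for a different name, and a client shown an expired leaf each see. The CA and host names are assumptions for the demonstration; classify() names only the classes Go’s own verifier reports, and revocation is deliberately not checked because Go’s x509 package does not do it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a P-256 key pair and a certificate for it: a self-signed CA
// when isCA is set, otherwise a TLS server leaf for subject/dnsNames signed by
// parent. Setup failures are fatal, which is fine for a demonstration.
func issue(subject pkix.Name, dnsNames []string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real issuers use random 128-bit serials
		Subject:               subject,
		DNSNames:              dnsNames,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// classify verifies leaf for host against roots and names the warning class
// a policy can act on. Revocation is absent on purpose: Go's Verify consults
// neither CRLs nor OCSP, so a "revoked" rule needs its own status lookup.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown_ca"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "name_mismatch"
	}
	return "other"
}

// Demo runs the interception flow on constructed certificates (www.example.com
// is the reserved documentation name) and reports what each party observes.
func Demo() map[string]string {
	now, host := time.Now(), "www.example.com"
	day, year := 24*time.Hour, 365*24*time.Hour
	publicCA, publicKey := issue(pkix.Name{CommonName: "Constructed Public Root"}, nil, true, nil, nil, now.Add(-time.Hour), now.Add(year))
	upstream, _ := issue(pkix.Name{CommonName: host}, []string{host}, false, publicCA, publicKey, now.Add(-time.Hour), now.Add(90*day))
	proxyCA, proxyKey := issue(pkix.Name{CommonName: "Constructed Interception CA"}, nil, true, nil, nil, now.Add(-time.Hour), now.Add(year))
	// Per-connection step: the same identity as upstream, signed by the proxy CA.
	forged, _ := issue(upstream.Subject, upstream.DNSNames, false, proxyCA, proxyKey, now.Add(-time.Hour), now.Add(day))
	expired, _ := issue(upstream.Subject, upstream.DNSNames, false, proxyCA, proxyKey, now.Add(-2*day), now.Add(-day))
	publicRoots, withCA, withoutCA := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	withCA.AddCert(proxyCA)
	return map[string]string{
		"proxy_sees_upstream": classify(upstream, publicRoots, host), // the proxy must now validate the real cert
		"client_with_ca":      classify(forged, withCA, host),        // managed device trusting the proxy CA
		"client_without_ca":   classify(forged, withoutCA, host),     // unenrolled device
		"client_wrong_host":   classify(forged, withCA, "mail.example.com"),
		"client_expired":      classify(expired, withCA, host),
	}
}

func main() {
	for scenario, class := range Demo() {
		fmt.Printf("%-20s %s\n", scenario, class)
	}
}
```

Run it with go run. The proxy_sees_upstream line is the check the proxy now performs on the browser’s behalf; client_without_ca is what an unenrolled device experiences, and the forged leaf passes on the enrolled client only because its name and validity are right, which is exactly what the per-class policy above gets to decide on.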
Any site that is permitted is decrypted before scanning. The decrypted stream is then scanned using Redscan’s three specialist partners:
• Kaspersky
• Commtouch
• ClamAV
Once the content has been checked, the traffic is encrypted again on the session with the client for onward transmission to the end user.
Redscan integrates Procera’s technology into the Application Inspection feature of its next generation firewall, enabling it to detect more than 1,200 (and growing) web-based and SSL-protected applications. Procera’s NAVL provides real-time application classification and metadata extraction on network traffic, which feeds a straightforward rating system for an application’s security risk and productivity impact. The configuration can of course be customised to suit an organisation’s particular needs. With new app categorisations added to the database weekly, organisations need not worry about emerging apps slipping under the radar: they are categorised and rated automatically. As part of the application control service, Redscan’s engineers can also add applications on request, so a customer with a bespoke application that it wants to control can ask for it to be added to the list. Some example app categorisations are shown below. The Productivity Index runs from 1 (primary use is recreation) to 5 (primary use is business), and the Risk Index from 1 (no risk) to 5 (very high: evades detection or evades firewalls).
Based on best practice, Redscan recommends the following actions:
1. Once the company policy is ready to be implemented, notify end users so that they know about and understand the new policy.
2. Decide which sites are to be scanned and which will be allowed to pass through un-inspected. As discussed, it may be best to let financial sites, such as personal banking, pass through.
3. Decide on the certificate policy. Sites that are passed through are never decrypted or scanned, so it may be best to apply full certificate checking to them, blocking anything that is not valid and issued by a known CA; sites that are scanned by the anti-malware engines can have looser rules applied, since their content is still inspected.
4. Decide on the main purpose of SSL scanning: is it sufficient to scan the traffic for malware, or does the company also want to implement application control?
5. If application control is to be implemented, identify which applications need to be controlled. Popular candidates are social networking applications such as Facebook and Twitter.
6. Decide whether any DLP is required and, if so, which words and phrases are to be matched.
7. Publish a date when the new policy goes live so that all users are aware.
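The seven steps above as a policy engine, added here as an example in Go and not part of Redscan’s product or of the original article. The site categories (finance, health, malware), the certificate warning classes, the corporate account handle acme-corp and the DLP phrases are all constructed for the demonstration. It makes explicit two things the steps imply: a bypassed site is never decrypted, so neither malware scanning nor DLP can apply to it, which is why it gets the stricter certificate rules; and a warning class the policy does not recognise is blocked rather than waved through.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Route is what the proxy does with a connection once the site is classified.
type Route string

const (
	RouteBlock   Route = "block"   // refused outright
	RouteBypass  Route = "bypass"  // passed through undecrypted: no malware scan, no DLP
	RouteInspect Route = "inspect" // decrypted, scanned, re-encrypted
)

// Policy holds the decisions from the recommended steps. Bypassed sites get
// their own, stricter, set of blocked certificate warnings because nothing
// else will look at their content. All values are constructed for the example.
type Policy struct {
	BypassCategories  map[string]bool
	BlockedCategories map[string]bool
	BypassWarnings    map[string]bool // warning classes blocked on bypassed sites
	InspectWarnings   map[string]bool // warning classes blocked on inspected sites
	DLPPhrases        []string
	CorporateAccounts map[string]bool
}

// Request is what the proxy knows about one connection. CertWarning is one of
// "ok", "expired", "unknown_ca", "name_mismatch" or "revoked"; Account and
// Body describe a social-network post and are only visible when inspecting.
type Request struct {
	Host, Category, CertWarning, Account, Body string
}

var knownWarnings = map[string]bool{"ok": true, "expired": true, "unknown_ca": true, "name_mismatch": true, "revoked": true}

// Evaluate applies the rules in order: category block, unrecognised
// certificate state (fail closed), privacy bypass with its strict certificate
// rules, certificate rules for inspected traffic, then DLP on corporate
// accounts. It returns the route and the reason for it.
func (p Policy) Evaluate(r Request) (Route, string) {
	switch {
	case p.BlockedCategories[r.Category]:
		return RouteBlock, "blocked category " + r.Category
	case !knownWarnings[r.CertWarning]:
		return RouteBlock, "unrecognised certificate state " + r.CertWarning
	case p.BypassCategories[r.Category] && p.BypassWarnings[r.CertWarning]:
		return RouteBlock, "certificate " + r.CertWarning + " on bypassed site"
	case p.BypassCategories[r.Category]:
		return RouteBypass, "privacy bypass for " + r.Category
	case p.InspectWarnings[r.CertWarning]:
		return RouteBlock, "certificate " + r.CertWarning
	}
	if p.CorporateAccounts[r.Account] {
		if phrase := p.dlpMatch(r.Body); phrase != "" {
			return RouteBlock, "DLP phrase " + phrase
		}
	}
	return RouteInspect, "decrypt and scan"
}

// dlpMatch returns the first configured phrase found in body. Matching is
// case-insensitive, on word boundaries and across any whitespace between the
// words, so "internal only" fires on "Internal  ONLY" but not on "onlyness".
// Patterns are compiled per call to keep the example short.
func (p Policy) dlpMatch(body string) string {
	for _, phrase := range p.DLPPhrases {
		words := strings.Fields(regexp.QuoteMeta(phrase))
		if regexp.MustCompile(`(?i)\b` + strings.Join(words, `\s+`) + `\b`).MatchString(body) {
			return phrase
		}
	}
	return ""
}

// DefaultPolicy is a constructed policy following the recommended steps.
func DefaultPolicy() Policy {
	return Policy{
		BypassCategories:  map[string]bool{"finance": true, "health": true},
		BlockedCategories: map[string]bool{"malware": true},
		BypassWarnings:    map[string]bool{"expired": true, "unknown_ca": true, "name_mismatch": true, "revoked": true},
		InspectWarnings:   map[string]bool{"expired": true, "revoked": true}, // unknown CA tolerated: content is scanned anyway
		DLPPhrases:        []string{"project falcon", "internal only"},
		CorporateAccounts: map[string]bool{"acme-corp": true}, // hypothetical corporate handle
	}
}

func main() {
	p := DefaultPolicy()
	for _, r := range []Request{
		{Host: "bank.example", Category: "finance", CertWarning: "unknown_ca"},
		{Host: "forum.example", Category: "social", CertWarning: "unknown_ca"},
		{Host: "social.example", Category: "social", CertWarning: "ok", Account: "acme-corp", Body: "Project FALCON ships Monday"},
	} {
		route, why := p.Evaluate(r)
		fmt.Printf("%-15s %-8s %s\n", r.Host, route, why)
	}
}
```

The same unknown-CA warning is blocked on the bank and tolerated on the forum: on the bank nobody will ever see the content, so the certificate check is the only control left, while the forum’s traffic is still decrypted and scanned. The DLP rule only reaches posts from the account the company owns, which matches the notification obligation in step 1.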