BlueCoat SSL Visibility

    Security Empowers Business

    SOLUTION BRIEF

    The use of SSL encryption for all enterprise Internet traffic is growing steadily. Applications that make use of SSL – such as SharePoint, Exchange, WebEx, Salesforce.com and Google Apps – are commonplace. Even email applications like Gmail, Yahoo, and Zimbra are being used in workplace environments as hosted email or BYOD apps.

    It’s clear that organizations now need complete visibility into the SSL traffic coming across the WAN. They need the ability to preserve complete network and web histories from encrypted network and web traffic for compliance, regulatory and logging requirements. Blue Coat has solutions today to address the SSL dilemma.

    Risks Associated With SSL

    For end users, SSL has long been a means to secure web-based transactions that enable e-commerce and online banking. Over time, the simplicity of SSL has made it the perfect vehicle for migrating new online services to web-based models, including applications for viewing medical records, ordering prescriptions, and filing tax returns.

    Surveys show that over 50 percent of enterprise applications now use SSL – SharePoint, Exchange, WebEx, Salesforce.com and Google Apps are examples. Many social networking and consumer applications such as Facebook and Gmail already default to full-time use of SSL by their end users. The use of SSL in enterprise traffic and across the Internet has grown steadily, with a 52 percent CAGR in SSL-based WAN traffic. It’s clear that there are legitimate needs for encrypted data within, to and from the enterprise. But as many IT managers are aware, its privacy benefits can be overshadowed by its risks.

    While encrypting web sessions protects end-user data from being viewed in transit over the Internet, it creates a blind spot for IT administrators: they typically have no visibility into SSL-encrypted traffic. For that reason, SSL has quickly become one of the most popular ways to mask malicious code such as Trojan horses and viruses. Incoming threats can hide in SSL to bypass security architectures, and the same threats are now a growing problem for outbound enterprise traffic. This is becoming a hot button for security applications that tackle data loss prevention (DLP), compliance reporting and lawful intercept – solutions that could, at one time, see what was outgoing, but are suddenly in the dark because of the growth of SSL traffic.

    This lack of visibility into SSL can make it difficult or impossible for network administrators to enforce corporate acceptable use policies and to ensure that threats like viruses, spam and malware are stopped before they reach individual users. The inability to examine the contents of SSL communications also makes it possible for information to be accidentally leaked out of the enterprise – or worse, stolen.

    Regulatory compliance requirements, including the identification of accidental or intentional leakage of confidential information, are also virtually impossible to meet because of SSL encryption. In many instances, enterprises face conflicting requirements to encrypt and examine data. In typical installations, these seemingly incompatible requirements cannot be met with acceptable performance. This SSL conundrum has wreaked havoc on organizations subject to industry and government compliance mandates, such as HIPAA and Sarbanes-Oxley (SOX), which require that only authorized individuals have access to hardware and software resources within the network infrastructure. Other compliance mandates require organizations with publicly accessible networks to be able to provide law enforcement agencies with documentation of network activity – which requires that all traffic be unencrypted.

    SSL Control Approaches

    Network operators already deploy an array of network and security appliances to protect their enterprises, enforce internal acceptable-use policies and satisfy government regulations. These devices provide solutions for detecting rogue applications, controlling unrestricted web surfing, firewalling traffic, providing VPNs, and providing network access control (NAC), intrusion detection (IDS), intrusion prevention (IPS), unified threat management (UTM), regulatory compliance, virus protection, spam control, and other security measures. These appliances work almost entirely by providing deep packet inspection and flow analysis, looking for known patterns of mischievous activity and blocking or recording it. Unfortunately, these network and security appliances, in many instances, can only inspect plaintext traffic and are unable to inspect SSL-encrypted communications for attack signatures. They are therefore becoming less and less effective as the volume of encrypted SSL traffic continues to grow.

    Network operators have had to choose between two extremes in confronting these issues. They can take a draconian approach by blocking SSL communications entirely, or allow SSL communications transparently, without inspection, by leaving port 443 open on their security infrastructure. This approach greatly reduces the effectiveness of networks and of security appliances, which can’t examine encrypted flows. Neither choice is a viable option for enterprise networks.

    Other approaches have been used. They all provide plaintext inspection of SSL-encrypted flows, enabling the dropping of content that doesn’t meet acceptable-use policies, or the logging of suspected attacks to a management station. Just as importantly, they identify and permit SSL in legitimate use cases. In many instances, these methods are successful at examining encrypted SSL, but they typically suffer other major problems that limit their effectiveness.

    Blue Coat SSL Visibility Solutions

    Blue Coat can give enterprises visibility into encrypted traffic with the SSL Visibility Appliance and Encrypted TAP for ProxySG. The SSL Visibility Appliance provides high performance and multiple streams of decrypted content for use in IDS, IPS, compliance, logging, threat analysis and other measures across all network ports. For organizations considering the use of SSL proxy and interception in their ProxySG deployment, Encrypted TAP offers complete visibility of encrypted web traffic for use in logging, forensics, and analysis. It’s available as an add-on option to ProxySG Secure Web Gateway appliances.

    Blue Coat SSL Visibility Appliance

    [Image: The Blue Coat SSL Visibility Appliance]

    The Blue Coat SSL Visibility Appliance provides decrypted content of SSL flows to existing security appliances used for intrusion detection and prevention, forensics, compliance and data loss. This enables them to provide their security applications with visibility into both SSL and non-SSL network traffic. End users can add SSL inspection capabilities to their network security architectures immediately to close the security loophole that SSL creates.

    Features and Benefits

    The unique capabilities of the Blue Coat SSL Visibility Appliance help organizations to remove risks arising from lack of visibility into SSL traffic while increasing the performance of security and network appliances. It offers line-rate high-performance throughput, and allows for non-SSL flows to be sent directly to attached security appliances in less than 40 microseconds, minimizing delay for applications such as VoIP. The Appliance is available in three performance-level models. The high-end system, the SV3800, supports decryption of up to 4Gbps of SSL traffic in a WAN link of up to 40Gbps (20 Gbps in each direction) for a variety of SSL versions and cipher suites.

    The SSL Visibility Appliance can support the simultaneous analysis of up to 6,000,000 TCP flows for SSL content. It handles up to 400,000 concurrently active SSL sessions that are being inspected. The setup and teardown rate of up to 11,500 SSL sessions per second is more than 10 times higher than other solutions.

    Deploying the SSL Visibility Appliance is transparent to end systems and to intermediate network elements. It doesn’t require network reconfiguration, IP addressing or topology changes, or modification to client and web browser configurations. The Appliance can be deployed inline or through the use of SPAN/TAP or a mirror port to handle inbound and outbound SSL traffic. Deployments that provide decrypted data to active security appliances enable policy and enforcement actions on SSL traffic; deployments that feed passive security appliances are better suited for logging and visibility requirements.

    For more information on the technical aspects of SSL, download the Blue Coat SSL Technical Primer here.

    The decrypted content from the SSL Visibility Appliance is designed for application preservation. Intercepted plaintext is delivered to security appliances as a generated TCP stream that contains the packet headers as they were received. This allows applications and appliances used for IDS, IPS, forensics, data loss prevention, and other measures to expand their scope to SSL-encrypted traffic.

    The SSL Visibility Appliance also supports input aggregation and output mirroring. Input aggregation allows aggregation of traffic from multiple network taps onto a single passive-tap segment for inspection. Output mirroring allows the Appliance to feed traffic to one or two attached passive security appliances in addition to the primary active security appliance.

    SSL Visibility Appliances are designed for high availability with integrated fail-to-open hardware and configurable link state monitoring and mirroring for guaranteed network availability and network security.

    For those deployments where security certification is a requirement, Blue Coat’s SSL Visibility Appliances are in the process of receiving FIPS 140-2 Level 2 certification.

    Encrypted Tap

    Blue Coat Encrypted Tap is a new optional feature for ProxySG appliances that works with the SSL proxy to provide complete visibility into SSL traffic. Encrypted Tap sends a stream of decrypted traffic to third-party logging systems for analysis, archiving, and forensics. By providing this SSL visibility and control, Blue Coat now offers a complete SSL web security solution with its ProxySG family of secure proxy appliances.

    Features and Benefits

    SSL interception and filtering is not a new feature for the Blue Coat ProxySG. SSL Proxy has been an integral part of it for well over five years. It includes the ability to selectively inspect attachments for malware, and content for data leakage prevention, through the use of policy. It also enables third-party integration of anti-malware and DLP offerings over ICAP (Internet Content Adaptation Protocol). SSL Proxy terminates and re-establishes SSL connections and allows the ProxySG to securely send attachments and content for inspection services. Encrypted Tap builds on the SSL Proxy and allows all or selected SSL-encrypted web traffic to be decrypted and its content streamed to a third-party system for additional analysis, archiving, and forensics.

    Encrypted Tap is available for the SG600, SG900 and SG9000 series Blue Coat ProxySG appliances. These appliances already include SSL hardware assist and SSL licenses, and would need only the additional Encrypted TAP license to deliver SSL visibility.

    The ProxySG with SSL Proxy and Encrypted Tap allows organizations to eliminate the SSL blind spot with visibility and control over SSL-encrypted traffic. They can stop rogue applications from using SSL to subvert enterprise controls and security measures, and they can scan SSL-encrypted traffic for viruses, worms, and Trojans, and stop them at the gateway.

    The solution can also help prevent spyware from installing or communicating over SSL; halt secured phishing and pharming attacks that use SSL to hide from IT controls or to increase the appearance of authenticity; and accelerate approved and safe SSL-encrypted traffic.

    ProxySG also allows administrators to take a granular approach to proxying SSL for applications of different trust levels and privacy concerns – pass-through, check/verify then pass-through, or proxy with full visibility and control.

    The policy capabilities of the ProxySG allow for the display of splash screens reminding users of acceptable use, and warning them that monitoring extends to SSL.

    Encrypted Tap on the ProxySG allows for visibility of both internal and external SSL traffic. It does more than enhance security – it also provides a better user experience. The Blue Coat solution actually improves overall session performance up to 1,000 percent by leveraging the ProxySG’s MACH5 acceleration technologies (caching, compression, and bandwidth prioritization policies).

    [Diagram: ProxySG SSL interception with Encrypted Tap. The client-side encrypted traffic carries a certificate with CN: Gmail, CA: ProxySG Cert; the ProxySG’s upstream connection carries the origin certificate with CN: Gmail, CA: Verisign. Decrypted traffic is passed to the security solution (ProxyAV, DLP, etc.) and to the SSL Visibility Appliance.]


    © 2013 Blue Coat Systems, Inc. All rights reserved. v.SB-SSL-VISIBILITY-EN-v1c-0813

    Blue Coat Systems Inc. www.bluecoat.com

    Corporate Headquarters Sunnyvale, CA

    +1.408.220.2200

    EMEA Headquarters Hampshire, UK

    +44.1252.554600

    APAC Headquarters Singapore

    +65.6826.7000

    About Blue Coat

    Security technology can focus on prevention and prohibition and instill a culture of fear or it can center on possibilities, and help you unleash your full business potential.

    Blue Coat offers more than the industry’s most advanced and sophisticated security technology. We offer a whole new outlook on how security technology provides business value. It’s called Business Assurance Technology. And it’s delivered by our Centers, a comprehensive array of technologies, products, services, and capabilities that give you total protection and help you see and exploit new opportunities. With the products, services, and technologies within Resolution Center, you get the intelligence you need to understand all of the traffic on your network – even encrypted SSL traffic – so you can make informed decisions. Blue Coat offers two options for SSL Visibility, a key component in our Resolution Center.

    Learn more about our Centers at www.bluecoat.com/business-assurance-technology

    [Image: Blue Coat ProxySG Appliance]

    All ProxySG appliances are powered by a purpose-built operating system, and can be centrally managed as part of an enterprise-wide solution deployment.

    Requirements for Encrypted Tap

      • ProxySG (SG600/SG900/SG9000)
      • Collection system (system configured to receive tapped data)
      • For complete security, a dedicated ProxySG interface on a private network with the collection system
      • Minimum SGOS release: 6.5
      • SSL License on the ProxySG
      • Encrypted TAP License

    Conclusion

    Forecasts point to continued growth in SSL-encrypted traffic. IT network operators are looking for new solutions that satisfy the need for information security for the enterprise and for individual users, as well as requirements for corporate compliance, acceptable-use policies and government regulations for security and privacy. The solution must not impact network performance, because compliance at the expense of throughput is no more acceptable than meeting user and application bandwidth requirements while ignoring security. It has been difficult, if not impossible, to satisfy these competing requirements for security, performance and control. Blue Coat offers a choice of solutions that give any organization visibility into SSL encrypted traffic.

    Choosing the right solution

    SSL VISIBILITY APPLIANCES | ENCRYPTED TAP FOR PROXYSG
    --------------------------|--------------------------
    Multiple streams (up to three attached security devices with decrypted traffic) | Single stream output
    Copy of decrypted traffic can be sent to: inline deployment with policy enforcement options for active appliances; inline with passive appliances; SPAN/Tap/Mirror deployment with passive appliances | Copy of decrypted traffic only; all ProxySG deployment methodologies supported (see SWG Deployment Methodologies white paper)
    High performance (multi-gigabit/sec SSL visibility throughput) | Performance based on ProxySG performance
    Policy capability based on IP addresses and other network parameters | Full policy (CPL) integration
    Detection of all SSL flows, irrespective of destination port value, using DPI techniques; provides the clear text of any SSL flow including HTTPS, POP3, SMTP and other protocols that use TLS | SSL visibility of web traffic
    Standalone appliance | Requires existing or new ProxySG
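The table above lists "detection of all SSL flows, irrespective of destination port value, using DPI techniques" as a distinguishing capability, and the ProxySG section describes choosing pass-through, verify, or full interception per application. The script below is an added example (not Blue Coat's code and not from this brief) of the core of such a detector in Python: it recognises a TLS ClientHello record at the start of a TCP payload by its bytes rather than by port, and extracts the SNI host name, which is the field a policy engine would key its per-application decision on. The ClientHello records and flow tuples are constructed in the script (the `build_client_hello` helper is a hypothetical test builder, not captured traffic).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard TLS values (RFC 5246 / RFC 6066); nothing here is vendor-specific.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


@dataclass
class ClientHelloInfo:
    version: int              # legacy_version field of the ClientHello (0x0303 = TLS 1.2)
    sni: Optional[str]        # host_name from the server_name extension, if present
    cipher_suites: List[int]  # offered cipher suite identifiers


def _parse_sni(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a server_name extension body, or None."""
    list_len = struct.unpack("!H", data[0:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:  # 0 = host_name
            return name.decode("ascii", errors="replace")
    return None


def parse_client_hello(payload: bytes) -> Optional[ClientHelloInfo]:
    """Parse `payload` (first bytes of a TCP stream) as a TLS ClientHello record.

    Matching on record content instead of port 443 is what lets a DPI engine find SSL
    flows on any destination port. Truncated or malformed input yields None, never an exception.
    """
    try:
        if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
            return None
        if payload[1] != 3 or payload[2] > 4:  # SSL 3.0 .. TLS 1.3 all use record version 3.x
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        body = payload[5:5 + rec_len]
        if len(body) < rec_len or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 0
        version = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + 32                 # client_version, then the 32-byte random
        pos += 1 + hello[pos]         # session_id (length-prefixed)
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]         # compression_methods (length-prefixed)
        sni = None
        if pos + 2 <= len(hello):     # the extensions block is optional
            ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                edata = hello[pos:pos + elen]
                pos += elen
                if etype == EXT_SERVER_NAME and sni is None:
                    sni = _parse_sni(edata)
        return ClientHelloInfo(version, sni, suites)
    except (IndexError, struct.error):
        return None


def build_client_hello(server_name: str, suites: Tuple[int, ...] = (0x1301, 0xC02F)) -> bytes:
    """Hypothetical test helper: a minimal ClientHello record carrying an SNI extension (constructed, not captured)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"  # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                     # one compression method: null
    hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def classify_flows(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, int, str, Optional[str]]]:
    """Label each (client, dst_port, first_payload) flow 'tls' or 'non-tls', with the SNI when present."""
    out = []
    for client, port, payload in flows:
        info = parse_client_hello(payload)
        out.append((client, port, "tls", info.sni) if info else (client, port, "non-tls", None))
    return out


# Constructed sample flows: TLS on 443, TLS on a non-standard port, plain HTTP,
# and a payload that merely starts with TLS-looking bytes.
SAMPLE_FLOWS = [
    ("10.1.1.5", 443, build_client_hello("mail.google.com")),
    ("10.1.1.9", 8443, build_client_hello("login.salesforce.com")),
    ("10.1.1.7", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("10.1.1.8", 443, b"\x16\x03\x01\x00\x10garbage"),
]

if __name__ == "__main__":
    for client, port, kind, sni in classify_flows(SAMPLE_FLOWS):
        print(f"{client} -> :{port:<5} {kind:8} {sni or '-'}")
```

Run stand-alone, the script labels the 8443 flow as TLS to login.salesforce.com, which a port-based rule would have missed, and rejects the truncated record on the last flow instead of raising. In a real deployment the payload would be the first segment of each TCP stream from the tap or SPAN port, and the SNI would be looked up against the organisation's pass-through / verify / intercept policy.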