
SSL Manager Certificate Verification Engine

Websense Content Gateway

v7.6.2

February, 2012


Copyright © 1996-2012 Yahoo, Inc., and Websense, Inc. All rights reserved.

This document contains proprietary and confidential information of Yahoo, Inc. and Websense, Inc. The contents of this document may not be disclosed to third parties, copied, or duplicated in any form, in whole or in part, without prior written permission of Websense, Inc.

Websense, the Websense Logo, ThreatSeeker and the YES! Logo are registered trademarks of Websense, Inc. in the United States and/or other countries. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., and Yahoo, Inc. make no warranties with respect to this documentation and disclaim any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Traffic Server is a trademark or registered trademark of Yahoo! Inc. in the United States and other countries.

Red Hat is a registered trademark of Red Hat Software, Inc.

Linux is a registered trademark of Linus Torvalds.

Microsoft, Windows, Windows NT, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Mozilla and Firefox are registered trademarks of the Mozilla Foundation.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and in other countries.

UNIX is a registered trademark of AT&T.

All other trademarks are property of their respective owners.


Use, duplication, or disclosure of the technical data contained in this document by the Government is subject to restrictions as set forth in subdivision (c) (1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 52.227-7013 and/or in similar or successor clauses in the FAR, or in the DOD or NASA FAR Supplement. Unpublished rights reserved under the Copyright Laws of the United States. Contractor/manufacturer is Websense, Inc, 10240 Sorrento Valley Parkway, San Diego, CA 92121.

Portions of Websense Content Gateway include third-party technology used under license. Notices and attribution are included elsewhere in this manual.

The Websense® Web Security Gateway proxy component, Content Gateway, includes a feature called SSL Manager. SSL Manager oversees SSL and TLS (HTTPS) connections: decryption, analysis of the decrypted content, and re-encryption.

This article describes the most effective use of the Certificate Verification Engine, a sub-component of SSL Manager. The Certificate Verification Engine ensures that only those connections that comply with your organization’s IT security requirements for certificate verification are allowed.

This guide includes:

Overview
SSL Manager Certificate Verification Engine (CVE)
CVE Best Practices
Certificate Verification Failures and Remediation Options
Troubleshooting Certificate Verification Failures
Frequently Asked Questions
Known Issues
Additional Resources
Glossary

For general information on SSL Manager, see Working with Encrypted Data in the Websense Technical Library. (Several articles follow in a sequence. Use the right-pointing navigation button at the top and bottom of each article.)

Overview

The SSL and TLS protocols used by HTTPS Web traffic are the standard for establishing secure connections and transmitting data securely on the Internet.

Although SSL and TLS are strong protocols, a mismanaged HTTPS deployment can be compromised in ways that leave it exposed to many of the same security problems found in plain HTTP traffic.

An essential part of the SSL/TLS handshake is the exchange of digital certificates, through which the server proves its identity to the client (and, when client certificates are used, the client proves its identity to the server).

Content Gateway performs these verification checks, and which checks are applied is configurable.

In the following list, quoted field names (“ ”) are those used by Internet Explorer Version 8 (IE8).

Common verification checks include:

1. The certificate must be issued by a trusted Certificate Authority (CA).

2. The fully qualified hostname in the HTTPS request URL and the certificate owner (“Issued to” name) must match. Exceptions are explained in the SSL Manager Certificate Verification Engine (CVE) section. (Browsers of this era matched the common name; current certificates carry the hostname in the Subject Alternative Name extension, which is what modern validators match first.)

3. The certificate must be current (within its “Valid from...to...” date range).

4. The certificate must not have been revoked, as determined from a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) response.

5. Checks 1, 3 and 4 are applied to every certificate in the trust chain, up to the trusted root. Check 2 applies only to the server certificate; an intermediate CA's name is not expected to match the requested hostname.

Below is a certificate as it appears in IE8. The numbers in red correspond to checks in the preceding list.


SSL Manager Certificate Verification Engine (CVE)

Before an HTTPS connection is established, it is the job of the Certificate Verification Engine to verify that the certificate chain offered by the destination HTTPS server is legitimate and meets the configured set of verification conditions.

To turn on the CVE:

Enable the certificate verification engine

Verification options:

Deny certificates where the common name does not match the URL
Allow wildcard certificates
No expired or not yet valid certificates (default option)
Verify entire certificate chain (default option)
Check certification revocation by CRL (default option)
Check certification revocation by OCSP
Preferred method for revocation check
Block certificates with no CRL or with unknown OCSP state

For Help system documentation on the CVE, see Validating certificates.

Configuration options are set in Content Gateway Manager on the Configure > SSL > Validation > General page. The illustration below shows the page with the default settings.

If you plan to use the CVE, be sure to acquaint yourself with these topics:

Troubleshooting certificate verification failures
Certificate Verification Failures and Remediation Options
SSL transaction logging

CVE configurations

This section describes a phased approach to deploying certificate verification.

It is recommended that in addition to the production environment, Content Gateway be installed in a controlled test environment in which phased configuration can be tested and monitored, and problems remediated and tested again. When the test environment is functioning as desired, the configuration can be rolled out to the production environment with continued monitoring and testing.

The starting point assumes that Content Gateway is stable and SSL Manager is off.

The phases of SSL Manager and CVE deployment include:

1. Enabling SSL Manager.

2. Enabling the CVE with only the certificate revocation (CRL) check enabled.

3. Adding CVE checks to the configuration as needed.

Enabling SSL Manager

Before enabling SSL Manager, verify that Content Gateway:

Is installed in a supported environment that includes a network test segment
Is passing explicit or transparent traffic as expected
Is integrated with Web Security, including Scanning options set and policy applied as expected
Is handling HTTP traffic as expected
Is stable:
  The performance monitoring graphs show a predictable ramp-up in traffic with no unexplained traffic spikes
  All mission-critical Web sites and Web-hosted applications have been validated to work properly through the proxy

When the above conditions are met:

Enable SSL Manager.

Confirm that HTTPS traffic is passing through Content Gateway.

Verify that clients are not receiving certificate errors in the browser. If they are, see these instructions on installing the Internal Root CA.

Test by accessing several sites that are commonly used in your organization.

Check certification revocation by OCSP / Preferred method for revocation check

In versions 7.6.0 and 7.6.2, the “Preferred method for revocation check” option has no effect: the CRL check is always performed first.

Block certificates with no CRL or with unknown OCSP state

Many certificates carry no CRL distribution point or OCSP responder URL, so this option can produce a large number of “Unknown revocation state” errors. For this reason, its use is not recommended in versions up to and including 7.6.2. The CVE logic for this option will change in a future release.
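The checks listed in the Overview and the options described above combine into one allow-or-deny decision per connection. The following model is an added example written for this article, not Websense code: the certificate fields, option names, sample certificates and revocation data are all assumptions constructed for illustration. It walks the chain, applies the common-name and wildcard rules, consults the CRL before OCSP as 7.6.x does, and shows how a certificate with no revocation pointers becomes an “Unknown revocation state” failure only when the blocking option is on.

```python
# Added example, not Websense code: a model of how the CVE options combine into one decision.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

@dataclass
class Cert:
    subject: str                    # "Issued to" name (common name)
    issuer: str                     # "Issued by" name
    not_before: datetime            # "Valid from"
    not_after: datetime             # "Valid to"
    crl_url: Optional[str] = None   # CRL distribution point, if the certificate carries one
    ocsp_url: Optional[str] = None  # OCSP responder URL, if the certificate carries one

@dataclass
class CveOptions:
    """One flag per option on Configure > SSL > Validation > General; defaults follow the article."""
    deny_cn_mismatch: bool = False          # Deny certificates where the common name does not match the URL
    allow_wildcards: bool = False           # Allow wildcard certificates
    deny_expired: bool = True               # No expired or not yet valid certificates
    verify_chain: bool = True               # Verify entire certificate chain
    check_crl: bool = True                  # Check certification revocation by CRL
    check_ocsp: bool = False                # Check certification revocation by OCSP
    block_unknown_revocation: bool = False  # Block certificates with no CRL or with unknown OCSP state

# Stand-in for fetched revocation data (constructed): URL -> subjects reported as revoked.
# A URL missing from the dict means the CRL could not be fetched or the responder gave no answer.
RevData = Dict[str, Set[str]]

def revocation_status(cert: Cert, opts: CveOptions, crls: RevData, ocsp: RevData) -> str:
    """"good", "revoked" or "unknown". The CRL is always consulted first, as in 7.6.x, so the
    "Preferred method for revocation check" option has nothing to decide and is not modelled."""
    if opts.check_crl and cert.crl_url in crls:
        return "revoked" if cert.subject in crls[cert.crl_url] else "good"
    if opts.check_ocsp and cert.ocsp_url in ocsp:
        return "revoked" if cert.subject in ocsp[cert.ocsp_url] else "good"
    return "unknown"  # no CRL/OCSP pointer in the certificate, or no usable answer from it

def hostname_matches(hostname: str, name: str, allow_wildcards: bool) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label; a wildcard never
    matches an IP literal or a whole top-level domain such as "*.test"."""
    hostname, name = hostname.lower().rstrip("."), name.lower().rstrip(".")
    if hostname == name:
        return True
    if not allow_wildcards or not name.startswith("*.") or "*" in name[2:]:
        return False
    if ":" in hostname or hostname.replace(".", "").isdigit():  # IPv6 or IPv4 literal
        return False
    suffix = name[1:]  # "*.example.test" -> ".example.test"
    return suffix.count(".") >= 2 and hostname.endswith(suffix) and hostname.count(".") == suffix.count(".")

def verify(hostname: str, chain: List[Cert], trust_store: Set[str], opts: CveOptions,
           crls: RevData, ocsp: RevData, now: datetime) -> List[str]:
    """chain[0] is the server certificate, followed by its intermediates in issuing order.
    Returns the verification failures; an empty list means the connection is allowed."""
    failures: List[str] = []
    if opts.deny_cn_mismatch and not hostname_matches(hostname, chain[0].subject, opts.allow_wildcards):
        failures.append(f"{chain[0].subject}: common name does not match {hostname}")
    for lower, upper in zip(chain, chain[1:]):  # each certificate must be issued by the next one
        if lower.issuer != upper.subject:
            failures.append(f"{lower.subject}: issuer {lower.issuer} is not the next certificate in the chain")
    if chain[-1].issuer not in trust_store:  # and the top of the chain by a CA in the trusted store
        failures.append(f"{chain[-1].subject}: issuer {chain[-1].issuer} is not a trusted CA")
    for cert in (chain if opts.verify_chain else chain[:1]):  # per-certificate date and revocation checks
        if opts.deny_expired and not cert.not_before <= now <= cert.not_after:
            failures.append(f"{cert.subject}: outside its validity period")
        if opts.check_crl or opts.check_ocsp:
            status = revocation_status(cert, opts, crls, ocsp)
            if status == "revoked":
                failures.append(f"{cert.subject}: revoked")
            elif status == "unknown" and opts.block_unknown_revocation:
                failures.append(f"{cert.subject}: unknown revocation state")
    return failures

# Constructed sample data: a trusted root, one intermediate, and two server certificates,
# only one of which carries a CRL distribution point.
UTC = timezone.utc
NOW = datetime(2012, 2, 15, tzinfo=UTC)
TRUST_STORE = {"Example Root CA"}
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", datetime(2010, 1, 1, tzinfo=UTC),
                    datetime(2020, 1, 1, tzinfo=UTC), crl_url="http://crl.example.test/root.crl")
WILD_LEAF = Cert("*.example.test", "Example Issuing CA", datetime(2011, 6, 1, tzinfo=UTC),
                 datetime(2013, 6, 1, tzinfo=UTC), crl_url="http://crl.example.test/issuing.crl")
BARE_LEAF = Cert("mail.example.test", "Example Issuing CA", WILD_LEAF.not_before, WILD_LEAF.not_after)
CRLS: RevData = {"http://crl.example.test/root.crl": set(), "http://crl.example.test/issuing.crl": set()}
OCSP: RevData = {}

def demo() -> Dict[str, List[str]]:
    """The sample chains run through the option combinations discussed in the article."""
    wild, bare = [WILD_LEAF, INTERMEDIATE], [BARE_LEAF, INTERMEDIATE]
    cn_only = CveOptions(deny_cn_mismatch=True)
    cn_wild = CveOptions(deny_cn_mismatch=True, allow_wildcards=True)
    block_unknown = CveOptions(block_unknown_revocation=True)
    return {
        "defaults": verify("www.example.test", wild, TRUST_STORE, CveOptions(), CRLS, OCSP, NOW),
        "cn_without_wildcards": verify("www.example.test", wild, TRUST_STORE, cn_only, CRLS, OCSP, NOW),
        "cn_with_wildcards": verify("www.example.test", wild, TRUST_STORE, cn_wild, CRLS, OCSP, NOW),
        "two_labels_under_wildcard": verify("a.b.example.test", wild, TRUST_STORE, cn_wild, CRLS, OCSP, NOW),
        "no_revocation_pointers": verify("mail.example.test", bare, TRUST_STORE, block_unknown, CRLS, OCSP, NOW),
        "untrusted_root": verify("www.example.test", wild, set(), CveOptions(), CRLS, OCSP, NOW),
    }
```

Two things the model makes visible: “Allow wildcard certificates” only matters once the common-name check is on (the wildcard chain passes the defaults either way), and the blocking option denies a perfectly valid certificate purely because it carries no CRL or OCSP pointer, which is why the article advises against it in 7.6.x.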

CVE with Verification Bypass enabled

An additional option is SSL Manager Verification Bypass (Configure > SSL > Validation > Verification Bypass). With this option, when certificate verification fails the user is shown a warning page describing the failure and is offered the choice to go to the site anyway.

Advantages include:

Certificate verification is performed and incidents are logged, but users aren’t blocked. Users are allowed to make the decision about whether a site is safe.

Administrators can see how the CVE affects the network before allowing it to impact users or require an administrator response.

By monitoring the Incident List, administrators can put remediation actions in place before enforcing certificate verification and impacting users.

Verification bypass provides a response to users that is much like the warning dialogs used by common browsers.

Disadvantages include:

Security is weakened because the decision to proceed despite a failed verification is left to the user.

If the failed HTTPS request is for an object embedded in a page (or in another page) rather than for the page itself, the bypass page may not render, so the user is never offered the choice.

Best practices summary

After Content Gateway is deployed, quickly identify and resolve Web applications that have problems transiting the proxy.

Work in a test environment.

Turn on SSL Manager, monitor, test, and stabilize.

Turn on CVE checks one at a time, test, monitor, remediate, and retest.

Roll out the configuration to a subset of users.

To reduce administrative overhead, do not enable checks that aren’t required by your IT security policy.


The primary remediation options include:

1. Correcting the certificate problem. See Troubleshooting certificate verification failures and the SSL Manager trusted certificate store.

2. Bypassing certificate verification via SSL Decryption bypass, the SSL Manager Incident List, or another bypass option. See Bypass options.

3. Enabling or disabling CVE options.

4. Using the CVE Verification Bypass option to give users the ability to proceed to a site after certificate verification fails.
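Remediation option 1 begins with establishing which check failed. The following script is an added example, not part of the Websense documentation: it reproduces checks 1 to 4 with the openssl command line driven from Python (assumed: OpenSSL 1.1 or later on PATH). The root CA, hostnames and CRL URL are constructed test data that the script generates itself so that it runs offline; for a real incident, point the functions at the server chain captured with openssl s_client -connect host:443 -showcerts and at an export of the CAs in the SSL Manager trusted certificate store.

```python
# Added example, not from the Websense document: CVE checks 1-4 reproduced with the openssl CLI.
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

def openssl(*args: str, **kwargs) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True, **kwargs)

def make_test_chain(work: Path) -> None:
    """Constructed test data: 'Example Root CA' signs a wildcard certificate that carries a CRL
    distribution point, and a plain certificate that carries no revocation pointers at all."""
    (work / "ca.ext").write_text("basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n")
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Example Root CA",
            "-keyout", str(work / "ca.key"), "-out", str(work / "ca.csr"), check=True)
    openssl("x509", "-req", "-in", str(work / "ca.csr"), "-signkey", str(work / "ca.key"), "-days", "30",
            "-extfile", str(work / "ca.ext"), "-out", str(work / "ca.pem"), check=True)
    leaves = {
        "wild": ("*.example.test", "subjectAltName=DNS:*.example.test\n"
                                   "crlDistributionPoints=URI:http://crl.example.test/root.crl\n"),
        "bare": ("mail.example.test", "subjectAltName=DNS:mail.example.test\n"),
    }
    for name, (cn, extensions) in leaves.items():
        (work / f"{name}.ext").write_text(extensions)
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                "-keyout", str(work / f"{name}.key"), "-out", str(work / f"{name}.csr"), check=True)
        openssl("x509", "-req", "-in", str(work / f"{name}.csr"), "-CA", str(work / "ca.pem"),
                "-CAkey", str(work / "ca.key"), "-CAcreateserial", "-days", "30",
                "-extfile", str(work / f"{name}.ext"), "-out", str(work / f"{name}.pem"), check=True)

def issued_by_trusted_ca(trusted: Path, cert: Path) -> bool:
    """Check 1 (and 5): the chain must end at a CA in the given store; the system store is ignored."""
    return openssl("verify", "-no-CApath", "-no-CAfile", "-CAfile", str(trusted), str(cert)).returncode == 0

def name_matches(trusted: Path, cert: Path, hostname: str) -> bool:
    """Check 2: the requested hostname must match the certificate (SAN first, else CN).
    openssl verifies the chain at the same time, so check 1 must also pass here."""
    return openssl("verify", "-no-CApath", "-no-CAfile", "-CAfile", str(trusted),
                   "-verify_hostname", hostname, str(cert)).returncode == 0

def is_current(cert: Path) -> bool:
    """Check 3 (the expiry half): -checkend 0 fails if the certificate has already expired.
    The 'not yet valid' half is read from 'openssl x509 -noout -startdate'."""
    return openssl("x509", "-in", str(cert), "-noout", "-checkend", "0").returncode == 0

def revocation_urls(cert: Path) -> List[str]:
    """Check 4: where revocation status could be looked up. An empty list means the certificate
    carries neither a CRL distribution point nor an OCSP responder URL, which the CVE reports
    as 'Unknown revocation state' and the blocking option turns into a denial."""
    text = openssl("x509", "-in", str(cert), "-noout", "-text", check=True).stdout
    return re.findall(r"URI:(\S+)", text)

def diagnose(trusted: Path, cert: Path, hostname: str) -> Dict[str, object]:
    """One row of findings per incident: which of the four checks the certificate passes."""
    return {"trusted_issuer": issued_by_trusted_ca(trusted, cert),
            "name_matches": name_matches(trusted, cert, hostname),
            "current": is_current(cert),
            "revocation_urls": revocation_urls(cert)}

def run_demo() -> Dict[str, Dict[str, object]]:
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        make_test_chain(work)
        ca, wild, bare = work / "ca.pem", work / "wild.pem", work / "bare.pem"
        return {
            "wildcard_host": diagnose(ca, wild, "www.example.test"),
            "two_labels_under_wildcard": diagnose(ca, wild, "a.b.example.test"),
            "no_revocation_pointers": diagnose(ca, bare, "mail.example.test"),
            "ca_not_in_store": diagnose(bare, wild, "www.example.test"),  # a "store" lacking the issuer
        }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

The last case reproduces the most common incident seen after enabling the CVE: the server's issuing CA is simply absent from the trusted store, so remediation is to add the CA certificate to Configure > SSL > Certificates rather than to bypass the site. The no_revocation_pointers case shows a certificate that is otherwise valid and would be blocked only by the “Block certificates with no CRL or with unknown OCSP state” option.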


SSL Manager trusted certificate store

When version 7.6 of Content Gateway is installed, all Certificate Authorities trusted by Internet Explorer 7 are included in the SSL Manager trusted certificate store.

The list is accessed in Content Gateway Manager on the Configure > SSL > Certificates > Certificate Authorities tab.

SSL Manager trusts destination servers (the targets of outbound traffic from SSL Manager) whose certificates chain to a CA in this list. Note that a lowercase “i” appears before the names of CAs whose certificates can be validated via CRL (certificate revocation lists) or OCSP (Online Certificate Status Protocol); these certificates carry URLs where their revocation status can be checked. See Keeping revocation information up to date.

You can manually add, delete, or change the status of a certificate.

SSL Manager checks the revocation status of a certificate for both inbound and outbound traffic.

Help system information on SSL Manager certificate management starts here.

SSL transaction logging

SSL transaction logging is described here.

Bypass options

Bypass is the term used to describe several methods of specifically allowing a request to circumvent (bypass) all or selected features of Content Gateway. Full proxy bypass is often called tunneling.

In this discussion, take note of whether a bypass affects:

Only certificate verification
Certificate verification and SSL decryption
Complete bypass of Content Gateway

These are the primary bypass methods:

TRITON – Web Security SSL decryption bypass (category and destination hostname/IP address)
The Content Gateway SSL Manager Incident List
Content Gateway ARM bypass (transparent proxy)
Explicit proxy PAC file bypass
Transparent proxy routing device ACL bypass
Allow users to continue after failure (Configure > SSL > Validation > Verification Bypass)

TRITON – Web Security SSL Decryption Category bypass and Hostname/IP address bypass

In TRITON – Web Security you can specify categories, hostnames, or IP addresses of Web sites for which SSL decryption and inspection are not performed.

See SSL Decryption Bypass.

If Content Gateway is set up as an explicit proxy, requests covered by SSL decryption bypass are not decrypted, so SSL Manager performs no certificate verification on them and verification is left to the settings of the client browser. This is the best practice for bypass in explicit proxy deployments.
