Technical Webcast Live Q&A - SSL Decryption Best Practices (June 28, 2016)


  • Technical Webcast Live Q&A - SSL Decryption Best Practices (June 28, 2016)

    Thank you for joining our Technical Webcast today on SSL Decryption Best Practices. We trust you found the material engaging and informative!

    Do you have any follow-up questions from today's session? Simply REPLY to this thread and today's presenter, Dennis Pike, will be standing by to answer your questions live and in person, and don't forget one lucky poster will receive a Blue Coat Swag Package just for asking a question!


  • #2
    Dear BlueCoat,

    With ProxySG, where do I need to apply policy for SSL traffic (SSL Access Layer or Web Access Layer)?

    What are the best practices for the ~100% CPU increase when I enable SSL Decrypt in ProxySG?

    Thank You.



    • #3
      Dear,
      In VPM I can configure the SSL access layer, with the encrypted tap license, to send all decrypted traffic out on an interface.

      How can I send the clear HTTP traffic out on the same interface?

      Thanks



      • #4
        Hi,

        Certificate pinning is becoming a more common industry practice. Any plans to address it on ProxySG similarly to SSLVA, i.e. to provide a maintained list of "unsupported" websites that can be used in policy by default?

        Thanks!



        • #5
          Are there any plans to include functionality in the ProxySG to detect specific non-protocol-compliant applications like Skype, so we can bypass that traffic in policy without using tunnel on protocol error?



          • #6
            What is the most common mistake you see admins make when implementing SSL interception? Is it misunderstanding what the SG can and can't see in explicit versus transparent deployments, or something else?



            • #7
              Originally posted by tiendatdtvt:
              Dear BlueCoat,

              With ProxySG, where do I need to apply policy for SSL traffic (SSL Access Layer or Web Access Layer)?

              What are the best practices for the ~100% CPU increase when I enable SSL Decrypt in ProxySG?

              Thank You.

              SSL Intercept is for policy around what to decrypt or not decrypt.
              SSL Access is for policy around what to allow or deny based on SSL data (server cert, client cert, etc.).
              Once you decrypt the SSL, all the other layers apply to the HTTP inside.

              Best practice for CPU increase is to assume a 10-15% CPU increase if HTTPS is 20% or less of your traffic. If you are more than 20%, then CPU will be higher. If you have lots of DHE-based traffic or large keys it will be higher. Most commonly, if you don't have the wildcard cert splash text caching policy in place, then you will see higher CPU.



              • #8
                Originally posted by Alberto:
                Dear,
                In VPM I can configure the SSL access layer, with the encrypted tap license, to send all decrypted traffic out on an interface.

                How can I send the clear HTTP traffic out on the same interface?

                Thanks

                No, just HTTPS and stunnel traffic.



                • #9
                  Originally posted by skeptic:
                  Hi,

                  Certificate pinning is becoming a more common industry practice. Any plans to address it on ProxySG similarly to SSLVA, i.e. to provide a maintained list of "unsupported" websites that can be used in policy by default?

                  Thanks!

                  Good question. Since pinning is a client-side decision it is hard to dynamically bypass on the proxy or SSLV. It is also hard to put together a list of unsupported websites since pinning is commonly client / user agent dependent. There is a list on SSLV which has pinned sites on it, but it does not cover all pinned sites.



                  • #10
                    We have both SG and SSLVA. I know that they are on the roadmap to integrate, but do you have any customers using these in tandem?
                    i.e., using SG for HTTP and then using SSLVA for all SSL. Our SGs are transparent and currently we don't intercept SSL.
                    And can SSLVA logs be sent to Reporter like SG logs?
                    Thx Dennis.
                    Last edited by CharlesT; 06-28-2016, 04:49 PM.



                    • #11
                      Originally posted by Christopher_Thayer:
                      Are there any plans to include functionality in the ProxySG to detect specific non-protocol-compliant applications like Skype, so we can bypass that traffic in policy without using tunnel on protocol error?

                      Because every customer is different and each type of non-protocol-compliant traffic breaks for different reasons, it is difficult to put together this type of feature. From a security perspective it is likely good to break non-compliant traffic, evaluate it and bypass selectively, although I understand this is cumbersome.



                      • #12
                        Originally posted by paul_techpubs:
                        What is the most common mistake you see admins make when implementing SSL interception? Is it misunderstanding what the SG can and can't see in explicit versus transparent deployments, or something else?

                        The most common mistake is not understanding the requirement to have the signing certificates on SG or SSLV be trusted by all impacted end users.



                        • #13
                          Hi,

                          Can ProxySG selectively copy or forward SSL traffic to a different path? Like proxy chaining, but based on protocol? Without decryption. Thanks
                          Last edited by piotr.borkowski@veracomp.pl; 06-28-2016, 05:24 PM. Reason: Clarification



                          • #14
                            Originally posted by CharlesT:
                            We have both SG and SSLVA. I know that they are on the roadmap to integrate, but do you have any customers using these in tandem?
                            i.e., using SG for HTTP and then using SSLVA for all SSL. Our SGs are transparent and currently we don't intercept SSL.
                            And can SSLVA logs be sent to Reporter like SG logs?
                            Thx Dennis.

                            Yes, you can double decrypt, which is what I mostly see, or only decrypt traffic the other device didn't decrypt. See more details on page 20 of this document:
                            https://bto.bluecoat.com/sites/defau...min_3921_0.pdf

                            SSLV logs cannot be sent to Reporter / Management Center today, but my understanding is that this is in the works. For details on future features contact your local account team.


                            • #15
                              Originally posted by piotr.borkowski@veracomp.pl:
                              Hi,

                              Can ProxySG selectively copy or forward SSL traffic to a different path? Like proxy chaining, but based on protocol? Without decryption. Thanks

                              I believe you can only do this as a server-level forward, not a proxy forward. For a server-level forward you can do a TCP forward on port 443. You would have a limited set of policy gestures since you aren't decrypting.
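Posts #9 and #15 both come down to what policy can act on before anything is decrypted: the TLS ClientHello is plaintext, so its Server Name Indication and offered cipher suites are visible even on a non-decrypting forward, and a bypass list of pinned sites can be checked against that name. The following Python is an added illustration, not Blue Coat's or the ProxySG's code: it builds a constructed ClientHello record inline, parses the SNI and cipher suites back out, and applies a hypothetical bypass set (`PINNED_BYPASS` is an assumed name, not a product feature).

```python
import struct

# Constructed sample builder: a minimal TLS 1.2 ClientHello record with an
# SNI extension and the given cipher suites (not captured traffic).
def build_client_hello(host: str, suites: list) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, no session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Extract SNI and offered cipher suites; everything here is plaintext."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    p = 9 + 2 + 32                                   # headers, client version, random
    p += 1 + record[p]                               # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                               # compression methods
    sni = None
    if p + 2 <= len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            if etype == 0x0000:                      # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + name_len].decode()
            p += elen
    return {"sni": sni, "cipher_suites": suites}

# Hypothetical bypass list standing in for the pinned-site list the thread mentions.
PINNED_BYPASS = {"pinned.example"}

def intercept_decision(record: bytes) -> str:
    """Decide tunnel vs. intercept from the ClientHello alone."""
    sni = parse_client_hello(record)["sni"]
    return "tunnel" if sni in PINNED_BYPASS else "intercept"

if __name__ == "__main__":
    rec = build_client_hello("pinned.example", [0xC02F, 0x009E, 0x002F])
    print(parse_client_hello(rec), intercept_decision(rec))
```

Anything beyond the SNI and the offered suites (the server certificate, the HTTP inside) only becomes available to policy once the session is actually intercepted, which is the limit the answer above describes.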
