Difference between revisions of "Setup HTTPS Inspection"

From Secure Web Gateway
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:


= Overview =
== Overview ==


Over the couple of years, the internet is changing its dimensions in terms of security. The web is shifting towards [https://en.wikipedia.org/wiki/HTTPS HTTPS], to deliver secure services to users. “The main motivation for HTTPS is [https://en.wikipedia.org/wiki/Authentication authentication] of the visited [https://en.wikipedia.org/wiki/Website website] and protection of the [https://en.wikipedia.org/wiki/Information_privacy privacy] and [https://en.wikipedia.org/wiki/Data_integrity integrity] of the exchanged data”.  The authentication happens based on public key of website verified by client browser using trusted certificate authority. So, the users know, they are talking to right websites and their data is safe.
Over the couple of years, the internet is changing its dimensions in terms of security. The web is shifting towards [https://en.wikipedia.org/wiki/HTTPS HTTPS], to deliver secure services to users. “The main motivation for HTTPS is [https://en.wikipedia.org/wiki/Authentication authentication] of the visited [https://en.wikipedia.org/wiki/Website website] and protection of the [https://en.wikipedia.org/wiki/Information_privacy privacy] and [https://en.wikipedia.org/wiki/Data_integrity integrity] of the exchanged data”.  The authentication happens based on public key of website verified by client browser using trusted certificate authority. So, the users know, they are talking to right websites and their data is safe.
Line 16: Line 16:
 
 


= Client Scenario =
== Client Scenario ==


The director of network security in a financial organization wants to protect the enterprise network from any external threats coming from the web in the form of malware. To accomplish this, the director appoints Network administrator to make sure the computer network is upto date and operating as intended. The Network administrator needs to gain visibility into these sites otherwise bypass encrypted traffic and control access to malicious websites. The Network administrator should do the following:
The director of network security in a financial organization wants to protect the enterprise network from any external threats coming from the web in the form of malware. To accomplish this, the director appoints Network administrator to make sure the computer network is upto date and operating as intended. The Network administrator needs to gain visibility into these sites otherwise bypass encrypted traffic and control access to malicious websites. The Network administrator should do the following:
Line 25: Line 25:
*Identify end users (employees) in the enterprise who are accessing malicious websites and block internet access for these users or block the harmful URLs.  
*Identify end users (employees) in the enterprise who are accessing malicious websites and block internet access for these users or block the harmful URLs.  


= Solution =
== Solution ==


To achieve all of the above, the Network administrator should set up a SafeSquid Secure Web Gateway (SWG) in the organization. The proxy server checks all the encrypted and unencrypted traffic passing through the enterprise network. It prompts for user authentication, and associates the traffic with a user. URL categories can be specified to block access to Illegal/Harmful, Adult, Malware and SPAM websites.
To achieve all of the above, the Network administrator should set up a SafeSquid Secure Web Gateway (SWG) in the organization. The proxy server checks all the encrypted and unencrypted traffic passing through the enterprise network. It prompts for user authentication, and associates the traffic with a user. URL categories can be specified to block access to Illegal/Harmful, Adult, Malware and SPAM websites.
Line 31: Line 31:
 
 


= Benefits of HTTPS inspection =
== Benefits of HTTPS inspection ==
<ul style="list-style-type:circle;">
<ul style="list-style-type:circle;">
<li>You can forbid use of personal google account for any google application like Gmail, YouTube, etc.</li>
<li>You can forbid use of personal google account for any google application like Gmail, YouTube, etc.</li>
Line 43: Line 43:
&nbsp;
&nbsp;


= Configure the HTTPS inspection&nbsp; =
== Configure the HTTPS inspection&nbsp; ==


== Generate SSL&nbsp;(Self-Signed) certificates from self service portal ==
[[File:Https inspection flow.PNG|center|Setup HTTPS inspection|link=|alt=Setup HTTPS inspection]]
 
=== Generate SSL&nbsp;(Self-Signed) certificates from self service portal ===


You have to generate SSL certificate&nbsp;from self-service portal&nbsp;before configuring HTTPS inspection.&nbsp;
You have to generate SSL certificate&nbsp;from self-service portal&nbsp;before configuring HTTPS inspection.&nbsp;
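Review bot: the image added under `== Configure the HTTPS inspection&nbsp; ==` is still `Https inspection flow.PNG`, but its caption and alt text now read "Setup HTTPS inspection", so the text no longer says what the picture shows; keep "HTTPS inspection flow" as the alt text, or add a sentence that introduces the diagram. The heading also keeps a trailing `&nbsp;` before the closing `==`, which is worth dropping while the line is being touched.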
Line 52: Line 54:
*[[Download_SSL_Certificate_From_Interface|Download ]][[Download_SSL_Certificate_From_Interface|SSL ]][[Setting_up_SSL_certificates_from_Self_Service_Portal|(Self Signed)]][[Download_SSL_Certificate_From_Interface|Certificate from SafeSquid User Interface]]  
*[[Download_SSL_Certificate_From_Interface|Download ]][[Download_SSL_Certificate_From_Interface|SSL ]][[Setting_up_SSL_certificates_from_Self_Service_Portal|(Self Signed)]][[Download_SSL_Certificate_From_Interface|Certificate from SafeSquid User Interface]]  


== Importing SafeSquid&nbsp;SSL certificate into your browser ==
=== Importing SafeSquid&nbsp;SSL certificate into your browser ===


When SafeSquid is installed in your network with HTTPS inspection enabled&nbsp;and SSL certificate not installed&nbsp;into the browser, then you will get an error while accessing the HTTPS websites. You have to install SafeSquid SSL certificate&nbsp;into the browsers.
When SafeSquid is installed in your network with HTTPS inspection enabled&nbsp;and SSL certificate not installed&nbsp;into the browser, then you will get an error while accessing the HTTPS websites. You have to install SafeSquid SSL certificate&nbsp;into the browsers.
Line 59: Line 61:
*[[Importing_Your_SSL_Certificate_Into_Internet_Explorer_or_Chrome|Importing into Internet Explorer Or Chrome Browser]]  
*[[Importing_Your_SSL_Certificate_Into_Internet_Explorer_or_Chrome|Importing into Internet Explorer Or Chrome Browser]]  


== [[Enabling_HTTPS_inspection_on_SafeSquid_User_Interface|Enabling HTTPS inspection on SafeSquid User Interface]] ==
=== [[Enabling HTTPS inspection on SafeSquid User Interface]] ===
 
= [[How_does_HTTPS_work?|How does HTTPS work?]] =


= [[How_does_HTTPS_inspection_work_with_SafeSquid?|How does HTTPS inspection work with SafeSquid?]] =
=== [[How does HTTPS work?]] ===


[[File:Https inspection flow.PNG|center|Https inspection flow|link=|alt=HTTPS inspection flow]]
=== [[How does HTTPS inspection work with SafeSquid?]] ===


= Troubleshooting =
== Troubleshooting ==


#[http://2017.swg.safesquid.com/wiki/SSL_certificate_downloaded_with_zero_size_OR_unable_to_download_SSL_certificate SSL certificate&nbsp;downloaded&nbsp;with&nbsp;zero&nbsp;&nbsp;size&nbsp;OR&nbsp;unable&nbsp;to&nbsp;download&nbsp;SSL&nbsp;certificate]  
#[https://docs.safesquid.com/wiki/SSL_certificate_downloaded_with_zero_size_OR_unable_to_download_SSL_certificate SSL certificate&nbsp;downloaded&nbsp;with&nbsp;zero&nbsp;&nbsp;size&nbsp;OR&nbsp;unable&nbsp;to&nbsp;download&nbsp;SSL&nbsp;certificate ]
#[[Application_not_working_with_HTTPS_inspection|Application not working with HTTPS inspection]]  
#[[Application_not_working_with_HTTPS_inspection|Application not working with HTTPS inspection]]  
#[[SSL_certification_errors|SSL certification errors]]  
#[[SSL_certification_errors|SSL certification errors]]  
#[http://2017.swg.safesquid.com/wiki/Certificate_manageability Certificate&nbsp;manageability]  
#[https://docs.safesquid.com/wiki/Certificate_manageability Certificate&nbsp;manageability ]


= See Also =
== See Also ==


#[http://2017.swg.safesquid.com/wiki/How_to_integrate_AD_or_OpenLDAP_with_SafeSquid Integrate AD or OpenLDAP with SafeSquid]  
#[https://docs.safesquid.com/wiki/How_to_integrate_AD_or_OpenLDAP_with_SafeSquid Integrate AD or OpenLDAP with SafeSquid]
#[http://2017.swg.safesquid.com/wiki/How_to_enforce_SafeSearch Enforce Safe Searches]&nbsp;  
#[https://docs.safesquid.com/wiki/How_to_enforce_SafeSearch Enforce Safe Searches]&nbsp;  
#[http://2017.swg.safesquid.com/wiki/How_to_enforce_YouTube_restricted_mode Enforce YouTube Restricted Mode]&nbsp;  
#[https://docs.safesquid.com/wiki/How_to_enforce_YouTube_restricted_mode Enforce YouTube Restricted Mode]&nbsp;  
#[http://2017.swg.safesquid.com/wiki/Defend_Against_Malware_And_External_Attacks Defend Against Malware And External Attacks]  
#[https://docs.safesquid.com/wiki/Defend_Against_Malware_And_External_Attacks Defend Against Malware And External Attacks]


{{Seo|keywords=HTTPS inspection,ssl secure web gateway,monitor ssl traffic|description=Configure HTTPS Inspection on Secure Web Gateway to monitor SSL traffic in your network }}
{{Seo|keywords=HTTPS inspection,ssl secure web gateway,monitor ssl traffic|description=Configure HTTPS Inspection on Secure Web Gateway to monitor SSL traffic in your network }}


[[Category:How To]]
[[Category:How To]]
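Review bot: `[[How does HTTPS work?]]` and `[[How does HTTPS inspection work with SafeSquid?]]` go from top-level `=` headings to `===`, which files them under "Configure the HTTPS inspection" alongside the actual setup steps; they are background reading rather than configuration steps, so `==` would keep them as sections of their own. In the Troubleshooting list, the new `https://docs.safesquid.com/...` links carry a stray space before the closing `]` (`certificate ]`, `manageability ]`) that the other entries do not have.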

Latest revision as of 12:31, 15 June 2022

Overview

Over the past couple of years, the internet has been changing in terms of security. The web is shifting towards HTTPS to deliver secure services to users. “The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data”. Authentication is based on the website's public key, which the client browser verifies using a trusted certificate authority. Users therefore know they are talking to the right website and that their data is safe.

Until 2010, only 20% of websites used the HTTPS protocol and the remaining 80% were on HTTP. This balance started changing from 2010. For example, Google services, including Google Search, earlier ran on HTTP; for security reasons, Google moved its services to HTTPS. This change in the web has thrown up challenges for security vendors and customers, but both are ready for a better web and better security.

HTTP traffic is a plain-text message transfer over the network, so the traffic can be seen and filtered by any device in the middle. Security products perform malware detection and data leak prevention on HTTP traffic to keep users and organizations safe. HTTPS traffic, however, is encrypted: it cannot be seen or filtered without decrypting it, and decryption is only possible by trusted parties.

Decrypting HTTPS traffic for scanning is called HTTPS Inspection. If security products do not scan HTTPS traffic, some users can upload confidential documents to Google Drive and share them wherever they want. Such users can also download a malicious file and spread it on the company network, which can badly hit organizational productivity. Much more can happen, so security experts always recommend using products with HTTPS inspection enabled for enhanced security.

Most older security products implemented before 2010, including SafeSquid NTLM editions, do not have the ability to scan HTTPS traffic. SafeSquid SWG was implemented in 2012 with HTTPS inspection support, and its HTTPS inspection performance has been continually improved with SSL context caching and session resumption techniques.

To perform HTTPS inspection, SafeSquid must have a trusted certificate authority (CA). You can use your enterprise CA as the SafeSquid CA, or you can generate a self-signed CA for your organisation using SafeSquid's Self Service Portal.

 

Client Scenario

The director of network security in a financial organization wants to protect the enterprise network from any external threats coming from the web in the form of malware. To accomplish this, the director appoints a network administrator to make sure the computer network is up to date and operating as intended. The network administrator needs to gain visibility into these sites or otherwise bypass encrypted traffic, and to control access to malicious websites. The network administrator should do the following:

  • Intercept and examine all the traffic, including SSL/TLS (encrypted traffic), coming in and going out of the enterprise network.
  • Bypass interception of requests to websites containing sensitive information, such as user financial information or emails.
  • Block access to harmful URLs identified as serving harmful or adult content.
  • Identify end users (employees) in the enterprise who are accessing malicious websites and block internet access for these users or block the harmful URLs.

Solution

To achieve all of the above, the Network administrator should set up a SafeSquid Secure Web Gateway (SWG) in the organization. The proxy server checks all the encrypted and unencrypted traffic passing through the enterprise network. It prompts for user authentication, and associates the traffic with a user. URL categories can be specified to block access to Illegal/Harmful, Adult, Malware and SPAM websites.

 

Benefits of HTTPS inspection

  • You can forbid the use of personal Google accounts for any Google application such as Gmail, YouTube, etc.
  • You can permit users with bypass privilege to access Facebook in Read Only mode. Users are not allowed to post, share, play games, chat with other Facebook users, post on their timeline, or Like posts made by others.
  • You can enforce SafeSearch for users accessing Google Search, Yahoo Search, Bing Search and YouTube.
  • You can permit the use of Google SSO for login to web applications.
  • You can use virus scanning for both HTTP and HTTPS sites.
  • You can forbid users from uploading files to any website.

 

Configure the HTTPS inspection 

Setup HTTPS inspection

Generate SSL (Self-Signed) certificates from self service portal

You have to generate an SSL certificate from the self-service portal before configuring HTTPS inspection.

Importing SafeSquid SSL certificate into your browser

When SafeSquid is installed in your network with HTTPS inspection enabled and the SafeSquid SSL certificate is not installed in the browser, you will get an error while accessing HTTPS websites. You have to install the SafeSquid SSL certificate in your browsers.
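
Why the browser error above disappears once the certificate is imported, as an added example (not SafeSquid code or output): an inspecting gateway presents site certificates issued by its own CA, so a client accepts them only when that CA is in its trust store. The CA names, host name and file paths are constructed placeholders, and the script needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added illustration: every subject name and file path here is a constructed placeholder.

# Build a throwaway PKI in directory $1:
#   gateway-ca.pem  stand-in for the CA the inspecting gateway signs with
#   other-ca.pem    stand-in for a client trust store that lacks the gateway CA
#   leaf.pem        certificate for www.example.com issued by the gateway CA
make_demo_pki() {
    d=$1
    for ca in gateway other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Example $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/gateway-ca.pem" -CAkey "$d/gateway-ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

# Print "trusted" if certificate $1 chains to the CA bundle $2, else "untrusted".
trust_verdict() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Print the issuer of certificate $1. On a client behind the gateway, the issuer
# shows whether a site was inspected (gateway CA) or bypassed (the site's public CA).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    echo "leaf $(issuer_of "$dir/leaf.pem")"
    echo "client without gateway CA: $(trust_verdict "$dir/leaf.pem" "$dir/other-ca.pem")"
    echo "client with gateway CA:    $(trust_verdict "$dir/leaf.pem" "$dir/gateway-ca.pem")"
    rm -rf "$dir"
}
demo
```
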

Enabling HTTPS inspection on SafeSquid User Interface

How does HTTPS work?

How does HTTPS inspection work with SafeSquid?

Troubleshooting

  1. SSL certificate downloaded with zero size OR unable to download SSL certificate
  2. Application not working with HTTPS inspection
  3. SSL certification errors
  4. Certificate manageability

See Also

  1. Integrate AD or OpenLDAP with SafeSquid
  2. Enforce Safe Searches 
  3. Enforce YouTube Restricted Mode 
  4. Defend Against Malware And External Attacks