1. technology and computing
2. networking
3. vpn and remote access

Decrypt Outbound SSL
Traffic for Passive Security
Device
SSL Visibility Appliance First Steps Guide
Third Party Copyright Notices
© 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,
POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS
APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the
Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue
Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of
a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners.
This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA
REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN
OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND
REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES,
PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER
IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
4/28/2015
Decrypt Outbound SSL Traffic for Passive Security Device
Table of Contents
Table of Contents
3
Decrypt Outbound SSL Traffic for Passive Security Device
4
Passive-Inline Deployment Mode
4
Install SSL Visibility Appliance with Passive Security Device
5
Create a Resigning Certificate
7
Create a Self-Signed Certificate
7
Using CA-Signed Certificates
9
Create Rule to Test Installation
11
Create a Segment for Passive-Inline Mode
12
Add a Segment
12
Activate a Segment
12
Verify Installation
14
Create Rule to Test Decryption
15
Verify Decryption
16
3
Decrypt Outbound SSL Traffic for Passive Security Device
Decrypt Outbound SSL Traffic for Passive Security Device
Follow the steps below to set up the SSL Visibility Appliance to decrypt outbound SSL traffic, and send it, and all other
traffic, to an attached passive security device.
Passive-Inline Deployment Mode
1. Install the SSL Visibility Appliance into the network. See "Install SSL Visibility Appliance with Passive Security
Device" on the next page.
2. Create a self-signed or CA-signed resigning certificate. See "Create a Resigning Certificate" on page 7.
3. Create a ruleset with a catch all action of cut through, and add a rule to cut through traffic to unsupported sites. See
"Create Rule to Test Installation" on page 11.
4. Create a segment for Passive-Inline mode. See "Create a Segment for Passive-Inline Mode" on page 12.
5. Test/verify that the SSL Visibility Appliance is not blocking traffic. Show the results via SSL Session log. See
"Verify Installation" on page 14.
6. Create a rule to decrypt everything from a specific source IP (your laptop). "Create Rule to Test Decryption" on
page 15.
7. Use the SSL Session log to verify that the SSL Visibility Appliance is decrypting properly . See "Verify Decryption"
on page 16.
8. Delete the decryption testing rule, and create your own policies to define what traffic you want to decrypt, reject, or
drop.
4
Decrypt Outbound SSL Traffic for Passive Security Device
Install SSL Visibility Appliance with Passive Security Device
To install the SSL Visibility Appliance with a passive security device in your network, follow the steps below.
Network diagram before SSL Visibility Appliance
Network diagram after installing SSL Visibility Appliance
Tip: For details about initial configuration and licensing of the SSL Visibility Appliance, refer to the Quick Start Guide
that came with your appliance.
1. Connect the Management port on the SSL Visibility Appliance to your management network.
2. Connect port 1 on the SSL Visibility Appliance to your LAN switch.
3. Connect port 2 to the firewall or router.
4. Connect the security device to port 3 on the SSL Visibility Appliance.
5
Decrypt Outbound SSL Traffic for Passive Security Device
Next Step: "Create a Resigning Certificate" on the next page
6
Decrypt Outbound SSL Traffic for Passive Security Device
Create a Resigning Certificate
When an SSL Visibility Appliance is installed inline and is inspecting Outbound SSL traffic, you can have the appliance
resign the SSL certificate. The client must trust the Certificate Authority (CA) used to resign the server certificate; otherwise
it will generate warnings indicating that the SSL session should not be trusted. In order to ensure that the client does trust
the CA used by the SSL Visibility Appliance, use one of the following approaches:
Self-Signed Certificate The SSL Visibility Appliance can generate a CA certificate and keys internally and use these to
resign server certificates. The CA certificate that includes the CA public key can be exported from the SSL Visibility Appliance, and then imported into the trusted CA store on each client; you only have to do this once.
CA-Signed Certificate If the SSL Visibility Appliance is deployed in a network that already has a private public key infrastructure (PKI), this can be used to issue an intermediate CA certificate and keys that can be loaded into the SSL Visibility
Appliance. As the intermediate CA is issued by the enterprise root CA it, will automatically be trusted by all clients in the
enterprise as will all server certificates that are signed by the intermediate CA.
Next Step: "Create a Self-Signed Certificate" below or "Using CA-Signed Certificates" on
page 9
Create a Self-Signed Certificate
The SSL Visibility Appliance can generate a CA certificate and keys internally and use these to resign server certificates.
The CA certificate that includes the CA public key can be exported from the SSL Visibility Appliance, and then imported into
the trusted CA store on each client; you only have to do this once.
Generate the Certificate
1. Select PKI > Resigning Certificate Authorities.
2. In the Local Resigning Certificate Authorities panel, click the Generate Certificate
bringing up the Generate Certificate window.
7
icon to generate a CA,
Decrypt Outbound SSL Traffic for Passive Security Device
3. Enter the basic data required in a CA, including the key size and validity period.
4. Choose Generate self-signed CA.
5. Click OK.
The CA is generated and added to the set of resigning certificate authorities in the system
Export the Certificate
As this CA is self-signed, it will not be trusted by client systems until it has been exported and added to the list of trusted
CAs on the client system.
1. In the Local Resigning Certificate Authorities panel, make sure the certificate you generated is selected.
2. Click the Export Certificate/CSR
icon. A .pem file is created and saved to your Downloads folder.
3. Go to your Downloads folder and verify the .pem file is there (for example, internal_ca.2015-3-9.9-46-22.pem).
Import the Certificate in Each Client
Propagate the certificate to all supported client browsers. One way to do this is to send out the link to the certificate location and instruct users how to install it. Select the following links for browser-specific installation instructions.
n
n
n
n
Microsoft Internet Explorer; see Install SSL Certificate for Microsoft Internet Explorer Browsers
Google Chrome; see Install SSL Certificate for Chrome Browsers
Mozilla Firefox; see Install SSL Certificate for Mozilla Firefox Browsers
Apple Safari; see Install SSL Certificate for Safari Browsers
Next Step: "Create Rule to Test Installation" on page 11
8
Decrypt Outbound SSL Traffic for Passive Security Device
Using CA-Signed Certificates
If the SSL Visibility Appliance is deployed in a network that already has a private public key infrastructure (PKI), you can
generate a Certificate Signing Request (CSR) and send the request to the Certificate Authority (CA) who will send you a
signed certificate that can be loaded into the SSL Visibility Appliance. As the intermediate CA is issued by the enterprise
root CA it, will automatically be trusted by all clients in the enterprise as will all server certificates that are signed by the intermediate CA.
Generate a Certificate Signing Request
The SSL Visibility Appliance can generate a CSR which you can then send on to the CA for signing.
1. Select PKI > Resigning Certificate Authorities.
2. In the Local Resigning Certificate Authorities panel, click the Generate Certificate
Generate Certificate window.
icon, bringing up the
3. Enter the basic data required in a CA, including the key size and validity period.
4. Choose Generate certificate signing request to have the certificate of the SSL Visibility Appliance signed by the
root CA of the enterprise. The CSR PEM appears in the Certificate Signing Request window.
5. Copy the CSR to the clipboard (including the BEGIN and END lines, as shown above), and then paste it into a text
file.
Caution: Make sure to include all the text, but no extra space at the end. If you don't copy the text as shown,
the certificate will not match the CSR.
6. Click OK. The certificate entry appears in the Local Resigning Certificate Authorities panel and True appears in the
9
Decrypt Outbound SSL Traffic for Passive Security Device
CSR Only column.
7. Apply the PKI Changes.
8. Send the text file containing the CSR to the Certificate Authority that is going to sign the certificate.
At this point the certificate is not installed in the system, as the signed resigning CA has not been received back from the
CA.
Import the CA-Signed Certificate
Once the CA sends you the signed certificate, you can import the file into the SSL Visibility Appliance.
1. Place the signed certificate file (either PEM or DER format) in a network location that the SSL Visibility Appliance
can access.
2. Select PKI > Resigning Certificate Authorities.
3. In the Local Resigning Certificate Authorities panel, select the certificate for which you generated the CSR.
4. Click the Install Certificate
icon. The Install Local Resigning Certificate Authority window displays.
5. In the Upload File tab, click Choose File and select the certificate file you received from the CA.
6. Click Add. If the system was able to match the CSR with the certificate, an Upload Successful window displays.
Caution: If you see Upload Error: mismatch between CSR and signed certificate, you may not have copied
the CSR content correctly. Make sure to copy all the text in the CSR and do not copy any extra space at the
end.
7. Apply the PKI Changes.
Caution: If you don't click Apply, your certificate will not be saved. Without a certificate, segment activation
will fail and the System Log will show an Invalid PKI Object.
Next Step: "Create Rule to Test Installation" on the next page
10
Decrypt Outbound SSL Traffic for Passive Security Device
Create Rule to Test Installation
To make sure your SSL Visibility Appliance is connected and configured properly, you should create a basic ruleset that
tests that traffic isn't getting blocked. To perform this test, create a ruleset with a Catch All Action of Cut Through. Then,
add a rule with a Cut Through Action and Subject/Domain Name List of sslng-unsupported-sites. This list cuts through
traffic to any destinations that are in this list. Trying to inspect traffic to these sites will cause the application to break so the
cut through rule is needed to prevent this. This list is updated with every SSL Visibility Appliance software release.
1. Select Policies > Rulesets.
2. In the Rulesets panel, click the Add
icon.
3. In the Add Ruleset window, enter a name for the ruleset and click OK.
4. In the Ruleset Options panel, click the Edit
icon.
5. For the default internal Certificate Authority, select the certificate you generated.
6. Confirm that the Catch All Action is Cut Through.
7. In the Rules panel, click the Insert
icon.
8. Confirm that the Action is Cut Through.
9. Select the Subject/Domain Name List item and choose the sslng-unsupported-sites list.
10. Click OK.
11. Apply the Policy Changes.
Next Step: "Create a Segment for Passive-Inline Mode" on the next page
11
Decrypt Outbound SSL Traffic for Passive Security Device
Create a Segment for Passive-Inline Mode
Note: Before you create the segment, make sure you have determined your deployment mode and created a ruleset
for the segment.
There are two steps to creating a segment: adding and activating.
Add a Segment
1. Select Policies > Segments.
2. Click the Add
icon.
3. Click Edit to select the Mode of Operation.
4. For Mode of Operation, choose Passive Inline:
5. Click OK.
6. Select the Ruleset you previously created.
7. Choose the desired Session Log Mode.
8. Enter a brief description of the segment in the Comments box.
9. Click OK. The new segment appears in the Segments panel.
10. Apply the Policy Changes.
Activate a Segment
1. Select Policies > Segments.
2. In the Segments panel, select the segment to activate.
3. Click the Activate
icon. The Segment Activation window displays.
12
Decrypt Outbound SSL Traffic for Passive Security Device
During segment activation, a series of screens appear that allow you to select the ports to be used for the segment,
and to select any copy ports and the modes in which the copy ports will operate. Connect any copy ports to your
passive security devices (for example, Security Analytics or an IDS). More on copy ports...1
4. Follow the prompts. Once the segment is active, the system dashboard displays a green background for the
segment, and there are entries under Main Interfaces and Copy Interfaces (if applicable to your deployment).
5. Apply the Policy Changes.
Next Step: "Verify Installation" on the next page
1You may need more than one physical port to feed your passive device, depending on the amount of network
traffic. For example, if you have 1GB of traffic in each direction, you will need to connect two copy ports to the
security device, and decide whether you want to load balance or send all inbound traffic through one port and all
outbound traffic through another. Note that you can connect up to two passive devices to the SSL Visibility
Appliance and each device can connect to one or two copy ports.
13
Decrypt Outbound SSL Traffic for Passive Security Device
Verify Installation
To test and verify that the SSL Visibility Appliance is not blocking traffic, you can view the on-box SSL Session Log.
1. Open a web browser and visit a variety of websites.
2. Is all traffic being blocked? If so, your SSL Visibility Appliance may not be connected properly to the network.
Review the steps for your deployment mode.
3. To see a list of recent SSL sessions, select Monitor > SSL Session Log.
4. Look for the domains of the websites you visited, and observe the value in the Action column. Since the initial rule
you created cuts through all traffic, the Action should say Cut Through for all sessions.
Next Step: "Create Rule to Test Decryption" on the next page
14
Decrypt Outbound SSL Traffic for Passive Security Device
Create Rule to Test Decryption
To test that the SSL Visibility Appliance is decrypting SSL traffic, add a rule that decrypts everything from a specific source
IP (your laptap).
1. Select Policies > Rulesets.
2. In the Rulesets panel, select the ruleset you previously created.
3. In the Rules panel, click the Insert
icon to add a new rule. The Insert Rule dialog displays.
4. For Action, select the appropriate decryption action:
Inbound, select Decrypt (Certificate and Key Known)
Outbound, select Decrypt (Resign Certificate)
5. For Source IP, enter the IP address of your computer.
6. Click OK.
7. Apply the Policy Changes.
Next Step: "Verify Decryption" on the next page
15
Decrypt Outbound SSL Traffic for Passive Security Device
Verify Decryption
To test and verify that the SSL Visibility Appliance is decrypting traffic according to the rules you created, you can view the
SSL Session Log.
1. Open a web browser and visit a variety of websites. If you have created policies for specific host categories,
domains, IP addresses, and so forth, make sure to go to websites that test these policies.
2. To see a list of recent SSL sessions, select Monitor > SSL Session Log.
3. Look for the domains of the websites you visited, and observe the value in the Action column. Is the value you
expected listed? For example, if you wanted the SSL Visibility Appliancenot to decrypt a particular type of traffic,
does the Action say Cut Through? For sessions you wanted to be decrypted, does the Action say Decrypt? If you
see unexpected values, review your policies.
Note: When a session is decrypted, the Action column will show either Resign Certificate (if the deployment is
using the certificate resigning method) or Certificate and Key Known (if you have imported known certificates and
keys).
Final Step: Delete the decryption testing rule, and create your own policies to define
what traffic you want to decrypt, reject, or drop.
16