Secure Computing SSL Scanner User Manual Page 11

and signed logs off to a secure server to ensure audit-ability. Without these robust policy features, combined with automatic
website categorization with URL and content filtering, organizations would struggle to comply with both their internal privacy
policy and the myriad regulations globally for handling sensitive information.
Balancing User Performance and User Privacy
Using an SSL proxy to manage encrypted traffic can remove a significant network blind spot. Yet by inspecting the traffic, the
explicit trust model of SSL comes into question; SSL is, after all, deployed to ensure that the traffic is private during transit.
Certain situations require more care and consideration. For example, employees may be allowed to connect to secure web
brokerages to manage their corporate compensation plans, or to health insurance sites to schedule confidential doctor's
visits. Partners and other invited guests connecting back to their own offices may access confidential materials under the
expectation of secrecy. Depending on your jurisdiction, respecting the privacy of such communication may be more than a
policy – it may be the law. Therefore, when deploying an SSL proxy, organizations have three options with respect to balancing
optimization needs and privacy requirements:
  • Do not decrypt and proxy SSL-tunneled traffic. This is a short-term solution that bypasses any regulatory or perception
    issues associated with intercepting SSL connections. Generally, however, this is only an option when SSL traffic is minimal
    or can be otherwise restricted, optimization of other protocols frees up sufficient bandwidth on the WAN, and latency of
    existing SSL applications is not a concern. This solution offers no protection.
  • Proxy selected SSL connections, respecting user confidentiality where appropriate. The choice to intercept could be based
    either on a white list of known business applications that require acceleration, or an exclude list of known private sites
    that users are allowed to browse without the proxy opening their communication. For highly regulated organizations that
    need to testify to the flow of information for compliance purposes, this type of partial proxy deployment allows them the
    flexibility to inspect and audit traffic selectively.
  • Open, inspect and accelerate all SSL traffic. Clearly, this would allow the proxy maximum control over bandwidth and
    unauthorized communication. Implicitly, it also facilitates and encourages additional use of SSL by removing network
    performance considerations, aiding compliance objectives. Though ideal from an application performance and bandwidth
    management perspective, any full SSL proxy must be able to notify users and log their consent to a use policy. That
    requires the use of a pop-up or splash screen to collect the consent, inline authentication to know who is consenting,
    logging functions to aggregate it, and a reporting mechanism to produce audit-proof documentation.
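The three options above can be read as one per-connection decision. The sketch below is an added example, not Blue Coat's or Secure Computing's policy language; the names (Mode, decide, the list parameters) and the sample hosts are assumptions, and it further assumes that an exclude-list match overrides a white-list match and that the proxy knows the requested hostname and the authenticated user.

```python
from enum import Enum

class Mode(Enum):
    NONE = 1       # option 1: tunnel all SSL untouched
    SELECTIVE = 2  # option 2: proxy selected connections only
    FULL = 3       # option 3: open and inspect everything

def matches(host, domains):
    """True if host is a listed domain or a subdomain of one.
    Whole DNS labels are compared, so 'notbrokerage.example' does not
    match an entry for 'brokerage.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(host, user, mode, intercept_list=(), exclude_list=(), consented=()):
    """Return (action, reason); action is 'tunnel', 'intercept' or 'splash'."""
    if mode is Mode.NONE:
        return "tunnel", "interception disabled"
    if mode is Mode.SELECTIVE:
        # Privacy wins: an excluded site is never opened, even if a broad
        # white-list entry also covers it (assumption of this example).
        if matches(host, exclude_list):
            return "tunnel", "excluded private site"
        if intercept_list and not matches(host, intercept_list):
            return "tunnel", "not a listed business application"
        return "intercept", "selected for inspection"
    # Mode.FULL: interception needs an identified user with logged consent,
    # otherwise the user is sent to the splash page first.
    if user is None or user not in consented:
        return "splash", "no logged consent for this user"
    return "intercept", "consent on record"

if __name__ == "__main__":
    # Constructed sample data, not taken from the manual.
    business = {"erp.corp.example"}
    private = {"brokerage.example", "health-insurer.example"}
    for host, user in [("erp.corp.example", "alice"),
                       ("portal.brokerage.example", "alice"),
                       ("news.example", None)]:
        print(host, decide(host, user, Mode.SELECTIVE, business, private))
        print(host, decide(host, user, Mode.FULL, consented={"alice"}))
```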
WAN Optimization – MACH 5 SSL Proxy
In the WAN optimization scenario Blue Coat ProxySG offers many of the same benefits to the organization as the SSL forward
proxy example. Blue Coat ProxySG appliances with MACH 5 technology can seamlessly open all SSL applications, regardless
of whether they are internal or external. This allows you to deliver the same performance and great user experience you can
provide through WAN optimization to your most important traffic as well. All five MACH5 technologies (bandwidth management,
object caching, byte caching, protocol optimization, and compression) can be used with SSL applications, without the need to
break security best-practices by removing private keys from your servers. Just as importantly, Blue Coat user management
tools, including alerts and coaching pages, user authentication, and centralized reporting, allow you not only to be selective in
the SSL you intercept, but also to produce auditable logs of user consent. Figure 10 illustrates the Blue Coat ProxySG SSL WAN
Optimization solution.
Technology Primer: Secure Sockets Layer (SSL)