Secure Computing SSL Scanner User Manual, Page 8

When the SSL forward proxy is used to intercept HTTPS traffic, it can also:
• Optionally cache HTTPS content.
• Apply HTTP-based authentication mechanisms.
• Initiate ICAP actions for DLP (data loss prevention) checks or malware detection, never exposing data to a live network. (Secure-ICAP is recommended for content analysis between locations).
• URL filter based on the full URL and even obscured URLs, plus deep content inspection for translation services, image and cached search engine content searches, and proxy avoidance.
• Apply granular policies such as validating apparent data type, magic byte, container mismatch, mime type, or filename extension.
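The last item above, sketched as an added example (not Blue Coat code or policy syntax): a check a gateway could run on a decrypted response, comparing the body's magic bytes with the declared MIME type and the filename extension. The signature tables, function names and sample inputs are constructed for illustration, and the MIME-versus-extension comparison is one assumed reading of a mismatch policy.

```python
import os

# Leading "magic" bytes -> detected type (small constructed table, not a vendor signature set).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]
# Body types that each declared MIME type or extension may legitimately carry.
# .docx is a ZIP container, so a ZIP signature is the expected body for it.
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
MIME_OK = {"application/pdf": {"pdf"}, "image/png": {"png"}, "image/jpeg": {"jpeg"},
           "image/gif": {"gif"}, "application/zip": {"zip"}, DOCX: {"zip"}}
EXT_OK = {".pdf": {"pdf"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
          ".gif": {"gif"}, ".zip": {"zip"}, ".docx": {"zip"}, ".exe": {"exe"}}

def sniff(body: bytes) -> str:
    """Identify the body from its first bytes, ignoring headers and filename."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"

def check_response(content_type: str, filename: str, body: bytes) -> list:
    """Return policy findings; an empty list means the object is consistent."""
    findings = []
    actual = sniff(body)
    mime = content_type.split(";", 1)[0].strip().lower()  # drop parameters such as charset
    ext = os.path.splitext(filename)[1].lower()
    if mime in MIME_OK and actual not in MIME_OK[mime]:
        findings.append(f"mime mismatch: declared {mime}, body looks like {actual}")
    if ext in EXT_OK and actual not in EXT_OK[ext]:
        findings.append(f"extension mismatch: {ext} file, body looks like {actual}")
    if mime in MIME_OK and ext in EXT_OK and not (MIME_OK[mime] & EXT_OK[ext]):
        findings.append(f"mime/extension disagreement: {mime} served as {ext}")
    return findings

if __name__ == "__main__":
    # Constructed samples: a consistent PNG, and an executable labelled as a JPEG.
    print(check_response("image/png", "logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(check_response("image/jpeg", "photo.jpg", b"MZ\x90\x00" + b"\x00" * 8))
```

Types missing from the tables produce no finding, so a real policy also has to decide how to treat unknown content.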
Blue Coat ProxySG’s SSL forward proxy intercept functionality terminates SSL traffic. It can exert policy control at the initiation
of the SSL session (i.e., on client connect, and on server response) and throughout the session – because there are two
separate connections: one between the client and the proxy, and another between the proxy and the server – see Figure 7,
below. This enables all of the proxy controls, but also some SSL-specific controls.
[Figure 7 diagram: Client, Proxy and Server, with two separate SSL handshakes. Client-Proxy Connection: connection request; algorithms I support; let’s use this algorithm; emulated certificate; verify certificate and extract (proxy’s) public key; complete authentication; tunnel established. Server-Proxy Connection: connection request; algorithms I support; use this algorithm; server’s digital certificate; verify certificate and extract server’s public key; complete authentication; tunnel established.]
Figure 7 – Blue Coat ProxySG provides critical check points during SSL sessions: Policy checks on external Web content,
SSL certificate checks, and ensuring inbound/outbound information does not compromise security or compliance policies.
First, Blue Coat ProxySG can make gateway trust decisions – meaning that organizations can decide whether or not they
accept secure connections from servers with a questionable certificate (i.e., the certificate is out of date, or issued by an
untrusted party, or doesn’t match the server name), instead of trusting their users to make that determination. This has
tremendous anti-phishing benefits – most of the servers used in phishing and pharming attacks depend on users blithely
clicking “yes” to certificate warnings. Proxy avoidance toolkits can also be blocked by requiring valid server certificates.
Second, the ProxySG’s SSL forward proxy can apply full proxy functionality to HTTPS traffic and manage traffic tunneling
through SSL (typically rogue applications like Skype, peer-to-peer, or IM) differently – deciding whether or not to pass that
traffic – which has significant benefits for security groups trying to manage vulnerability-prone consumer applications.
Technology Primer: Secure Sockets Layer (SSL)