Hello, my name is Eytan Siegel. I'm the director of VPN products at Check Point Software Technologies. Encrypted SSL traffic is critical for user privacy and to securely conduct business across the net, and indeed we've seen a huge rise in websites shifting to SSL in recent years. This is a good thing; however, encrypted traffic can be used to conceal attacks. To prevent threats we need the ability to look inside encrypted traffic. I'm going to talk about Check Point's SSL inspection technology, which allows our advanced security functions to analyze the content of encrypted network traffic. With SSL inspection our gateways can enforce the same level of security on encrypted traffic as they do with clear traffic.

We'll start by reviewing how SSL is used by browsers to establish secure communication with a website on the Internet.
We'll be using Facebook as an example. Notice the browser is using HTTPS. The S denotes that the HTTP session is encrypted with SSL. The first function of SSL is to establish trust with a site: the browser trusts a web server if the server has a digital certificate that was issued by a trusted certificate authority, or CA, that has vetted the site's identity. The SSL handshake starts off with the web server sending its certificate to the browser. Facebook's web server needs a way to prove it's the rightful owner of the certificate. For this, Facebook has a file called a private key, which is cryptographically paired with its certificate. Without possession of Facebook's private key, no one can forge its certificate and impersonate the site on the web. This is a key part of SSL. Facebook's certificate is signed by a CA named Verisign. Our browser searches for the Verisign certificate in its store of trusted CA certificates. On Windows the list of trusted CAs is maintained by Microsoft. In our example the Verisign certificate is found in the trusted store, and so the browser decides to trust Facebook's certificate. Now that the SSL cryptographic validation is done and the browser trusts the website, browsing commences using SSL-encrypted communication.
Let's visit Facebook again, but now we're going to turn on Check Point SSL inspection. We do this from the HTTPS Inspection page in SmartDashboard. The first step for enabling SSL inspection is to create a CA certificate to be used by the Gateway for signing. We provide a certificate name, a validity date, and a password that will protect the private key. We then enable HTTPS inspection. You'll notice I skipped step two. We'll get back to that in a short moment.
Now that our Gateway is performing SSL inspection, let's browse to Facebook again and see what happens this time. The Gateway sees the browser's SSL request and, rather than letting the request through, initiates its own SSL session with Facebook, pretending to be our browser. Like the browser, the Gateway has its own trusted CA store, which it uses to validate that we trust Facebook's certificate. This validation is critical in order to preserve the trust validations normally carried out by the browser. Once the connection between the Gateway and Facebook is established, the Gateway creates an SSL certificate that is very similar to that of Facebook. This certificate has its own private key associated with it. The Gateway signs the copied certificate using the CA certificate we created for the Gateway. Now the Gateway completes the SSL session with our browser, pretending to be Facebook and using that just-created certificate. But wait: the certificate that the Gateway has generated for Facebook is not signed with a CA that the browser trusts. It's signed with the one we generated a moment ago. So the browser warns the user that the certificate is not valid. There's one more key step that must happen before the Gateway can perform SSL inspection without generating a warning in our browser, and that is that the Gateway CA certificate must be added to the browser's trusted store. To accomplish this we export the Gateway CA certificate file (that's the second step we skipped a moment ago) and then import it manually into your PC's trusted CA store. You can also automatically distribute the Gateway CA by using Group Policy Objects in Microsoft Active Directory. From this point on the browser trusts certificates generated by the Gateway, and will thus trust the one that the Gateway has just created for Facebook. At this point the Gateway has established SSL connections with both Facebook and our browser, acting as a bridge between the two. This way the Gateway can inspect the content of the encrypted SSL traffic.
As an example, let's see SSL inspection in action with Check Point's Data Loss Prevention, DLP. Using my personal Gmail account, which uses SSL, I write an email to my friend Jim, attaching a file containing confidential customer data. When I try to send it I immediately get an on-screen message from the Gateway alerting me to the potential breach. Before SSL inspection this breach would have gone unnoticed. We can now also prevent threats concealed in SSL by enabling inspection for IPS, Antivirus and other Software Blades. You may decide to avoid inspecting some encrypted traffic in order to comply with regulatory requirements or privacy laws. For example, I may want to turn on SSL inspection to perform URL filtering, but at the same time I'd like to exclude traffic to online banking and health sites from being inspected in order to protect employee privacy. To achieve this we use the HTTPS Inspection policy in SmartDashboard. We add a rule to the rule base to get this done.

As you can see, SSL inspection technology enables the suite of advanced Check Point security applications to scan encrypted data in order to maximize your protection and to ensure you are secure from malicious attacks. To find out more information about Check Point's advanced security technologies, please visit us at checkpoint.com.
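The flow the talk walks through, as an added worked example that is not part of the original talk and not Check Point's code: the Gateway validates the origin certificate against its own root store, clones the subject and names into a new certificate carrying its own key, signs that clone with the Gateway CA, the browser rejects it until the Gateway CA is imported into its trust store, an upstream impostor the Gateway itself does not trust is blocked, and a category excluded by policy is passed through untouched. It is a toy model: the RSA uses tiny fixed primes and the certificates are plain Python objects, so only the chain-of-trust logic is real. The CA names, hostnames and URL categories are constructed sample data.

```python
"""Toy model of the SSL inspection flow: added illustration, not Check Point code.
The RSA below uses tiny fixed primes and the certificates are plain dataclasses,
so nothing here is real cryptography; only the chain-of-trust logic is faithful."""
import dataclasses
import hashlib
import math
from dataclasses import dataclass

# ---- textbook RSA over a ~60-bit modulus (illustration only, never use) ----
def toy_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17) if math.gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify_sig(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# ---- minimal certificate and the checks a browser performs -----------------
@dataclass(frozen=True)
class Cert:
    subject: str
    sans: tuple        # DNS names the certificate is valid for
    issuer: str        # CA name, looked up in the verifier's trust store
    pubkey: tuple
    not_after: int     # expiry, unix time
    signature: int = 0

    def tbs(self):     # the "to be signed" part, what the CA actually signs
        return repr((self.subject, self.sans, self.issuer,
                     self.pubkey, self.not_after)).encode()

def issue(subject, sans, ca_name, ca_priv, subj_pub, not_after):
    unsigned = Cert(subject, sans, ca_name, subj_pub, not_after)
    return dataclasses.replace(unsigned, signature=sign(unsigned.tbs(), ca_priv))

def validate(cert, hostname, trust_store, now):
    """Browser-style validation: expiry, name, issuer in store, signature."""
    if now > cert.not_after:
        return False, "expired"
    if hostname not in cert.sans:
        return False, "hostname mismatch"
    ca_pub = trust_store.get(cert.issuer)
    if ca_pub is None:
        return False, f"untrusted issuer: {cert.issuer}"
    if not verify_sig(cert.tbs(), cert.signature, ca_pub):
        return False, "bad signature"
    return True, "ok"

# ---- the inspecting gateway ------------------------------------------------
class Gateway:
    def __init__(self, ca_name, trust_store, bypass_categories):
        self.ca_name = ca_name
        self.ca_pub, self.ca_priv = toy_keypair(1000000007, 998244353)
        self.trust_store = trust_store           # gateway's own root CA store
        self.bypass = set(bypass_categories)     # e.g. banking, health sites
        # key the gateway uses on the browser-facing side of every session
        self.leaf_pub, self.leaf_priv = toy_keypair(469762049, 167772161)

    def intercept(self, server_cert, hostname, category, now):
        """Return the certificate the browser will see, or None to block."""
        if category in self.bypass:
            return server_cert                   # excluded by policy: pass through
        ok, _ = validate(server_cert, hostname, self.trust_store, now)
        if not ok:
            return None                          # origin untrusted: fail closed
        # clone subject, SANs and expiry, but with the gateway's own key,
        # signed by the gateway CA rather than the public CA
        return issue(server_cert.subject, server_cert.sans, self.ca_name,
                     self.ca_priv, self.leaf_pub, server_cert.not_after)

def demo(now=1_700_000_000):
    """Walk through the talk's scenario; returns the outcome of each step."""
    public_ca_pub, public_ca_priv = toy_keypair(1000000009, 2147483647)
    site_pub, _site_priv = toy_keypair(999999937, 1000000021)
    evil_ca_pub, evil_ca_priv = toy_keypair(754974721, 1004535809)
    public_roots = {"Verisign": public_ca_pub}  # constructed sample root store
    host = "www.facebook.com"
    fb = issue(host, (host, "facebook.com"), "Verisign",
               public_ca_priv, site_pub, now + 365 * 86400)
    browser_store = dict(public_roots)
    gw = Gateway("CheckPoint-GW-CA", public_roots, {"banking", "health"})
    out = {"direct": validate(fb, host, browser_store, now)}
    seen = gw.intercept(fb, host, "social", now)
    out["before_import"] = validate(seen, host, browser_store, now)
    browser_store[gw.ca_name] = gw.ca_pub       # the manual / GPO import step
    out["after_import"] = validate(seen, host, browser_store, now)
    out["gateway_key"] = seen.pubkey != fb.pubkey and seen.sans == fb.sans
    # an upstream impostor signed by a CA the gateway does not trust is blocked
    evil = issue(host, (host,), "Evil-CA", evil_ca_priv, evil_ca_pub, now + 86400)
    out["impostor_blocked"] = gw.intercept(evil, host, "social", now) is None
    # a category excluded by the HTTPS inspection policy is left untouched
    out["banking_bypassed"] = gw.intercept(fb, host, "banking", now) is fb
    return out
```

Calling `demo()` returns one entry per step: the direct visit validates, the re-signed certificate fails with an untrusted issuer until the Gateway CA is imported and validates afterwards, the clone carries the Gateway's key rather than the site's, the impostor is refused by the Gateway's own validation before any clone is made, and the banking request reaches the browser with the original certificate. The `validate()` the Gateway runs on the upstream side is the same routine the browser runs, which is the point the talk makes about preserving trust validation.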
