Documente Academic
Documente Profesional
Documente Cultură
Security
For more information regarding configuration and operation of AppWall and Authentication, see the
AppWall for Alteon NG User Guide.
SSL Inspection
Most web applications used for private, commercial, or business purposes encrypt the transactions
based on the SSL/HTTPS protocol to ensure the privacy of data transfer between the user and
server.
SSL solves the privacy problem and secures the communication of sensitive information in and out
of the enterprise, but it created a new blind spot in the visibility of traffic that goes in and out of the
enterprise. SSL has also become a vehicle to carry malicious programs into the enterprise IT
infrastructure and allows sensitive information to leak out of the enterprise unnoticed. Even private
emails or innocent collaboration tools have become a security hazard as malicious programs can
cross through the enterprise's anti-virus solution unchecked, hidden in the SSL connection
established between the two ends.
Organizations subjected to industry and government regulations have strict rules on accessing
sensitive information and require all traffic in the datacenter to be visible. This requirement
contradicts the inherent need to keep data transmission encrypted to ensure privacy.
Alteon offers one unified solution that uniquely addresses all challenges and requirements.
Alteon can be implemented as a bump in the wire, overseeing all traffic to and from the Internet.
Based on its advanced Layer 4 to Layer 7 classification capabilities, Alteon seamlessly intercepts and
terminates SSL sessions as if it was a server, and opens a new SSL session on its other side, on
behalf of the end-user, towards the original destination server. In between, Alteon's advanced
transparent traffic steering capabilities forwards the decrypted traffic to deep packet inspection
(DPI) security solutions, such as firewalls, anti-malware, and data leakage protection, providing full
visibility into the content of both SSL encrypted and clear text sessions.
As illustrated, the traffic flow for the SSL Inspection solution is as follows:
1. A client initiates an HTTPS request (SSL Hello) to a secured Web site.
2. Alteon intercepts the request and initiates an SSL connection to the destination server. During
the SSL handshake, the server passes its certificate to Alteon.
3. Alteon quickly generates a server certificate identical to the remote server's certificate, signs it
with the configured CA certificate and passes it to the client This solves the problem of
performing registry changes on the client's PC and also presents the exact server certificate's
details to the client. The new certificate includes all the relevant information from the original
certificate including the common fields:
— Serial number
— Valid from
— Valid to
— Subject
— Subject alternative name extension (if exists)
— Issuer alternative name extension (if exists)
The original Issuer field is passed in a Netscape comment extension in the new certificate, as it
is not part of the new certificate when validated by the browser. The new certificate is created
with a new Issuer field, which is changed to the common name of the CA certificate imported/
created on Alteon for this purpose.
4. After completing the SSL handshake with the client, Alteon decrypts the client's request and
sends the HTTP request to the security device (antivirus, DLP, etc.) to be inspected.
5. The security device scans the HTTP traffic and if the result is OK, sends the traffic to the
Internet.
Note: The same traffic can be inspected by multiple security devices, in a serial manner.
6. Alteon intercepts the request sent by the security device (the last in line in case of multiple
devices) and initiates an encrypted request to the remote site as per the destination address
requested by the client in the original request. The source IP address of the request is either the
client's or its own, depending on the configuration.
7. The returning traffic follows the same flow but in the opposite direction.
During the SSL handshake with the remote server, Alteon authenticates the server and verifies that
the server's public certificate is signed by a known and recognized CA authority. For this, a list of
trusted CA certificates must be imported into Alteon. Alteon also verifies the certificate's expiration
date and validity.
During the SSL handshake, Alteon presents a newly created certificate to the client in place of the
original server. This means that, in effect, the client receives a certificate that has been issued by
Alteon, as opposed to the original issuer. Because of this, a security warning pop-up message
displays to the client. The message usually states the following:
An authentication problem occurred while trying to connect to the remote Web site. The problem is
one of the following:
• The security certificate was issued by a company you have not chosen to trust.
• The security certificate date is not valid
• The common name on the security certificate is invalid or does not match the name of the site.
Note: In VX mode SSL Limit must be defined on the vADC on which you want to activate SSL
Inspection.
Notes
• Currently, a single pair of front-end and back-end SSL policies can be configured for SSL
Inspection.
• To perform Layer 7 decisions on the decrypted traffic you must use AppShape++.
b. In the Filters table, click to add an entry. The relevant Add tab opens.
c. Select Enable Filter.
d. In the Filter ID field, type an identifier for the filter. The valid range is 1 to 2048.
e. In the Action field, select Redirect from the drop-down list.
f. In the Group ID field, select the appropriate group ID from the drop-down list, or click
to add a new group.
In this example, we use the following values:
Filter ID Action
10 Redirect
• In the Application Port/Range Start field, type 443 in the Destination column.
In this example, we use the following values:
Delayed Bind Real Server Port Return to Last Hop Reverse Session
Forceproxy 80 Enable Enable
b. In the Filters table, click to add an entry. The relevant Add tab opens.
c. Select Enable Filter.
d. In the Filter ID field, type an identifier for the filter. The valid range is 1 to 2048.
e. In the Action field, select Redirect from the drop-down list.
f. In the Group ID field, select the appropriate group ID from the drop-down list, or click
to add a new group.
In this example, we use the following values:
Filter ID Action
20 Redirect
Delayed Bind Real Server Port Return to Last Hop Reverse Session
Forceproxy 80 Enable Enable
j. Click Submit.
3. Configure port processing to use the configured filters.
a. Select Configuration > Application Delivery > Port Processing.
b. In the Port Processing table, select an entry and click , or double-click the entry you want
to edit. The relevant Edit tab displays.
c. Select Filter/Outbound LLB.
d. Select the rule ID and use the arrows to move the rule ID between the Available and
Selected lists.
e. Click Submit.
f. Repeat until all filters are configured for each port.
In this example, we use the following values: