Finjan NG-8000 User Manual

Version 9.2
Integrated SSL Scanning

SSL Enhancements
Page ii
© Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries (“Finjan”).
All rights reserved.
All text and figures included in this publication are the exclusive property of Finjan and
are for your personal and non-commercial use. You may not modify, copy, distribute,
transmit, display, perform, reproduce, publish, license, create derivative works from,
transfer, use or sell any part of its content in any way without the express permission
in writing from Finjan. Information in this document is subject to change without notice
and does not present a commitment or representation on the part of Finjan.
The Finjan technology and/or products and/or software described and/or referenced to
in this material are protected by registered and/or pending patents including European
Patent EP 0 965 094 B1 and U.S. Patents No. 6092194, 6154844, 6167520,
6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662,
6965968, 7058822, 7076469, 7155743, 7155744, 7185358, 7418731 and may be
protected by other U.S. Patents, foreign patents, or pending applications.
Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and Window-of-Vulnerability
are trademarks or registered trademarks of Finjan. Sophos is a registered trademark
of Sophos plc. McAfee is a registered trademark of McAfee Inc. Kaspersky is a
registered trademark of Kaspersky Lab. Websense® is a registered trademark of
Websense, Inc. IBM® Proventia® Web Filter is a registered trademark of IBM
Corporation. Microsoft and Microsoft Office are registered trademarks of Microsoft
Corporation. All other trademarks are the trademarks of their respective owners.
For additional information, please visit www.finjan.com or contact one of our regional
offices:
USA: San Jose
2025 Gateway Place Suite 180 San Jose,
CA 95110, USA
Toll Free: 1 888 FINJAN 8
Tel: +1 408 452 9700 Fax: +1 408 452 9701
Europe: UK
4th Floor, Westmead House, Westmead,
Farnborough, GU14 7LP, UK
Tel: +44 (0)1252 511118
Fax: +44 (0)1252 510888
salesuk@finjan.com
Israel/Asia Pacific
Hamachshev St. 1,
New Industrial Area Netanya, Israel 42504
Tel: +972 (0)9 864 8200
Fax: +972 (0)9 865 9441
salesint@finjan.com
Europe: Germany
Alte Landstrasse 27, 85521
Ottobrun, Germany
Tel: +49 (0)89 673 5970
Fax: +49 (0)89 673 597 50
salesce@finjan.com
General Information
Email: [email protected]
Internet: www.finjan.com
Europe: Netherlands
Printerweg 56
3821 AD Amersfoort, Netherlands
Tel: +31 334 543 555
Fax: +31 334 543 550
Catalog name: Integrated SSL Scanning 9.2

Table of Contents
1. Introduction
2. HTTPS Scanning
2.1 On-the-Fly Certificate Generation
2.2 Certificate Validation
2.3 Certificate Management [new for 9.2]
2.4 Authority Information Access [new in 9.2]
2.5 SSL Certificate Errors
3. HTTPS Policies
4. Configuring HTTPS Support
4.1 HTTPS Configurable Parameters
5. Transparent HTTPS
5.1 Transparent HTTPS Scanning and Finjan’s Certificate

Integrated SSL Scanning
Page 1 Finjan proprietary and confidential
1. Introduction
The purpose of the Secure Sockets Layer (SSL) protocol is to provide security for
the transmission of data over the Internet. Security includes confidentiality,
message integrity, and authentication. SSL achieves these elements of
security through the use of cryptography, digital signatures, and
certificates.
The Finjan Vital Security series is an enterprise solution that protects
users and organizations from Web attacks, including attacks concealed in
encrypted HTTPS communication. The HTTPS functionality is integrated
into the Vital Security NG appliance, providing unified setup, management,
authentication and identification, and the ability for system administrators
to set HTTPS policies.
The HTTPS scanning solution protects enterprise networks by decrypting
HTTPS traffic and inspecting it for viruses, worms, and malicious code. It
also provides encrypted Web attack protection, certificate validation, and
content filtering.
Integrated HTTPS scanning is a license-based feature that enables the
scanning server to be configured to support HTTPS. HTTPS configuration
can be carried out system-wide or per Scanning Server.
In addition to the scanning solution for HTTP traffic, Finjan also provides
certificate validation functionality. This ensures that corporate policies
regarding certificates are enforced by automatically validating each
certificate and ensuring that the chain returns to the trusted authority. In
this way, corporate policies are maintained, while users are provided with
the benefit of being able to access SSL traffic.
2. HTTPS Scanning
When HTTPS scanning is enabled, Vital Security Scanning Server serves
as an intermediary, acting both as an HTTPS server replying to the end-
user’s requests, and as an HTTPS client requesting the content from the
original HTTPS server on behalf of the end-user. When the end-user
requests the server’s certificate from the Scanning Server, the Scanning
Server retrieves the certificate from the original Web server. The Scanning
Server then validates the certificate and, according to the security policy,
sends it to the user or blocks it. This transaction includes two sessions,
one between the client and the Scanning Server, and another between the
Scanning Server and the original Web server.
2.1 On-the-Fly Certificate Generation
When HTTPS Scanning is enabled, there are two HTTPS connections for
each session:
• Between the end-user and the Scanning Server
• Between the Scanning Server and the HTTPS server
When the end-user initially sends the request to the Scanning Server, the
Scanning Server does not have the certificate of the original Web server,
so it must retrieve the certificate before establishing the connection. The
Scanning Server retrieves the certificate from the HTTPS server and then
generates a new certificate on-the-fly, which includes the same
information as the original certificate. The Scanning Server signs the new
certificate with its own private key and sends it to the end-user.
2.2 Certificate Validation
Vital Security HTTPS ensures that corporate policies for certificates are
enforced, thereby removing the decision from the end-users by
automatically validating each certificate and ensuring that the chain
returns to the trusted authority. Policies regarding certificates are enforced
by checking individual certificate names, expiry dates, trusted authority
chains, and revocation lists.
A list of trusted certificate authorities is supplied with the system and is
used for digital signature analysis and for HTTPS certificate validation.
Digital certificate lists are updated via Finjan security updates. These lists
include the required trusted certificate authorities and Certificate
Revocation Lists (CRLs).
Certificate validation is based on the action taken according to policy type
(Bypass/Inspect Content/User Approval). When Bypass is selected, the
original server certificate is obtained, and certificate validation is not
performed by the system (no security or HTTPS validation is carried out
on traffic). If Inspect Content or User Approval is selected, the server
certificates are analyzed and replaced by a certificate containing the same
mismatches as the original. The resulting mismatches are compared
against SSL certificate conditions.
To view the certificate validation rules, navigate in the Management
Console to Policies → Condition Settings → HTTPS Certificate
Validation → Default Certificate Validation Profile.
NOTE: The Default Profile can also be duplicated and adjusted
to an organization’s needs.
The Default Certificate Validation Profile comprises the
certificate error events.

Figure 1: Certificate Validation Profile
2.2.1 Certificate Revoked (CRLs)
The following table describes each option in the HTTPS certificate
validation profile:
Unable to get certificate CRL: The CRL of a certificate could not be found.
Unable to decrypt CRL's signature: The actual signature value could not be determined (as opposed to not matching the expected value).
CRL signature failure: The signature of the certificate is invalid.
Certificate is not yet valid: The notBefore date is after the current time.
Certificate has expired: The notAfter date is before the current time.
Format error in CRL's lastUpdate field: The CRL lastUpdate field contains an invalid time.
Format error in CRL's nextUpdate field: The CRL nextUpdate field contains an invalid time.
Certificate revoked: The certificate has been revoked.

2.2.2 Host Cannot be Trusted
Hostname does not match certificate name: The host name does not match the name in the certificate.
Cannot verify Hostname: The host name is unavailable and therefore cannot be verified against the certificate.
2.2.3 Bad Certificate Usage
Unsupported certificate purpose: The supplied certificate cannot be used for the specified purpose.
Path length constraint exceeded: The basic constraints path length parameter has been exceeded.
2.2.4 Invalid Security Structure
Certificate signature cannot be decrypted: The certificate signature could not be decrypted (meaningful for RSA keys).
Cannot decode issuer public key: The public key in the certificate SubjectPublicKeyInfo could not be read.
2.2.5 Certificate Cannot be Trusted
Issuer certificate could not be found: This occurs if the issuer certificate of an untrusted certificate cannot be found.
Certificate signature failure: The signature of the certificate is invalid.
Certificate is self signed: The certificate is self-signed and cannot be found in the list of trusted certificates.
Root certificate could not be found locally: The certificate chain could be built using the untrusted certificates, but the root could not be found locally.
Unable to get local issuer certificate: The issuer certificate of a locally looked-up certificate could not be found. This normally means the list of trusted certificates is not complete.
Unable to verify the first certificate: No signatures could be verified because the chain contains only one certificate, and it is not self-signed.
Certificate chain too long: The certificate chain length is greater than the supplied maximum depth.
Invalid CA certificate: Either the certificate is not a CA or its extensions are not consistent with the supplied purpose.
Certificate not trusted: The root CA is not marked as trusted for the specified purpose.
Certificate rejected: The root CA is marked to reject the specified purpose.
Subject issuer mismatch: The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate.
Authority and subject key identifier mismatch: The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate.
Authority and issuer serial number mismatch: The current candidate issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate.
Key usage does not include certificate signing: The current candidate issuer certificate was rejected because its keyUsage extension did not permit certificate signing.

2.2.6 Certificate is Not Currently Valid
Certificate is not yet valid: The notBefore date is after the current time.
Certificate has expired: The notAfter date is before the current time.
2.3 Certificate Management
During the installation and setup of Vital Security, a private key is created
by the system, followed by the creation of a self-signed certificate. By
default, Vital Security signs the on-the-fly certificates using the self-
generated private key, and the end-user sees the self-signed certificate.
Certificate Management includes the following:
2.3.1 Certificate Export
System administrators have the option to export the SSL certificate from
the system to install it later on end-user machines as a trusted CA.
Installing Vital Security certificates on end-user machines will prevent the
security validation error messages for the end-users.
Figure 2: Generate Certificate Signing Request
2.3.2 Generating a Certificate Signing Request
For large organizations, which employ their own CA that is already trusted
by end-users, there is the option to generate a Certificate Signing Request
(CSR). After the generation of the CSR, the system administrator can
export the request (which is signed by the private key of Vital Security)
and send it to the Certificate Authority. The CA will then generate a
certificate, which will be imported into Vital Security. This procedure
makes the process of exporting the certificate to end-users unnecessary.
2.3.3 Import Certificate
The Vital Security system supports two types of certificate import:
• Importing a certificate signed by the CA after a CSR was created by
Vital Security.
• Importing a certificate, together with its private key, into the
system.
The imported certificate should be in PEM format.
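The mechanics described in 2.1 (on-the-fly certificate generation), 2.2 (the validation error events) and 2.3.2/2.3.3 (the organization's CA signing the Scanning Server's CSR, here with an AIA pointer of the kind 2.4 describes) can be exercised on a workstation with the openssl command-line tool. The script below is an added example written for this page; it is not Finjan code and does not show how Vital Security is implemented internally. It assumes a POSIX shell and an OpenSSL 1.1.1 or later CLI; the CA name "Example Corp Root CA", the hostname www.example.test, the URL http://pki.example.test/root-ca.cer and the DEMO_PKI_DIR variable are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not Finjan's code): a throw-away PKI built with the openssl CLI
# that reproduces, on one machine, what the manual describes:
#   2.3.2  the organisation's root CA signs a CSR from the Scanning Server,
#          making it a subordinate CA (here also carrying an AIA link, 2.4);
#   2.1    the Scanning Server mints an on-the-fly certificate that copies the
#          subject of a remote server's certificate and signs it with its own key;
#   2.2    `openssl verify` raises several of the error events listed in the
#          certificate validation profile (self-signed, missing issuer, no CRL,
#          expired, hostname mismatch), returned here as numeric codes.
# Every name, hostname and URL below is constructed for the demo.
set -eu

WORK="${DEMO_PKI_DIR:-$(mktemp -d)}"   # scratch directory for keys and certificates
ORIGIN_HOST="www.example.test"         # constructed name of the "remote HTTPS server"

write_config() {
    # Extension profiles. A v3 certificate without basicConstraints CA:TRUE is
    # refused as an issuer ("Invalid CA certificate" in the profile table).
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
authorityInfoAccess = caIssuers;URI:http://pki.example.test/root-ca.cer
[ v3_origin ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.test
EOF
}

# Subject or issuer DN of a PEM certificate in RFC 2253 form, e.g. "CN=host".
cert_dn() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Run `openssl verify` and print the numeric X.509 verify error, 0 meaning OK.
# This number is the event a validation profile would be matched against.
verify_code() {
    code=$(openssl verify "$@" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    echo "${code:-0}"
}

build_demo_pki() {
    [ -f "$WORK/onthefly.pem" ] && return 0   # already built; reuse it
    write_config
    # 1. Organisation root CA, self-signed; stands in for the CA the users trust.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Corp Root CA" -config "$WORK/req.cnf" -extensions v3_root \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # 2. Scanning Server key and CSR (2.3.2); the root CA returns a sub-CA cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=Vital Security Scanning Server" \
        -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/req.cnf" -extensions v3_sub_ca \
        -out "$WORK/proxy.pem" 2>/dev/null
    # 3. Remote web server with a self-signed certificate that nobody trusts.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$ORIGIN_HOST" -config "$WORK/req.cnf" -extensions v3_origin \
        -keyout "$WORK/origin.key" -out "$WORK/origin.pem" 2>/dev/null
    # 4. On-the-fly certificate (2.1): copy the origin subject, sign it with the
    #    Scanning Server key. Assumes a single-RDN subject (CN only).
    dn=$(cert_dn "$WORK/origin.pem" -subject)
    host=${dn#CN=}
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nauthorityKeyIdentifier = keyid, issuer\nsubjectAltName = DNS:%s\n' "$host" > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" -subj "/$dn" \
        -keyout "$WORK/onthefly.key" -out "$WORK/onthefly.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/onthefly.csr" -CA "$WORK/proxy.pem" -CAkey "$WORK/proxy.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$WORK/leaf.ext" \
        -out "$WORK/onthefly.pem" 2>/dev/null
}

report() {
    build_demo_pki
    r="$WORK/root.pem"; p="$WORK/proxy.pem"; leaf="$WORK/onthefly.pem"
    echo "on-the-fly subject: $(cert_dn "$leaf" -subject)"
    echo "on-the-fly issuer : $(cert_dn "$leaf" -issuer)"
    echo "origin, self-signed and untrusted      -> $(verify_code -CAfile "$r" "$WORK/origin.pem")"
    echo "on-the-fly, full chain to trusted root -> $(verify_code -CAfile "$r" -untrusted "$p" "$leaf")"
    echo "on-the-fly, sub-CA certificate missing -> $(verify_code -CAfile "$r" "$leaf")"
    echo "on-the-fly, CRL check without a CRL    -> $(verify_code -CAfile "$r" -untrusted "$p" -crl_check "$leaf")"
    echo "on-the-fly, checked three days later   -> $(verify_code -CAfile "$r" -untrusted "$p" -attime $(( $(date +%s) + 3 * 86400 )) "$leaf")"
    echo "on-the-fly, wrong hostname             -> $(verify_code -CAfile "$r" -untrusted "$p" -verify_hostname other.example.test "$leaf")"
}

report
```

Run it as `sh demo_pki.sh`. The on-the-fly certificate carries the origin's subject but the Scanning Server's issuer name, which is why a browser only accepts it once the organization's root (or the Scanning Server's own certificate, section 2.5) is in its trust store. verify_code prints OpenSSL's X509 verify error number, which corresponds to the events in the validation profile: 18 for a self-signed certificate that is not in the trust store, 20 when the issuer cannot be found locally, 3 when a CRL is required but none is available (the "Unable to get certificate CRL" row of 2.2.1), 10 for an expired certificate and 62 for a hostname mismatch; 0 means the chain was built back to the trusted root and every check passed. The -attime option shows the expiry event without waiting for the one-day certificate to lapse.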
2.4 Authority Information Access
Authority Information Access (AIA) is an SSL certificate extension that tells
the browser where to obtain information about the Certificate Authority that
issued the SSL certificate. One approach is for the Web server to send the
end-user the full certificate chain, after which the end-user’s browser
validates the server’s certificate and the issuer’s certificate. With AIA, the
Web server sends only its own SSL certificate, which includes
a link to the issuers of the certificate. The end-user’s browser then follows
that link and validates the issuers of the SSL certificate.
AIA support includes two components:

2.4.1 Validating the HTTPS Server’s Certificate
When the Vital Security Scanning Server acts as an HTTPS client and
retrieves the secured content from the HTTPS server, the first thing it does
is validate the SSL certificate. If the certificate includes the AIA extension,
Vital Security will follow the link and will validate the certificate of the
issuer of the certificate.
2.4.2 Replying to the User with AIA Extension
When the Integrated SSL Scanning module acts as the SSL server, it can
also reply to the end-users with the AIA extension. In organizations which
employ their own root CA server, it is possible to create a root CA
certificate with AIA already inside. During the handshake with the client,
Vital Security sends the end-user the server’s certificate and a chain,
which includes (in addition to the certificate) the root CA certificate with the
AIA field present.
In this way, the browser analyzes the server’s certificate first and the signing
certificate second, where it finds the AIA extension that allows it to
continue the verification with the signing certificate of the organization.
2.5 SSL Certificate Errors
When the end-user opens the HTTPS session, the Scanning Server must
encrypt and decrypt the data between the end-user and the Scanning
Server. The Scanning Server uses the certificate it already generated (as
described above). As the certificate is self-signed by Finjan, and is not
trusted by the end-user’s browser, the user will receive a warning
message:
Figure 3: Internet Explorer Warning Message

Figure 4: Certificate Details
To prevent the end-users from receiving this warning message, system
administrators can do one of the following:
♦ Install Finjan’s certificate on the end-user’s browser as a trusted root
certificate authority.
♦ Install a certificate on all the Scanning Servers, issued by the
organization’s CA root certificate, which is already trusted by all users.
NOTE: Using a certificate from a trusted CA (such as VeriSign)
will not prevent the certificate validation check, as it
does not contain the remote HTTPS server’s host name.
2.5.1 Install Finjan Certificate on End-user Browser
To create a self-signed certificate:
1. On the Management Console, navigate to Administration → System
Settings → Finjan Devices → IP Address of the Scanning Server.
2. Right-click HTTPS and select Generate Certificate.

3. In the Generate Certificate screen, select certificate Type (self
signed or CSR) from the menu.
4. Select the relevant country from the (mandatory) Country Name field.
5. Enter all relevant information such as State or Province, and
Organization name in the provided fields.
6. Enter the appropriate address for the intended recipient in the Email
field. The Email address field is also mandatory and cannot remain
empty.
7. Click OK. Otherwise, Cancel.
8. In the left pane of the console, right-click HTTPS and select Export
Certificate.
9. A new window will appear with the certificate. Copy and paste the
certificate into any text editor. For example, Notepad.
10. Save the file with a .CER extension.
To add the certificate to the Internet Explorer browser:
a. Save the .CER file to your desktop.
b. Double-click on the file.
c. The Certificate Information window is displayed.
d. Click Install Certificate.
e. The Certificate Import Wizard opens.
f. Follow the wizard to completion.
The Finjan certificate is now added to the browser’s trusted sites
list.
g. To confirm that the certificate has been added, navigate in your
browser to Tools → Internet Options → Content → Certificates
→ Trusted Root Certification Authorities.
To add the certificate to the Firefox 3 browser:
a. Save the .CER file to your desktop.
b. Navigate in your Firefox 3 browser to Tools → Options.
c. Click the Advanced option (top right).
d. Click the Encryption tab.
e. Click View Certificates.
f. Click the Authorities tab.
g. Click Import and browse to the CER file.
h. In the Downloading Certificate window, select Trust this CA to
identify web sites.
i. Click OK (twice).

2.5.2 Installing Root Certificate on the Scanning Server
If the organization has a trusted root CA, a root certificate can be
generated and imported into the Scanning Server. In this case, the users
are already configured to trust the organization’s root CA, and there is no
need to configure anything for the users.
To install the root certificate on the Scanning Server:
1. Connect to the Management Console via the Web browser.
2. Navigate to Administration → System Settings → Finjan Devices.
3. Click the IP address.
4. Click to expand Scanning Server, right-click HTTPS, and select
Import Root Certificate.
The following window is displayed:
Figure 5 - Import Root Certificate

Figure 6 - Importing CSR Certificate
5. In the Import Root Certificate screen, select the Certificate Type (CSR
or Root CA).
6. Paste the Certificate and Private Key information in the relevant fields,
and type the Password.
7. Click OK. Otherwise, Cancel.
NOTE: For multiple Scanning Servers, the Device General
Settings option can be used instead of repeating the
procedure on each Scanning Server.

3. HTTPS Policies
HTTPS policies provide the option to define which HTTPS sites are
scanned or blocked and which have content bypassing. The blocking
mechanism is based on white lists, URL categorization, and validation of
certificates for errors.
Finjan provides two preconfigured HTTPS policies:
♦ Default HTTPS Policy: This policy contains only one rule, which is
designed to block any sites that contain faulty certificates. Please refer
to the Security Policies In-Depth manual for further information.
♦ Default Emergency HTTPS Policy: This was designed for emergency
situations and contains two rules. The first rule allows only white list
URLs, and the second rule blocks the rest of the HTTP traffic. This can
be globally enabled via the Policies → Default Policy Settings → Enable
Emergency Policy checkbox.
In addition to these two policies, the user can configure supplemental
policies and rules. The security policies apply only to the Scanning
Server’s handling of certificate validation, either bypassing scanning or
blocking HTTPS traffic. Once traffic is decrypted, the Scanning Server
scans the traffic based on the regular security policies assigned to the
users.
4. Configuring HTTPS Support
HTTPS scanning is a license-based feature. HTTPS scanning enables
decrypting HTTPS traffic and inspecting it for malicious code. It then re-
encrypts the communication and sends it through to the end-user,
ensuring clean content. Administrators can also set Bypass, Inspect
Content, and User Approval policies for encrypted traffic to remove the
decision making from end-users.
The Certificate Validation functionality ensures that corporate policies for
certificates are enforced by automatically validating each certificate and
ensuring that the chain returns to the trusted authority.
To configure HTTPS scanning, navigate in the Management Console to
Administration → System Settings → Finjan Devices → HTTPS.

Figure 7 - HTTPS Configuration
4.1 HTTPS Configurable Parameters
System administrators can configure the following HTTPS-related
parameters:
4.1.1 HTTP Service
Listening IP: For better system security, it is recommended to configure the IP address as the IP address of the corresponding physical interface.
Listening Port: When working in explicit mode (proxy mode), this is the port number for the HTTPS scanning service.
4.1.2 Advanced
Allow SSLv2: Enables support for the SSLv2 protocol. This option is disabled by default. This protocol is non-secure and should not be used unless there are compatibility problems.
Allow SSLv3: Enables support for the SSLv3 protocol. This option is enabled by default.
Allow TLSv1: Enables support for the TLSv1 protocol. This option is enabled by default.
Use Diffie-Hellman: Enables the use of Diffie-Hellman as the key exchange mechanism between the client and the proxy. This is enabled by default.
Allow Weak Cipher Suites: Allows the choice of weak (non-secure) cipher suites when performing an SSL handshake between Vital Security and the HTTPS server. This option is disabled by default.
Allow Certificate Wildcards: Allows support for certificate wildcards. The certificate wildcard works in conjunction with an existing Certificate Validation rule. This means that wildcard support is relevant only if there is a policy with a Certificate Validation rule.
SSL Handshake Timeout: Defines the amount of time (in seconds) after which the SSL handshake is timed out if there is no response.
Max HTTPS Transactions Backlog: Defines the maximum number of outstanding connection requests to be served by the system. After this number is reached, the system is timed out. The default value is 36.
HTTPS Timeout: Defines (in seconds) the amount of time after which an idle connection is timed out.
Figure 8 - HTTPS Advanced Settings
4.1.3 Allowed Server Ports
System administrators can configure which port numbers are allowed for
HTTPS traffic. If the remote HTTPS server does not listen on the default
TCP port number 443, other port numbers can be added.

Figure 9 - Allowed Server Ports Settings
5. Transparent HTTPS
Transparent HTTPS Scanning allows system administrators to
transparently redirect users to the Scanning Server, without the need to
configure proxy settings for the users. This can be done by using one of
the following methods:
♦ Layer 4 Switch: By using a third-party layer 4 switch, it is possible to
redirect all traffic destined for port 443 (or any other port) to the
Scanning Server.
♦ WCCP: By using a WCCP-enabled router or switch, it is possible to
redirect all traffic destined for port 443 (or any other port) to the
Scanning Server.
♦ Firewall Redirection: Some firewall vendors support the ability to
transparently redirect traffic to third-party vendors. In this case, a
firewall policy can redirect all HTTPS traffic to the Scanning Server.
NOTE: User authentication is not supported in conjunction with
Transparent HTTPS. User identification is based on
source IP address only.
Due to the nature of the HTTPS protocol, when the end-user sends
HTTPS traffic in transparent mode, Finjan’s Vital Security Scanning Server
does not see the requested host (it sees only the destination IP
address), and policies related to the URL (such as bypass scanning or
URL categorization) do not work.

5.1 Transparent HTTPS Scanning and Finjan’s Certificate
Although HTTPS scanning is transparent to the end-user, it is still
mandatory to install the SSL certificate of the Scanning Server on the end-
user’s PC to prevent security warnings. When the end-user browses an
HTTPS site, the Scanning Server generates an on-the-fly certificate, signs
the certificate, and sends it to the end-user. If the user does not have the
Scanning Server’s certificate among the trusted CAs, a warning message
will be displayed.