Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, August 30, 2010

SSL Proxy And Anti-Malware Go Hand In Hand

At first glance you may think that an SSL proxy and anti-malware have nothing to do with each other. While each serves its own purpose in a Secure Web Gatway architecture and deployment, they are actually crucial to each other's success in protecting an organization's network from web based threats, malware, and cybercrime.

Let's start with the SSL proxy. Having a web proxy without an SSL proxy used to be quite common, as few pages other than financial services had encryption protection. There was a time when a web proxy that handled pages in the clear covered almost all the web pages of interest for an organization's policy compliance. Today, webmail offerings routinely use SSL encrypted logins and even maintain SSL sessions for email sessions. SSL is also used today wherever personal credentials are entered, whether it's a social networking site, shopping or other entertainment site. Because of the widespread use of encryption on website, making sure you use an SSL proxy (basically a proxy that can inspect and enforce policy around the contents within an SSL session) is more important than ever.

At one time SSL proxy and inspection was important mostly for DLP (Data Leakage Protection). Organizations used it to make sure confidential data wasn't leaving the organization through secure encrypted sessions. Today it's important to make sure web threats don't enter through secure encrypted connections.

The key to providing security with SSL inspection is an anti-malware or anti-virus scanner. Traditional methods of content inspection like URL databases, and real time rating in the cloud are hampered by the user credentials usually associated with SSL. URL databases rely on generally available URLs and not the custom URL generated after a user credential is verified. Real time rating systems suffer from the same problem, as they rate pages they can reach, and secure web gateways generally don't send users credentials across the internet to a real time rating system to get the full contents of the URL, as this would generally be considered a security risk or even a security breach.

This leaves the only way to ensure the content within an SSL encrypted page is safe, is to use an anti-malware or anti-virus scanner locally at the proxy to inspect the data the SSL proxy is receiving as it's coming in from the Internet. If the anti-malware program detects any threats, the proxy can block the downloads and infected web pages. Without SSL proxy and anti-malware, threats buried in encrypted pages would pass into the organization's network.

A company using an SSL proxy should of course follow prudent guidelines around privacy concerns with regard to content found in SSL sessions. A common approach is to set up the SSL proxy to bypass visits to financial sites, so as not invade a typical end-user's privacy.

Any organization concerned with web threats, needs to implement an SSL proxy if they haven't done so already, and tied to that implementation needs to be a plan to get anti-malware scanning to be a standard part of the web gateway.

2 comments:

Anonymous said...

This is very true at the website implementation level as well. At VeriSign we're now offering malware scanning along with some of our SSL cert packages for this very reason - SSL protects the exchange of data with your users, but one still needs to be sure that nothing infected is coming in. It was originally only offered with the VeriSign Trust Seal, which is an authentication-based security mark for sites that don't need encryption, but obviously it's still essential for sites that do need ssl. Protection online needs to be a multi-pronged strategy no matter how you look at it.

Unknown said...

Timothy

Found this blog relating to SSL Proxies and am now following. This is directly in line with what I am doing in our business. We have a "Transparent SSL Proxy" product called the SSL Inspection Appliance that acts as a "bump in the wire" capable of inspecting inbound and outbound SSL traffic.

More information can be found at www.ssl-inspector.com. If you want more detail reach out.

Regards

Darrin

darrin.coulson@netronome.com