Symantec recommends that all SGOS-based appliances be deployed with the strongest security policy possible. Ideally, denying all traffic to HTTPS sites that present invalid certificates would be a good first step. Unfortunately, that type of policy can block your users from reaching legitimate resources, because not all HTTPS certificates are properly maintained.
This article provides steps to configure policy that monitors HTTPS traffic and records invalid certificates in a dedicated SSL access log. You can use your preferred log analysis tool (such as Blue Coat Reporter or Splunk) to analyze this data and report on the sites your users access most that happen to present invalid HTTPS certificates. With this data in hand, you can plan further changes to your SSL security policy: whitelist trusted sites that do not offer good HTTPS certificates, and block users from reaching unknown sites that do the same.
This article applies to forward proxy deployments of SGOS appliances: ProxySG, Advanced Secure Gateway, and SWG VA.
To implement this solution you will create a new access log with a custom format that records SSL errors, install policy that sends HTTPS traffic to the new log, and adjust the default Online Certificate Status Protocol (OCSP) settings so that the appliance does not reject this traffic during your analysis phase.
Log in to the CLI, enter enable mode (en) and configuration terminal mode (conf t), then create the custom log format and the log that uses it:
(config)# access-log
(config access-log)# create format bcreporterssl_v2
(config access-log)# edit format bcreporterssl_v2
(config access-log bcreporterssl_v2)# type elff "date time c-ip x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk"
(config access-log bcreporterssl_v2)# exit
(config access-log)# create log sslvalidation
(config access-log)# edit log sslvalidation
(config access-log sslvalidation)# format-name bcreporterssl_v2
(config access-log sslvalidation)# exit
Install the following policy. The <ssl> and <ssl-intercept> layers turn off server certificate validation and SSL interception so that no HTTPS traffic is rejected during the monitoring period (restore your normal settings once the analysis is complete); the <proxy> layer, guarded by client.protocol=ssl, sends the matching HTTPS traffic to the sslvalidation log:
<ssl>
server.certificate.validate(no)
<ssl-intercept>
ssl.forward_proxy(no)
<proxy> client.protocol=ssl
url.domain=websecurity.symantec.com access_log.sslvalidation(yes)
url.domain=badssl.com access_log.sslvalidation(yes)
The two url.domain= rules above target the test sites used in this article. To log all HTTPS traffic over your monitoring period, replace them with a single rule in this guarded layer that matches any source and any destination and sets access_log.sslvalidation(yes).
Next, create an OCSP profile so that the appliance can check revocation status for certificates issued by browser-trusted CAs. Enter enable mode (en) and configuration terminal mode (conf t), then run:
(config)# ocsp
create OCSP_check1
edit OCSP_check1
issuer-ccl browser-trusted
exit
Monitor for OCSP Revocation:
If SSL server certificate validation is enabled and an OCSP profile is configured, revoked certificates can be monitored as well. Such requests are logged with:
x-rs-certificate-observed-errors = revoked-by-ocsp
2017-02-21 12:28:55 192.0.200.5 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.websecurity.symantec.com 443 - 192.168.1.211 0 0 - revoked-by-ocsp - none high *.websecurity.symantec.com "Technology/Internet" 1 1
2017-02-21 12:30:51 192.0.200.41 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.badssl.com 443 - 192.0.200.211 0 0 - revoked-by-ocsp - none high revoked.badssl.com "Technology/Internet" 4 4
In the same log, the wrong-host test sites are tunnelled with x-rs-certificate-observed-errors = none; the mismatch is still visible by comparing the requested host (cs-host) with the name in the certificate (x-rs-certificate-hostname):
2017-02-21 12:06:50 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wronghost.websecurity.symantec.com 443 - 192.0.200.211 0 126 - none - - high cryptoreport.symantec.com "Technology/Internet" 1 1
2017-02-21 12:07:18 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wrong.host.badssl.com 443 - 192.0.200.211 0 126 - none - - high *.badssl.com "Technology/Internet" 4 4
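The analysis step the article leaves to Reporter or Splunk can also be done with a short script. The following is an added example, not SGOS code and not part of the original article: it parses lines in the bcreporterssl_v2 ELFF format defined above and reports, per requested host, which certificate problems were observed. The four sample log lines from this article are embedded as constructed test input so that the script runs offline. Two assumptions are made: a value of none or - in an error field means nothing was recorded, and a hostname mismatch is detected by the script itself, by comparing cs-host with x-rs-certificate-hostname using single-label wildcard matching (RFC 6125 rules), since the appliance does not flag it in the sample lines.

```python
"""Flag HTTPS sites that presented bad certificates, from the sslvalidation log.

Added example (not SGOS code). Parses the bcreporterssl_v2 ELFF format and
summarises, per requested host, the certificate problems observed. See the
module-level comments for the assumptions made about field values.
"""
import shlex
from collections import Counter, defaultdict

# Field order exactly as given in the 'type elff "..."' command above.
ELFF_FIELDS = shlex.split(
    "date time c-ip x-exception-id sc-filter-result cs-categories sc-status "
    "s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port "
    "cs-uri-extension s-ip sc-bytes cs-bytes x-virus-id "
    "x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error "
    "x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname "
    "x-rs-certificate-hostname-category cs-threat-risk "
    "x-rs-certificate-hostname-threat-risk"
)

# Assumption: these values in an error field mean "nothing recorded".
NO_ERROR = {"none", "-"}

# The article's sample log lines, embedded as constructed test input.
SAMPLE_LOG = """\
2017-02-21 12:28:55 192.0.200.5 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.websecurity.symantec.com 443 - 192.168.1.211 0 0 - revoked-by-ocsp - none high *.websecurity.symantec.com "Technology/Internet" 1 1
2017-02-21 12:30:51 192.0.200.41 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.badssl.com 443 - 192.0.200.211 0 0 - revoked-by-ocsp - none high revoked.badssl.com "Technology/Internet" 4 4
2017-02-21 12:06:50 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wronghost.websecurity.symantec.com 443 - 192.0.200.211 0 126 - none - - high cryptoreport.symantec.com "Technology/Internet" 1 1
2017-02-21 12:07:18 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wrong.host.badssl.com 443 - 192.0.200.211 0 126 - none - - high *.badssl.com "Technology/Internet" 4 4
"""


def parse_elff_line(line):
    """Split one log line into a dict keyed by field name (shlex handles the quoted category)."""
    values = shlex.split(line)
    if len(values) != len(ELFF_FIELDS):
        raise ValueError(f"expected {len(ELFF_FIELDS)} fields, got {len(values)}")
    return dict(zip(ELFF_FIELDS, values))


def hostname_matches(cert_name, host):
    """RFC 6125 style comparison: a leading '*' covers exactly one DNS label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        cert_labels = cert_name.split(".")
        host_labels = host.split(".")
        return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]
    return False


def certificate_findings(record):
    """Return the list of certificate problems visible in one log record."""
    findings = []
    observed = record["x-rs-certificate-observed-errors"]
    if observed not in NO_ERROR:
        findings.append(observed)  # e.g. revoked-by-ocsp
    for field in ("x-cs-ocsp-error", "x-rs-ocsp-error"):
        if record[field] not in NO_ERROR:
            findings.append(f"{field}={record[field]}")
    # Hostname mismatch is derived here, not taken from the appliance's error field.
    cert_host = record["x-rs-certificate-hostname"]
    if cert_host != "-" and not hostname_matches(cert_host, record["cs-host"]):
        findings.append(f"hostname-mismatch:{cert_host}")
    return findings


def summarize(log_text):
    """Map each requested host (cs-host) to a Counter of findings across its records."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and ELFF #Fields/#Version directives
            continue
        record = parse_elff_line(line)
        for finding in certificate_findings(record):
            report[record["cs-host"]][finding] += 1
    return dict(report)


if __name__ == "__main__":
    # Most-hit hosts first: the order in which the whitelist review should be done.
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -sum(kv[1].values()))
    for host, counts in ranked:
        print(f"{host:40} {dict(counts)}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; the per-host counts are what you need to decide which sites to whitelist and which to block when you tighten the SSL policy after the monitoring period.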