Oliver Braekow, Webwasher product manager for Secure Computing, was the guest of the first Jon’s Network Podcast.
Oliver explains how, using their SSL scanner module, Webwasher prevents malware from using HTTPS to communicate. It will also prevent users from bypassing traditional web content filters using popular CGI proxies. This is important to keep sensitive information from leaving the corporate network. In addition to the SSL scanner, Webwasher offers several modules that can be chosen according to your needs, including URL filtering, anti-malware, traditional anti-virus, anti-spam, content reporter, and IM filtering.
If you listen to the podcast, you’ll learn how malware (and users) take advantage of SSL to bypass your other controls and how Webwasher solves the problem.
Sign up for a Webwasher Web Demo Here
What are the problems companies are having with SSL?
Web encryption is indispensable for today’s businesses, but organizations with an open port 443 (HTTPS tunnel) on their firewall are left with a major security hole wide open in their network. Traditional firewalls and gateway anti-virus solutions are unable to scan encrypted traffic, and therefore can provide no control over what content is sent in and out of organizations’ networks via HTTPS. This presents risks to organizations that may not realize they cannot rely on their HTTP filters to protect HTTPS-encrypted traffic.
Risk also exists with regulatory compliance. Can an organization be compliant if they allow open SSL tunnels that could contain the very confidential information the regulations seek to control? Moreover, hackers and malicious employees alike know that the traffic that goes through HTTPS tunnels is wide open and unprotected, and therefore they use and will continue to exploit the HTTPS protocol to bypass content control mechanisms to circulate potentially malicious content.
Today there are dozens of URL filtering circumvention proxies that make use of HTTPS connections. Currently none of the established firewalls or web gateway anti-virus solutions can look into this type of traffic. Moreover, we’ve seen popular adware and spyware applications switching from IRC and HTTP over to the HTTPS protocol to bypass the established gateway filters. There was a nice article on this in eWeek called “Zombies Try to Blend in With the Crowd”, giving you a pretty good idea what’s coming in this area.
How does Webwasher solve this problem?
The only viable solution, as we see it, is to temporarily decrypt the SSL traffic, scan it, and then re-encrypt it.
This is different from what one might think popular proxy firewalls are doing. They’re just decrypting (in other words: terminating) the SSL session, applying virus scanning and then forwarding to the end user or web application. This sort of security measure cannot be used in today’s web environments, because it invalidates end-to-end encryption requirements and confuses browsers.
SSL security proxies like Webwasher function as a “black box”. SSL-encrypted traffic goes in and SSL-encrypted traffic comes out. Nobody can see the decrypted part or sniff it on the network; it’s all handled in memory. There are a couple of home-baked solutions out there that offer SSL decryption on a separate box, forward the decrypted traffic to the scanner box, and the scanner box returns it to the SSL solution, which in turn re-encrypts it. This effectively means you have decrypted SSL traffic on your network, which is an issue in Europe even if it is in the server room only. Moreover, you typically want to fine-tune policies, e.g. allow upper management to do online transactions without scanning but scan for everybody else. This requires in most cases double administration overhead, but not with Webwasher.
How does the Webwasher SSL Scanner work exactly?
Basically all we’re doing is separating one SSL connection between the browser and the server into two separate SSL connections. Upon the browser’s request to connect to an encrypted website, the Webwasher SSL Scanner actually does it for the browser. One of the beneficial side effects is the ability to do SSL certificate inspection centrally instead of leaving it up to the end user. We are all aware of that pop-up window saying that we have initiated a session with an encrypted web site and asking whether we want to accept the certificate. We see that typically 90% or more of end users just click accept and don’t care if the certificate is valid, self-signed, expired or whatever. Once Webwasher has validated the certificate, we initiate the SSL session and terminate it, thereby extracting the certificate’s “common name”. To the web server, Webwasher acts as a normal browser. Now we have the decrypted traffic and can apply our arsenal of content security, anti-spyware, anti-malware and outbound content control filters to it. Remember, all this is done on the same box and in memory, so no privacy issues here. Once we’re done with the filtering, we act as a web server to the actual end-user browser. This is what we need the common name for. Webwasher re-encrypts the traffic using either the customer company’s certificate or a self-signed certificate with the common name of the web server. This way the browser doesn’t complain if you’re connecting to your American Airlines account, for example, and the certificate says something else. All our customers have to do is roll out their own officially signed or self-signed certificate once, and the end users will never get an accept-certificate pop-up ever again.
Will the IT department have to maintain a whitelist of certificates? Will users be complaining?
We were able to keep the administrative overhead near zero. The Webwasher appliance or software application checks for revoked certificates with our servers on a daily basis, so you’re always up to date. We also invented a training mode: you get the Webwasher SSL scanner up and running and basically it accepts all certificates presented and stores them. After this training mode, let’s say two weeks, the admin can go in and look at what certificates have been requested and reject the ones that don’t seem to be OK. Webwasher offers a set of tools for this so the admin doesn’t have to be a subject matter expert. Once this training phase is done, the administrative overhead should be negligible.
How does it prevent users from using SSL proxies to circumvent web content filters?
As mentioned above, there are tons of web surfing anonymizers that are based on SSL-encrypted traffic. Typically URL filter vendors try to block access to these by blacklisting the servers the application tries to connect to, but that’s one battle you can never win; there will always be a vendor who sets up new servers and is not blocked. But far more imminent is the help when it comes to data loss. We see the typical spyware and adware application switching from IRC and HTTP back-channels to HTTPS back-channels simply because hackers have figured out that this channel isn’t blocked or controlled. Two very popular examples in this are Gator and Cool WebSearch.
Webwasher can, for example, be configured to only allow Social Security numbers or credit card numbers to be posted to legit and known sites that are in the banking and shopping categories. Even if you had a trojan attempting to steal a credit card number on your PC, it wouldn’t be able to send the information back home; not even through HTTPS. Before somebody asks, we also have solutions that cover this for instant messaging and peer-to-peer, just not on the same box yet.
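The outbound content control rule Oliver describes, written out as an added Python example (not Webwasher’s code): once the HTTPS body has been decrypted by the proxy, scan it for credit card numbers (Luhn-checked) and Social Security numbers, and allow them only toward hosts whose category is banking or shopping. The host-to-category table, hostnames and request bodies are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a URL-category database; real deployments
# would consult the filter's category feed.
HOST_CATEGORY = {
    "online.bank.example": "banking",
    "shop.example": "shopping",
    "cdn.adware.example": "adware",
}
SENSITIVE_ALLOWED_CATEGORIES = {"banking", "shopping"}

# 13-19 digits with optional space/dash separators; Luhn filters out noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the invalid area (000, 666, 9xx), group (00) and
# serial (0000) values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list:
    """Return (kind, matched_text) pairs for card numbers and SSNs in a POST body."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit_card", m.group()))
    hits.extend(("ssn", m.group()) for m in SSN_RE.finditer(body))
    return hits


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str


def filter_post(host: str, body: str) -> Decision:
    """Policy: sensitive data may only leave toward banking/shopping hosts."""
    hits = find_sensitive(body)
    if not hits:
        return Decision("allow", "no sensitive data in body")
    category = HOST_CATEGORY.get(host, "uncategorized")
    if category in SENSITIVE_ALLOWED_CATEGORIES:
        return Decision("allow", f"{len(hits)} item(s) posted to {category} site")
    kinds = ",".join(sorted({k for k, _ in hits}))
    return Decision("block", f"{kinds} posted to {category} host {host}")
```

A gateway would run `filter_post` on the decrypted request before re-encrypting it toward the server, and log blocked decisions with the host and data kind (never the matched value).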
What’s the performance overhead? Don’t you need special accelerator cards?
Performing the SSL security proxy does add an overhead, of course, but it can be calculated and the servers can be scaled in advance to have enough horsepower for it. What we typically see is that HTTPS traffic is about 20-30% of the overall web traffic. In this area, switching on the SSL scanner function typically means the appliance can handle 70-80% of the load it could handle without scanning SSL. So the drop in performance isn’t dramatic. For really large installations we offer the application as software for Solaris and Linux (and still on Windows), supporting a series of accelerator cards. We have customers running more than 20,000 users with SSL scanning enabled, so this isn’t some myth, this is reality.
How does it install in the network? Does Webwasher play nicely with other solutions?
In order to get hold of the SSL traffic, the best way is to establish a firewall rule to forward all SSL traffic to the SSL proxy and only accept it from the SSL proxy. This way we can make sure nobody can sneak by. For Cisco environments with WCCP-enabled devices, like their routers, content engines and some firewalls, we invented a mechanism on the appliances to transparently request HTTPS traffic. So installation in Cisco environments is extremely easy. We are ICAP compatible.
If you would like to learn more, please email Jon Robinson or Oliver Braekow: oliver_braekow@securecomputing.com

6 responses so far
1 Mathew // May 17, 2007 at 1:29 pm
Seems like an excellent product
2 Leigh // Jun 26, 2007 at 3:08 am
OK so it works as a ‘man in the middle’. To what extent has the ‘black-box’ you refer to been tested for secure operation?
3 Oliver // Jun 27, 2007 at 2:11 am
Reply to the “tested for secure operation” comment. A large US customer with 20k users actually did a very detailed test against the appliance with the SSL scanner, using a series of vulnerability scanners, and couldn’t compromise the box nor the function. Literally 4 out of the 5 largest Swiss banks use Webwasher with the SSL scanner and have rigorously tested the product before they put it in production. Secure Computing is in the process of getting EAL 2 certification for the appliance with SSL scanner included.
4 Eric // Sep 28, 2007 at 11:14 am
“OK so it works as a ‘man in the middle’. To what extent has the ‘black-box’ you refer to been tested for secure operation?”
We are a Secure Computing partner and have deployed their security products, including WebWasher, in some of the most stringent environments we support.
As a side note the Secure Computing Sidewinder just attained its EAL 4.
Thanks for the podcast.
5 JERRYM. // Mar 20, 2008 at 6:26 am
HOW TO BYPASS WITHOUT THE WEBWASHER BLOCKING EVERYTHING
6 Webwasher Anti-Malware Explained - Jon’s Network Podcast 4 // May 16, 2008 at 7:33 pm
[...] might also be interested in the Webwasher SSL Scanner podcast from last [...]