Example: Exempting Outbound SSL Traffic from Inspection
The privacy policy for your business might include cases where sessions should
remain encrypted throughout. For example, suppose you have an agreement with
your users that your network security infrastructure will not interfere with SSL
encrypted connections to banking sites. In these cases, you can create a whitelist of
destination domain names, IP addresses, and subnets you want exempted from IDP
policy inspection. If a server is included in the whitelist, the IDP system does not
decrypt the traffic or inspect it. Instead, this traffic is passed through the IDP appliance
uninspected.
NOTE: The whitelist applies only to traffic processing based on the SSL forward proxy
feature. You would not use a whitelist to exclude inspection of traffic to internal
destination servers. If desired, you can use a security policy rule to exempt such
traffic from inspection.
The following example shows the format of a whitelist file:
10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com
Each line in the whitelist file specifies the IP address or domain name for a destination
server. To whitelist multiple sites with one entry, you can use an IP prefix to match
address blocks and a domain suffix to include all subdomains.
The domain name in your whitelist should match the common name (CN) entry in
the certificate presented by the destination server. For example, suppose the
certificate for the E-Trade HTTPS server contains the following subject:
C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION,
OU=Global Information Security, CN=us.etrade.com
You can whitelist this site by adding the string us.etrade.com or the string etrade.com
to your whitelist file.
In most cases, the CN entry in the server certificate for a website matches the server
name that appears in the browser address bar. In some cases, there are differences.
You can use the features of your Web browser to find the CN entry in the server
certificate for the website.
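The whitelist format above (IP address, IP prefix, or domain suffix, one per line) and the CN-matching rule that follows it are simple enough to model directly. The following Python script is an added example, not code from the IDP product or its documentation: it parses a constructed whitelist file in the page's format, flags malformed entries before they are imported, and then decides whether a destination IP or a server certificate CN would be exempted. The prefix and suffix semantics (an IP prefix covers the whole block; a domain entry covers that name and all of its subdomains, so etrade.com also covers us.etrade.com) follow the text; the helper names, the subject-string parser, and the sample entries are this example's own assumptions, not the appliance's internals.

```python
import ipaddress
import re

# Constructed sample whitelist in the format described on the page (not a real
# file from any appliance). Blank lines are ignored by the parser below.
SAMPLE_WHITELIST = """\
10.0.0.1
1.0.0.0/8
70.34.21.82
trustedsite.com
landing.trustedsearch.com
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_domain(entry):
    """True if entry looks like a domain suffix (at least two valid labels).
    Purely numeric labels (e.g. a mistyped IP such as 10.0.0.999) are rejected
    so they are reported as errors rather than silently treated as a domain."""
    labels = entry.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_whitelist(text):
    """Split a whitelist file into IP networks and lowercase domain suffixes.
    Returns (networks, domains, errors); errors is a list of (line_no, line)
    for entries that are neither a valid IP/prefix nor a valid domain."""
    networks, domains, errors = [], [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts prefixes such as 1.0.0.0/8 and single hosts.
            networks.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        if is_domain(entry):
            domains.append(entry.lower().rstrip("."))
        else:
            errors.append((line_no, raw))
    return networks, domains, errors


def ip_exempt(networks, ip_str):
    """True if the destination IP falls inside any whitelisted address or prefix."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)


def domain_exempt(domains, cn):
    """True if the certificate CN equals a whitelisted domain or is a subdomain of it.
    Suffix matching is done on whole labels, so 'trustedsite.com' does not
    accidentally match 'nottrustedsite.com'."""
    name = cn.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def cn_from_subject(subject):
    """Pull the CN out of a comma-separated subject string like the one on the
    page. Assumption: a simple 'attr=value, attr=value' layout with no escaped
    commas, which is enough for the page's example."""
    for part in subject.split(","):
        attr, _, value = part.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


if __name__ == "__main__":
    nets, doms, errs = parse_whitelist(SAMPLE_WHITELIST)
    print("networks:", [str(n) for n in nets])
    print("domains:", doms)
    print("errors:", errs)
    subject = ("C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, "
               "OU=Global Information Security, CN=us.etrade.com")
    print("CN from subject:", cn_from_subject(subject))
    print("1.2.3.4 exempt:", ip_exempt(nets, "1.2.3.4"))
    print("www.trustedsite.com exempt:", domain_exempt(doms, "www.trustedsite.com"))
```

Running the parser over a candidate file and refusing to import it when the errors list is non-empty is a cheap check to add before the import step, since a malformed entry that is silently ignored leaves the intended destination subject to inspection, and an entry that is broader than intended (a short suffix or a wide prefix) exempts more traffic than the privacy agreement calls for.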
Figure 1 shows the location of the certificate details in Firefox.
Figure 1: Firefox: Displaying the Server Certificate for a Website
Figure 2 shows the location of the certificate details in Internet Explorer.
Figure 2: Internet Explorer: Displaying the Server Certificate for a Website
To implement a whitelist:
1. Log into the CLI as admin and enter su - to switch to root.
2. Use an editor like vi to create a whitelist file. A whitelist file should contain the
   IP address prefixes and/or domain name suffixes you want to exempt from
   inspection. For example:
   [root@defaulthost admin]# vi /tmp/whitelist.txt
   e-trade.com
   bankofamerica.com
3. Run the following command to import the whitelist entries:
   [root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
NOTE: To update the active whitelist, import an updated whitelist file. To clear the
whitelist, import a file that contains only one empty line.
Related Topics
The following related topic is included in the IDP Concepts and Examples Guide:
■ Inspection of SSL Traffic Overview
The following related topic is included in the IDP Administration Guide:
■ scio ssl
Published: 2010-01-12