Example: Exempting Outbound SSL Traffic from Inspection
The privacy policy for your business might include cases where sessions should remain encrypted throughout. For example, suppose you have an agreement with your users that your network security infrastructure will not interfere with SSL encrypted connections to banking sites. In these cases, you can create a whitelist of destination domain names, IP addresses, and subnets you want exempted from IDP policy inspection. If a server is included in the whitelist, the IDP system does not decrypt the traffic or inspect it. Instead, this traffic is passed through the IDP appliance uninspected.
 | Note: The whitelist applies only to traffic processing based on the SSL forward proxy feature. You would not use a whitelist to exclude inspection of traffic to internal destination servers. If desired, you can use a security policy rule to exempt such traffic from inspection. |
The following example shows the format of a whitelist file:
10.0.0.1 1.0.0.0/8 70.34.21.82 trustedsite.com landing.trustedsearch.com
Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.
The domain name in your whitelist should match the common name (CN) entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:
C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com
You can whitelist this site by adding the string us.etrade.com or the string etrade.com to your whitelist file.
In most cases, the CN entry in the server certificate for a website matches the server name that appears in the browser address bar. In some cases, there are differences. You can use the features of your Web browser to find the CN entry in the server certificate for the website.
Figure 1 shows the location of the certificate details in Firefox.
Figure 1: Firefox: Displaying the Server Certificate for a Website
Figure 2 shows the location of the certificate details in Internet Explorer.
Figure 2: Internet Explorer: Displaying the Server Certificate for a Website
To implement a whitelist:
- Log into the CLI as admin and enter su - to switch to root.
- Use an editor like vi to create a whitelist file.
A whitelist file should contain the IP address prefixes and/or domain
name suffixes you want to exempt from inspection. For example:
[root@defaulthost admin]# vi /tmp/whitelist.txte-trade.com bankofamerica.com
- Run the following command to import the whitelist
entries:
[root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
| Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line. |
