Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Documentation Search

    Example: Exempting Outbound SSL Traffic from Inspection

    The privacy policy for your business might include cases where sessions should remain encrypted throughout. For example, suppose you have an agreement with your users that your network security infrastructure will not interfere with SSL encrypted connections to banking sites. In these cases, you can create a whitelist of destination domain names, IP addresses, and subnets you want exempted from IDP policy inspection. If a server is included in the whitelist, the IDP system does not decrypt the traffic or inspect it. Instead, this traffic is passed through the IDP Series device uninspected.

    Note: The whitelist applies only to traffic processing based on the SSL forward proxy feature. You would not use a whitelist to exclude inspection of traffic to internal destination servers. If desired, you can use a security policy rule to exempt such traffic from inspection.

    The following example shows the format of a whitelist file:

    10.0.0.1
    1.0.0.0/8
    70.34.21.82
    trustedsite.com
    landing.trustedsearch.com

    Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.

    The domain name in your whitelist should match the common name (CN) entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:

    C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security, CN=us.etrade.com

    You can whitelist this site by adding the string us.etrade.com or the string etrade.com to your whitelist file.

    In most cases, the CN entry in the server certificate for a website matches the server name that appears in the browser address bar. In some cases, there are differences. You can use the features of your Web browser to find the CN entry in the server certificate for the website.

    Figure 1 shows the location of the certificate details in Firefox.

    Figure 1: Firefox: Displaying the Server Certificate for a Website

    Image s036687.gif

    Figure 2 shows the location of the certificate details in Internet Explorer.

    Figure 2: Internet Explorer: Displaying the Server Certificate for a Website

    Image s036686.gif

    To implement a whitelist:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Use an editor like vi to create a whitelist file. A whitelist file should contain the IP address prefixes and/or domain name suffixes you want to exempt from inspection. For example:

      [root@defaulthost admin]# vi /tmp/whitelist.txt
      e-trade.com
      bankofamerica.com
    3. Run the following command to import the whitelist entries:

      [root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt

    Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line.


    Published: 2011-02-08