Astaro HTTPS Filtering

Introduction
Astaro Gateway Software V7.4 introduced HTTPS (SSL) filtering as a standard feature of Web Security. HTTPS is widely abused both by end users and by programs that operate by tunneling over the HTTPS port, with or without the user's awareness. This introduces a blind spot in the network security perimeter, as traditional filtering solutions are unable to examine the encrypted contents of this type of traffic. Many HTTPS/encrypted sites such as customer resources, file backup services, webmail, and finance are required for daily business operations, so it is not feasible to block HTTPS entirely. The HTTPS filtering abilities of Astaro give administrators an easy way to increase the security of critical web sessions which contain sensitive information, while performing actual scanning of the content inside. By doing full inspection of HTTPS traffic, Astaro’s Web Security can:
- disassemble and rebuild secure sessions while fully examining their contents
- prevent HTTPS from being abused by tunneling programs
- defeat phishing schemes with certificate control
This document will provide a general overview of how HTTPS filtering works, and how Astaro’s solution can solve the problems faced when using HTTPS.

How HTTPS works
HTTPS is a “secured” medium, designed to provide an encrypted session between a client and a target, usually a web server. Normal HTTP traffic on port 80 is unencrypted and can be intercepted at any of the multiple points on the route between the client browser and the destination server. For this reason, traffic of a sensitive nature is often secured over HTTPS. This allows the destination web server to provide a secure way to exchange this type of information, and gives the user a measure of privacy and security as they work within the site. Online banking, payment sites, personal information entry pages, and other transactions are commonly secured over HTTPS to prevent their contents from being compromised during the session. During the HTTPS communication, digital certificates are involved in order to ensure the session’s integrity. During the very early phase of an HTTPS transaction, certificates are exchanged, validated, and accepted so that the real encrypted session can begin. This must be accommodated when filtering this traffic, and is discussed later in the Feature Brief.

Effective HTTPS Filtering
It is difficult to filter HTTPS traffic once the session is established between the client and the server. As HTTPS traffic is encrypted, Astaro decrypts and then re-encrypts the traffic, making filtering possible by having the Astaro product represent itself as the client to the destination server, and then building its own, separate tunnel to the client. In this manner, Astaro acts as a “man-in-the-middle”, which gives total HTTPS filtering ability. This technique solves the problem of how to reliably examine an HTTPS session. To visualize how Astaro’s HTTPS filtering works, picture a transmission from one person to another. The message is intercepted by someone impersonating the receiving party (the Astaro product), so the sender believes they have reached the right person. From there, the impersonator contacts the intended recipient of the message while pretending to be the initial sender, and receives a reply. Once the reply has been received, the interceptor can analyze the message, examine the content and choose to filter or edit it, then pass along a “sanitized” version to the original sender. In this manner, there have actually been two conversations: one between the sender and the middleman (Astaro), and another between the middleman and the target party.
Within an HTTPS communication, there are some additional technical steps in the process regarding factors like the certificate, the authorities that validate them, and steps where the client must trust their Astaro device as a valid CA.
With Astaro’s complete and easy-to-implement HTTPS inspection (Figure 2 below), companies benefit from increased security versus other solutions which do not provide the same functionality. Some competing, inferior products to Astaro can only examine the certificates involved in the HTTPS transaction, and make their decisions solely on the unencrypted URLs being transmitted as part of the initial HTTPS “handshake”. Solutions that do not provide true HTTPS inspection can only do basic URL filtering on the domain involved in the session which is about to happen, and cannot actually do filtering on the contents inside this session once it is established.
As an example, while a basic “HTTPS filter” can use URL filtering technology to determine that https://www.paypal.com is a Financial/Banking site, it has no ability to stop an end user from downloading a virus over this connection once the site has been allowed. With Astaro’s full-featured HTTPS inspection, not only can this same URL filtering be done, but more importantly the entire contents of the established HTTPS session can also be fully filtered, preventing the download of infected files, spyware infection, Trojan horses, and other unwanted activity or payloads from entering the network.

Defeat Tunneling Programs
HTTPS traffic (which uses port 443) is typically not denied fully on many security devices (as outlined in the introduction). The protocol was designed as a medium for securing web site sessions; however, software authors often use it to tunnel their programs through the firewall to circumvent any possible security measures which might interfere with their operation. This situation can often create a network security problem, as activity which is not “real” HTTPS site traffic can communicate out this open avenue to the Internet.
A benefit of Astaro’s HTTPS filtering is the ability to stop such programs. When Astaro’s HTTPS filter is enabled, programs that do not have correct certificate handling operations are blocked when they try to abuse port 443. This is ideal for administrators that are struggling to lock down their networks against programs like UltraSurf, which enables anonymous, encrypted browsing and circumvents most Web Filtering policies. In addition to stopping unwanted programs, Astaro administrators can prevent spyware, adware, and other applications from compromising the security policy if they seek to connect to the Internet to upload their payloads, transmit user files without their knowledge, or otherwise leak information over SSL. It is also possible to prevent users from bypassing alerts generated by their browser when encountering security messages resulting from certificate concerns.
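The two preceding sections make a claim about visibility: a filter that does not decrypt sees only what the client sends in the clear before encryption starts, which is the server name (SNI) in the TLS ClientHello, and a stream on port 443 that is not a TLS handshake at all is what a tunneling program typically produces. The following added example (not Astaro code) constructs a minimal ClientHello record, then classifies raw port-443 bytes as a TLS ClientHello with its SNI, a malformed handshake, or non-TLS traffic. The cipher suite, random bytes and `decide` policy are constructed for the example; checking whether the stream is TLS at all is only the first and cheapest of the handshake checks the brief refers to, not a full certificate-handling check.

```python
"""Classify the first bytes of a port-443 stream: TLS ClientHello (with SNI), or not TLS.
Added example, not Astaro code. The sample ClientHello is constructed below."""
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, constructed for this example).
    With server_name=None no extensions block is emitted, i.e. no SNI is sent."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x11" * 32             # client random (constructed, not random)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # cipher_suites: one suite, constructed value
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # msg_type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake


def classify_stream(data):
    """Return ("tls", sni_or_None), ("malformed", None) or ("not-tls", None)."""
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return ("not-tls", None)
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                      # first handshake message must be ClientHello
            return ("not-tls", None)
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return ("malformed", None)         # record claims more handshake bytes than present
        pos = 2 + 32                           # skip client_version and random
        pos += 1 + body[pos]                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                   # compression_methods
        if pos + 2 > len(body):
            return ("tls", None)               # no extensions, hence no SNI
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                # server_name extension
                lp = pos + 2                   # skip ServerNameList length
                while lp + 3 <= pos + elen:
                    ntype = body[lp]
                    nlen = struct.unpack("!H", body[lp + 1:lp + 3])[0]
                    if ntype == 0:
                        return ("tls", body[lp + 3:lp + 3 + nlen].decode("ascii", "replace"))
                    lp += 3 + nlen
            pos += elen
        return ("tls", None)
    except (IndexError, struct.error):
        return ("malformed", None)


def decide(data):
    """Constructed policy: only a genuine ClientHello is handed on to full inspection;
    anything else on port 443 is refused, which is what stops non-TLS tunnelling."""
    kind, sni = classify_stream(data)
    return "inspect" if kind == "tls" else "block"


if __name__ == "__main__":
    print(classify_stream(build_client_hello("www.paypal.com")))   # ('tls', 'www.paypal.com')
    print(decide(b"GET / HTTP/1.1\r\nHost: tunnel.example\r\n\r\n"))  # block
```

Note that even for the genuine ClientHello the classifier learns only the host name; nothing about the request path, the response, or any file transferred afterwards is visible without the decrypt-and-re-encrypt approach described above.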

Certificate Enforcement
Phishing schemes and other attacks can take advantage of the initial phase of an HTTPS session, where certificates are exchanged and verified so that an encrypted session can begin. This all happens within milliseconds and is normally accepted by the average end user, regardless of any error messages that are presented to them. Astaro can enforce some of the expected behavior of this session-building, providing protection against end users who continue to sites despite the warnings that are displayed.

The initial phase involves the user requesting a site (such as https://www.paypal.com), to which the site responds with a certificate that is used for the encryption process. Since this initial communication occurs unencrypted, it is subject to tampering. To guard against this, the process is reinforced by a Certificate Authority (CA), which places its official “stamp” on the certificate which is received by the user, validating it as the authentic, original certificate given out by the site. Browsers today are equipped with a list of official CAs which they trust implicitly to verify certificates as genuine. If at any point along the path between the user and the destination site the certificate is intercepted and altered or replaced, the user will get a browser error informing them of a problem. For example, should the site which is listed in the certificate not match the destination URL, if the authority which “stamped” the certificate is not trusted, or if the certificate is past its expiration date, error messages will result. Users are accustomed to clicking through/accepting these errors (as shown in Figure 3) without actually reading or understanding them, which breaks the security of the HTTPS system. Astaro blocks HTTPS sessions which have certificate problems, hence denying the user the chance to continue despite the warnings.

Since a CA verifies a certificate for the end user to ensure the security of the HTTPS session, the process by which HTTPS filtering is performed will itself cause certificate errors, because the Astaro device terminates the session from the user and creates its own session to the target website. Thus, while the user is expecting a certificate from https://www.paypal.com for example, they will get a responding certificate from Astaro itself. In order to prevent frequent errors while using the HTTPS filter, the client needs to trust the Astaro CA in their browser, which is a one-time deployment operation that can be done via the UserPortal, by the administrator emailing out a link, or even by an Active Directory push. Once completed, Astaro can scan the HTTPS sessions of users without triggering browser errors. The Astaro CA tells the connected users that the certificates which it substitutes in during the HTTPS transactions are valid, and since the user’s browser trusts the Astaro CA (Figure 4 below), the entire process proceeds without error.
Astaro only trusts valid certificates
No more certificate error warnings
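The Certificate Enforcement section lists three checks whose failure produces a browser warning (name mismatch, untrusted issuer, expiry), and then explains why the filter's substituted certificate fails the second check until the Astaro CA is trusted. The following added example (not Astaro code) applies exactly those three checks to certificates in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, and shows the decision flipping from block to allow once the proxy CA is added to the trust list. All certificate values and CA names are constructed for the example; trusting an issuer by name alone is a simplification of real chain validation, which also verifies signatures.

```python
"""Name, issuer and validity-period checks over getpeercert()-style certificate dicts.
Added example, not Astaro code. All certificates and CA names below are constructed."""
import ssl


def _dns_names(cert):
    """Names the certificate claims: SAN DNS entries, falling back to the subject CN only when no SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern, host):
    """Exact match, or a leading '*.' wildcard covering exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def check_certificate(cert, requested_host, trusted_issuers, now):
    """Return the list of problems a browser would warn about; an empty list means the certificate passes."""
    problems = []
    if not any(name_matches(n, requested_host) for n in _dns_names(cert)):
        problems.append("hostname mismatch")            # site in certificate != destination
    if _issuer_cn(cert) not in trusted_issuers:
        problems.append("untrusted issuer")             # the CA "stamp" is not one we trust
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")                      # past its expiration date
    return problems


def decide(cert, requested_host, trusted_issuers, now):
    """Enforcement policy of the brief: any certificate problem blocks the session, no click-through."""
    return "allow" if not check_certificate(cert, requested_host, trusted_issuers, now) else "block"


# Constructed sample certificates in getpeercert() layout.
PUBLIC_CAS = {"Example Public CA"}            # stands in for the browser's built-in CA list
PROXY_CA = "Example Proxy CA"                 # stands in for the filtering device's own CA
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

GENUINE = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# What the client sees with filtering on: same names, but stamped by the proxy CA.
SUBSTITUTED = dict(GENUINE, issuer=((("commonName", PROXY_CA),),))
# A certificate issued to a different name than the one the user asked for.
MISMATCHED = dict(GENUINE, subject=((("commonName", "login.example.net"),),),
                  subjectAltName=(("DNS", "login.example.net"),))
EXPIRED = dict(GENUINE, notAfter="Jan  1 00:00:00 2025 GMT")


if __name__ == "__main__":
    print(decide(SUBSTITUTED, "www.paypal.com", PUBLIC_CAS, NOW))              # block
    print(decide(SUBSTITUTED, "www.paypal.com", PUBLIC_CAS | {PROXY_CA}, NOW))  # allow
```

The two calls at the bottom are the deployment point the brief makes: the substituted certificate is blocked by a client that knows only the public CAs, and accepted once the proxy's CA has been added to the client's trust list.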
