Solved

Bluecoat SSL Intercept

Posted on 2010-12-20
Medium Priority | 10,099 Views
Last Modified: 2012-05-10
Hi,
   My organisation is using the SSL interception feature of Bluecoat ProxySG. We are not intercepting any financial or e-commerce site. The main purpose of interception is to catch malware and viruses in SSL traffic.
My question is: can I capture the intercepted SSL traffic and use it in third-party forensic software? How deep is the SSL interception in Bluecoat? Is the complete decrypted payload available for forensic reasons?

Please help

Thanks,
Peter
Question by:anishpeter
17 Comments
LVL 65

Expert Comment

by:btan
ID: 34398846
We know that SSL traffic is encrypted, hence just tapping the line and sniffing it would mean that you have to decrypt that packet stream to see the clear data payload. Typically, if they wanted to intercept SSL, the man-in-the-middle "stunt" needs to be performed; in other words, trick the sender that you (the fake) are the actual 'legit' recipient. For SSL, it means you need to have your certificate exchanged with the sender. A one-way SSL implementation is susceptible to this MITM (involving ARP spoofing etc. for those illegitimate means), but not for two-way SSL (meaning the client's, the recipient's, certificate is used too). There are tools that do that, such as the well-known SSLStrip.

If the proper SSL handshakes are done, and malware is using the legitimate SSL exchanges, the channel would not simply be broken out in forensics. Imagine breaking the crypto algorithm of RSA 1024/2048 and above. That takes a long, long while; not feasible for forensics, since time is of the essence. Look at malware toolkits like MPack, Rock Phish Kit etc. Malware targeting online banking like Zeus is using SSL too. Some may not be using legitimate handshakes and simply employ obfuscation; that would be more viable for forensic analysis. This would need more packets from the initial packet exchange and also knowing the process performing these exchanges on the "infected" client (or bot). The identified malware would then be further analysed for the key used to obfuscate; it may involve some reverse engineering. Typically XOR schemes are adopted. Some network security technologies (mostly from AVs) would be able to detect such XORed shellcode traffic (signature based, though).

Since you are using the Bluecoat, I see it as already a kind of MITM. To do forensics, it will be good to get the clear traffic. I believe Bluecoat has two modes that can be configured:

1. Transparent mode through intercept, with the user going direct (to the website)
2. Explicit mode through a client proxy setting, enforced for it to stay in-line

@ http://dvas0004.wordpress.com/2010/12/20/configuring-mutual-ssl-authentication-between-proxysg-and-bcaaa-agent/
@ http://www.netleets.com/2010/05/bluecoat-transparent-vs-explicit-proxy.html

Either one can terminate the SSL traffic and retransmit using its own device certificate, which is distributed to all of your enterprise clients as a trusted CA to remain transparent within the enterprise deployment. When the traffic is obtained you may then have it for analysis. Note that you will only be able to decrypt traffic that you have certificates for. Brute force is not logical or applicable.

Network forensics does not have a clear methodology, but it typically revolves around:
a) identifying any signature based on blacklisted URLs (Shadowserver, cloud-based services), spoofed source IPs and malware/shellcode detection (JavaScript XOR, etc.)
b) identifying anomalies such as regular beacons, odd packet timing, malformed protocols, spikes in traffic etc.
c) identifying unauthorised applications such as IRC, peer-to-peer, eMule etc.
d) identifying suspicious outbound leakages such as sensitive data tagged with a classification (assuming the data payload is not encrypted; some malware will go for simple end-to-end encryption)

I understand that Bluecoat can be integrated with a supported Internet Content Adaptation Protocol (ICAP) virus scanning server.
@ http://www.bluecoat.com/solutions/enterprise/controlsecurity/webvirusscanning/virus_scanning-ICAP
@ http://www.bluecoat.com/doc/517

Useful for an automated workflow, but due to sensitivity you may also decide not to do so.
There are offline means as long as you can get the pcap packets for analysis. Available free tools can help, but they are manual.
Check out NetWitness Investigator, Honeysnap, Xplico @ http://www.darknet.org.uk/tag/network-forensics/

Actually it is kind of acting like an IDS for the offline means; this is a paper for a good read.
@ http://insecure.org/stf/secnet_ids/secnet_ids.html

Expert Comment

by:gmit
ID: 34402406
We use a turnkey SSL interception/analysis setup; we just switched to a Palo Alto Networks firewall. It takes care of all the MITM, doing bunches of checks on the content. The unique advantage of this setup is that the firewall is able to decode applications (not just noting port numbers). It watches outgoing connections for threats. I like the comment aimed at folks who are not watching outgoing traffic: "Your firewall is backwards" (I believe it came from Rob Lee of SANS).

There is one problem to be aware of in all these MITM situations. At the user's end it is going to create extra work. Because their browser doesn't see the right cert for the site, they will need to go through some additional clicks to OK the connection. It's an irritation with Firefox and a real pain with IE. Sometimes an application which uses SSL will fail without presenting a user message, e.g. for some browser updates.
LVL 65

Expert Comment

by:btan
ID: 34407046
Agree with gmit that focusing on ingress traffic is not sufficient, and egress is one area we have to handle as well. Internal machines can be infected to become bots, and potential leakages and manipulation for attacks (such as DDoS) can be disastrous for enterprise folks. It may entail blackholing the traffic and impact the running of the business. Palo Alto, also termed a next-gen firewall, mainly covers application awareness and adds in user/contextual info to analyse the traffic. But I doubt it will support every application protocol; it should be sufficient in your case, and of course I believe they can customise for specific applications too.

Actually my thought is that SSL interception isn't really a good way to monitor; we should look at the endpoint instead, that is the source and target for the attacker. Eventually the traffic needs to be decrypted at the endpoint, and the alerts should come to the endpoint monitoring systems like your AV's central management console etc. Coupled with a SIEM for correlation, this can give extra threat awareness, but it can be expensive (though there are open-source options like OSSEC and OSSIM), and eventually a human has to be in control with a proper incident response workflow (including forensic roles). I am not seeing it to the extent of having a security operations centre (SOC), but there can be a dedicated team if the enterprise's key assets really have been targeted.

But I see that the SSL interception may be for detection of data leakage, and so DLP vendors (RSA, Symantec, McAfee, etc.) can be consulted as well. There again, policy control of external storage devices has to be factored in for a holistic security posture.
LVL 1

Author Comment

by:anishpeter
ID: 34424073
Thanks Tan and Gmit.
   But you have never tried to answer my question regarding how I can pull out intercepted (decrypted) SSL traffic from Bluecoat and send it to third-party forensic software. Ready for manual download of data from the proxy. Please try to reply to this.

Peter
LVL 65

Expert Comment

by:btan
ID: 34424283
1) Pull out intercepted SSL traffic
- PCAP: export traffic as PCAP for offline analysis; you may want to set a filter on a specific protocol, else the file can be huge without a filter for the period. You can send the pcap to an FTP server (e.g. SG800#pcap transfer ftp://ftp.acme.org username password). See config guide Appendix E (the PCAP Utility) for more details.

- ICAP: utilise the Internet Content Adaptation Protocol (ICAP) to hand off HTTP requests and/or responses to an external server for configured processing and transformation. See config guide (general detail) Section A: ICAP.

- LOG: access log files in Bluecoat ProxySG format (custom or W3C ELFF format) sent to an external analyser, which generates dynamic statistics from them, analysing and reporting events. See config guide Section G: Configuring the Upload Client. Another is syslog to pump into a SIEM solution (that should correlate with the other access logs etc.); see config guide pg. 842 for the syslog information.

2) Send to third-party forensic software (analysis would involve detecting the anomalies as listed in my previous sharing)
- PCAP: the PCAP file can be sent to NetWitness Investigator, Honeysnap, Xplico (as shared previously), where application-based identification can be further surfaced.

- ICAP: Blue Coat's ICAP implementation is fully compatible today with many ICAP-aware AV servers. See ProxySG ICAP Integration.

- LOG: one external log file analyser is Sawmill. It imports them into a MySQL, Microsoft SQL Server or Oracle database (or its own built-in database), aggregates them, and generates dynamically filtered reports. Its filtered statistics can correlate key alerting events (high traffic) for further analysis.

3) References
- ProxySG Configuration and Management Guide @ http://www.bluecoat.co.jp/downloads/manuals/SGOS_CMG_4.1.4.pdf
- ProxySG ICAP Integration @ www.bluecoat.com/doc/919
- Sawmill @ http://www.sawmill.net/formats/blue_coat_w3_c.html
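The W3C ELFF access-log export in the post above and the anomaly checks from btan's first post (a: blacklisted hosts, b: regular beacons), worked as an added Python example that is not code from the thread, Blue Coat or Sawmill. The sample records, the chosen #Fields layout and the blocklist are constructed for illustration; the detector keys on client/host pairs whose inter-request gaps are nearly constant, which is what a periodic beacon looks like in a proxy log.

```python
"""Triage of proxy access logs (W3C ELFF style) for blacklisted hosts and beaconing.
Added example, not Blue Coat or Sawmill code; the field layout, the sample records
and the blocklist are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: '#Fields' directive, then space-separated records, as ELFF does.
SAMPLE_LOG = """#Software: SGOS
#Fields: date time c-ip cs-host cs-uri-path sc-status sc-bytes
2010-12-20 09:00:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:00:05 10.1.1.50 intranet.example-corp.com /home 200 8192
2010-12-20 09:05:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:10:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:11:43 10.1.1.50 intranet.example-corp.com /docs 200 4096
2010-12-20 09:15:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:20:01 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:22:19 10.1.1.50 intranet.example-corp.com /mail 200 2048
2010-12-20 09:25:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:30:00 10.1.1.50 update.example-corp.com /check 200 512
2010-12-20 09:31:09 10.1.1.77 bad-cnc.example.net /gate.php 200 128
"""
BLOCKLIST = {"bad-cnc.example.net"}   # constructed stand-in for a Shadowserver-style feed
MIN_HITS = 5                           # fewer requests than this cannot show a period
MAX_CV = 0.10                          # coefficient of variation of the gaps; lower = more regular

def parse_elff(text):
    """Turn ELFF text into dicts keyed by the names in the #Fields directive.
    Values are split on whitespace, so quoted fields containing spaces are not handled."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a later directive may redefine the layout
            continue
        if line.startswith("#"):               # #Software, #Version, #Date, #Remark ...
            continue
        if fields is None:
            raise ValueError("line %d: record before any #Fields directive" % lineno)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d: %d values for %d fields" % (lineno, len(values), len(fields)))
        records.append(dict(zip(fields, values)))
    return records

def find_blocklisted(records, blocklist=BLOCKLIST):
    """Check (a): every request whose destination host is on the blocklist."""
    return [(r["c-ip"], r["cs-host"], r["cs-uri-path"])
            for r in records if r["cs-host"].lower() in blocklist]

def find_beacons(records, min_hits=MIN_HITS, max_cv=MAX_CV):
    """Check (b): client/host pairs whose request gaps are almost constant."""
    stamps = defaultdict(list)
    for r in records:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        stamps[(r["c-ip"], r["cs-host"])].append(ts)
    hits = []
    for (client, host), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:                        # all in the same second: a burst, not a beacon
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "count": len(times),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])

if __name__ == "__main__":
    recs = parse_elff(SAMPLE_LOG)
    for hit in find_blocklisted(recs):
        print("blocklisted:", hit)
    for hit in find_beacons(recs):
        print("beacon:", hit)
```

Legitimate software updaters also poll on a fixed schedule, so a beacon hit is a lead to pivot on (destination reputation, payload size, user agent), not a verdict; the thresholds are starting points to tune against your own logs.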
LVL 1

Author Comment

by:anishpeter
ID: 34426115
Hi Tan,
     The point is how we can extract intercepted (decrypted) SSL traffic from Bluecoat. I tried to get a PCAP file, but no intercepted traffic was got. The LOG file does not contain any data payload. The last thing I have to try is PCAP redirection. Here I am already using PCAP for content virus cleaning. I understand ICAP can be integrated with any ICAP-supporting DLP. But my tool is in-house developed and there is no need for doing DLP. My intention is to extract decrypted data in a PCAP file and use it for forensic purposes. Any clue?

Thanks,
Peter
LVL 65

Expert Comment

by:btan
ID: 34426175
Just to clarify: the LOG is just to aid the analysis, if necessary, to correlate other access log events. The intent is to supplement the analysis of the decrypted payload. Also, ICAP is not necessarily only for DLP but also for an external server's content checking. But now I understand where you are coming from.

I am not sure whether CPL or VPM can configure a rule to export or redirect the decrypted traffic, or even tap the ICAP traffic, which may be clear. It would be best to verify with the vendor (sorry, not sure of the scripting) or post this in their forum (I did search through existing posts but found nothing close: http://forums.bluecoat.com/viewforum.php?f=1).

There are postings on decryption using Wireshark, which may not be as seamless but at least gives you the decrypted version.

http://dvas0004.wordpress.com/2010/08/04/exporting-saving-decrypted-data-from-wireshark/
http://dvas0004.wordpress.com/2010/08/02/decrypting-https-traffic-with-bluecoat-reverse-proxy/ 
LVL 1

Author Comment

by:anishpeter
ID: 34428339
Hi Tan,
    I will check with Bluecoat Support about the issue and post it here.

Thanks,
Peter
LVL 65

Expert Comment

by:btan
ID: 34429838
Very much appreciated, as all can benefit. Thanks.
LVL 1

Author Comment

by:anishpeter
ID: 34434415
I got a reply from Bluecoat Technical Support. As per them, I can connect any DLP that is compatible with the ICAP standard. Through ICAP, the DLP or forensic software can get unencrypted data.

Thanks,
Peter
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 34434902
Looks like it is also the same as what I found in this short reply in the forum
@ http://8.21.4.158/viewtopic.php?f=1&t=7888&start=0&st=0&sk=t&sd=a

Actually ICAP is just encapsulating the HTTP packet, meaning ICAP's encapsulated sections may be the headers or bodies of HTTP messages. I understand that Wireshark filters the ICAP traffic as well; from there you can also export the pcap accordingly (besides from the ICAP server).
@ http://www.wireshark.org/docs/dfref/i/icap.html

Also know there are some limitations in ICAP as well: if I am not wrong, the proxy's ICAP is only supported for HTTP/HTTPS/FTP; currently it is not supported for IM, streaming, live HTTP streams, CIFS, MAPI, TCP tunnels.
LVL 1

Author Comment

by:anishpeter
ID: 34441325
Hi Tan,
    It is interesting that Wireshark can do something with ICAP. But only if Wireshark can accept an ICAP connection directly from Bluecoat SG can we utilise it for exporting ICAP data as PCAP. But I am confused about it. Please try to find something about it. Maybe I don't have much deeper knowledge of Wireshark. I will also try.
Wireshark should be able to accept an ICAP connection and send back an ICAP response to Bluecoat SG. Bluecoat SG will always wait for the ICAP response before serving the HTTPS stream to users.


Thanks,
Peter
LVL 65

Expert Comment

by:btan
ID: 34446872
I see Wireshark as more just sniffing the ICAP traffic instead of being an ICAP server (or direct input from Bluecoat SG).
Wireshark incorporates code to identify the ICAP traffic
@ http://wireshark.sourcearchive.com/documentation/1.0.6/packet-icap_8c-source.html

There are actually other open-source ICAP servers for consideration:
a) GreasySpoon (Java mainly), mentioned to integrate with Bluecoat @ http://greasyspoon.sourceforge.net/
- Diagram of architecture @ http://greasyspoon.sourceforge.net/fig/arch_gs.jpg
- I understand that it has a function that can be incorporated into a script to extract the raw bytes (I doubt it is in pcap format). See the example of a script that is pumped into ClamAV (http://greasyspoon.sourceforge.net/sample_java.html)

Bluecoat can simply point to this ICAP server for processing; Wireshark can sniff the traffic in between, or have the ICAP server dump the raw bytes out.
@ https://kb.bluecoat.com/index?page=content&id=KB3802
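The ICAP handoff discussed in the last few posts (the encapsulated HTTP message in the accepted answer, Peter's point that the proxy waits for a standards-conformant ICAP response, and btan's suggestion of an ICAP server that dumps the raw bytes), worked as an added Python example. This is not code from the thread, Blue Coat, Wireshark or GreasySpoon; it follows RFC 3507 for the message layout. The service URI /respmod, the listen port and the sample RESPMOD request are assumptions for illustration.

```python
"""Minimal ICAP RESPMOD listener: capture the decrypted HTTP response the proxy hands over and
answer with a standards-conformant ICAP reply (RFC 3507). Added example, not vendor or tool code;
the service URI, port and sample messages are assumptions for illustration."""
import io
import socketserver

CAPTURES = []   # (http-response-headers, http-response-body) pairs for the forensic tool
OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: capture\r\n"
                 b"Allow: 204\r\nEncapsulated: null-body=0\r\n\r\n")

def parse_encapsulated(value):
    """'req-hdr=0, res-hdr=56, res-body=99' -> [('req-hdr', 0), ('res-hdr', 56), ...] in order."""
    return [(n.strip(), int(o)) for n, _, o in (i.partition("=") for i in value.split(","))]

def dechunk(data):
    """Decode HTTP/1.1 chunked transfer coding; every ICAP body section is chunked."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)   # chunk-size, ignoring extensions
        if size == 0:
            return bytes(out)
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # past the data and its CRLF

def chunked(payload):
    """Encode a payload as one chunk followed by the zero-length terminator."""
    return (b"%x\r\n%s\r\n" % (len(payload), payload) if payload else b"") + b"0\r\n\r\n"

def parse_icap(raw):
    """Split one ICAP message into (method, uri, headers, decoded encapsulated sections)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    enc = parse_encapsulated(headers.get("encapsulated", "null-body=0"))
    sections = {}
    for i, (name, off) in enumerate(enc):
        if name == "null-body":
            break
        nxt = enc[i + 1][1] if i + 1 < len(enc) else len(body)
        sections[name] = dechunk(body[off:nxt]) if name.endswith("-body") else body[off:nxt]
    return method, uri, headers, sections

def handle_icap(raw):
    """Return (ICAP reply bytes, captured (res-hdr, res-body) or None) for one request."""
    method, _uri, headers, sections = parse_icap(raw)
    if method == "OPTIONS":
        return OPTIONS_REPLY, None
    if method != "RESPMOD":                            # e.g. REQMOD: this service is response-only
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n", None
    res_hdr, res_body = sections.get("res-hdr", b""), sections.get("res-body", b"")
    captured = (res_hdr, res_body)                     # the cleartext that was inside the TLS session
    if "204" in headers.get("allow", ""):              # client accepts "unmodified", so skip the echo
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n", captured
    reply = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
             + res_hdr + chunked(res_body))            # otherwise echo the response back unchanged
    return reply, captured

def read_icap_message(rfile):
    """Read one ICAP request from a socket file: header block, fixed-size header sections
    up to the body offset, then HTTP chunks through the zero-length terminator."""
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        line = rfile.readline()
        if not line:
            return head
        head += line
    enc_line = next((ln for ln in head.decode("latin-1").split("\r\n")
                     if ln.lower().startswith("encapsulated:")), "Encapsulated: null-body=0")
    enc = parse_encapsulated(enc_line.split(":", 1)[1])
    data = rfile.read(enc[-1][1])
    while enc[-1][0] != "null-body":
        size_line = rfile.readline()
        data += size_line
        size = int(size_line.split(b";")[0], 16)
        data += rfile.read(size + 2)                   # chunk data (or empty trailer) plus CRLF
        if size == 0:
            return head + data
    return head + data

def parse_stream(raw):
    """Feed bytes already on disk (e.g. ICAP carved from a pcap) through the socket reader."""
    return read_icap_message(io.BytesIO(raw))

class IcapHandler(socketserver.StreamRequestHandler):
    def handle(self):
        reply, captured = handle_icap(read_icap_message(self.rfile))
        if captured:
            CAPTURES.append(captured)
        self.wfile.write(reply)

# Constructed sample: what the proxy would send for one intercepted HTTPS response.
HTTP_REQ = b"GET /check HTTP/1.1\r\nHost: update.example-corp.com\r\n\r\n"
HTTP_RES = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
PAYLOAD = b"beacon-id=0001;status=alive"
SAMPLE_REQUEST = (b"RESPMOD icap://icap.example-corp.com/respmod ICAP/1.0\r\n"
                  b"Host: icap.example-corp.com\r\nAllow: 204\r\n"
                  b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
                  % (len(HTTP_REQ), len(HTTP_REQ) + len(HTTP_RES))
                  + HTTP_REQ + HTTP_RES + chunked(PAYLOAD))

if __name__ == "__main__":                             # 1344 is the registered ICAP port
    socketserver.TCPServer(("0.0.0.0", 1344), IcapHandler).serve_forever()
```

Point the proxy's ICAP response-modification service at this host on port 1344 (the ProxySG side of that configuration is in the vendor guides linked above) and each captured (headers, body) pair is the cleartext that was inside the TLS session, ready to be written out for the in-house tool. Two details matter for staying within the standard, which is what Peter's last reply warns about: the 204 shortcut is only legal when the client advertised Allow: 204, so the handler falls back to echoing the full message otherwise, and the proxy holds the user's response until the ICAP reply arrives, so anything slow done with the capture belongs off the request path.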
LVL 1

Author Comment

by:anishpeter
ID: 34462562
Hi Tan,
    You have tried a lot for me. Thanks for the approach. Give me a couple of days to come back.
LVL 65

Expert Comment

by:btan
ID: 34489620
No problem, just trying my best to help. I am keen to learn from all as well. :)
LVL 1

Author Comment

by:anishpeter
ID: 34840325
Yes, it is possible with an ICAP service. The only problem is that your ICAP listener should work well with the ICAP standards.
LVL 1

Author Closing Comment

by:anishpeter
ID: 34840328
Yes, it is possible. The solution is OK.