Solved

Blue Coat SSL Interception

Posted on 2011-02-22
4
1,971 Views
Last Modified: 2012-05-11
Hi,

We have the Blue Coat appliance that allow for SSL interception.  Is anyone familiar with this? Does this require pushing a certificate out to every work station?  Thanks.
0
Comment
Question by:NYGiantsFan
  • 3
4 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34952084
Yes, it does.

The bluecoat appliance has a fake "ca" certificate (which you can generate yourself if you wish, although it will happily self-generate) which you must push to all workstations or they will generate a "invalid certificate" error.

In an AD environment you can conveniently do this via group policy. on a non-ad environment (but one with login scripts) You can export the cert in the form of a registry key and use silent registry import (or a bit of vbs) to push it into registry keystores.

Note that the certificate will *still* be invalid for java applets and non-microsoft browsers (opera, firefox, chrome etc) as the windows keystore is used by ms products pretty much exclusively (so internet explorer or dotnet apps)
0
 

Author Comment

by:NYGiantsFan
ID: 34952280
Dave,

Thanks for your brilliance again!


The problem I am having is that people are saying that every user needs a seperate key that needs to be purchased from entrust. (Thus running into hundreds of thousands of dollars)

  I believe you can set up your own certificate authority and assign a private key to blue coat, then the public key will be sent to each brower.  That public certificate can be assigned via active directory.

Is this correct?

0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 34953148
no, not even that complex.

The bluecoat requires a CA type key and certificate - you can generate this yourself, but the bluecoat comes with a tool to create a self-signed certificate if you dont' have a ca already (I think its basically just openssl.exe though).

I usually use xca, which has stood me in good stead for such things, so haven't tried the bundled tool.

during operation, the bluecoat visits the target site, then generates a matching certificate signed with its own CA key, and with its own public key replacing the original (so it can decrypt the traffic) which is sent to the client. that is then used as the primary element in a man-in-the-middle attack, similar to that performed by the "webscarab" program.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34953464
This might help
https://kb.bluecoat.com/index?page=content&id=KB3700
step by step instructions on how to set up a bluecoat ssl proxy using the MS CA.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Office 365 Login Audit Report 1 36
Securing a laptop that travels frequently 21 88
Network Security Solution 7 45
Orphaned SIDs on shared folders 3 22
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question