San Francisco Bay Area Data Loss Prevention User Group


How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

  • 1.  How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 12:46 PM

    We would like to use Symantec DLP to detect any use of self-signed SSL certificates for outbound traffic.  How do we create a Policy to do that?  Thank you.

     

    BTW: We have Network Monitors at each outbound POP, and Network Prevents for Web at each BlueCoat proxy. 



  • 2.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 01:31 PM

    YIKES!  That is a new one!

    All the use of SSL certs I know of is internal to the product.  Unless they have exposed something in version 11, I don't know how you can get the details of a certificate. 

    I think you are going to have to open a ticket with support to find out.

    You might also want to make your sales contact aware of the issue so he can ask around and/or engage other department or layers of management.

     

    JGT



  • 3.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 02:06 PM

    We have taken more of a whitelisting approach to a similar problem.  We have a policy that detects sensitive data, and as we find sites that we are business partners with, we create an exception for their URL.  This doesn't prevent self-signed certs, but it does keep users from posting sensitive data to unapproved sites, which may solve the same problem a bit differently.

     



  • 4.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 03:27 PM

    You may have to create a "Custom File Type Signature for PKCS#12", unless Symantec DLP already supports this file format. You can find examples of creating custom file types by joining the:

    Data Loss Prevention (Vontu) Customer Group

    https://www-secure.symantec.com/connect/downloads/custom-file-type-signature-password-protected-rar 

     

    Please note the disclaimer:

    These definitions are not officially supported by Symantec or through any existing Symantec Data Loss Prevention licensing agreement. There has been limited quality assurance and testing on these definitions compared with official Symantec software releases.



  • 5.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 05:03 PM

    I'm not sure if the Web Prevent server even sees the certificates. As I understand it, the Web Prevent uses ICAP to communicate with the Blue Coat. For the Web Prevent to monitor web traffic, the Blue Coat must decrypt the session before forwarding over ICAP. So, Web Prevent can only monitor the HTTP session.



  • 6.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 05:38 PM

    Madstan,

    I think you're right... the external interface of the Blue Coat Proxy would interact with the Web Server that is hosting the self-signed certificate and (as you mentioned) only pass the HTTP data over to DLP. Genius!!

    Tom,

    Maybe this is something that should be handled with a Blue Coat Proxy content exception rule.



  • 7.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 07:01 PM

    Some thoughts on the problem:

    1. I agree and do not think the Web Prevents may be of much use.
    2. However, the Network Monitor sees the SSL handshake traffic (and thus content), doesn't it? ...which comes before the tunnel is set up and before the session data content (which it cannot see).  And so a self-signed certificate would be content that it could alert on, wouldn't it?
    3. If that is so, then an EDM policy of specific, known self-signed certificates would produce true positive alerts on uses of those certificates.  However, unknown self-signed certificates would be false negatives.  I am thinking that this is where a more generic SDLP Policy could come into play and help reduce the number of false negatives.
    4. Finally, I don't think the BlueCoats are any help either.  The SSLIntersect policy on the BlueCoat proxies filters on the URL, if I am not mistaken.  Not on the use of SSL (or on IP addresses).  So whitelisting or blacklisting of websites for SSL by the BlueCoats is enforced based upon the URL, not the use of SSL.  So what you are actually getting is a policy enforcement that is agnostic of whether the certificate is self-signed or public (like a VeriSign/Symantec one), or even a private/enterprise PKI SSL certificate.


  • 8.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 07:15 PM

    If I understand correctly, this is an interesting take on the problem.  Instead of detecting the self-signed certificate at use, we'd be detecting its generation.  And it would be particularly applicable when the generation processing is done outbound from the organization.

    On the other hand, public certificates are typically generated doing that, being sent out of the organization to be processed (e.g., by HTTP to a web portal).  False positives for such public certificates (e.g., VeriSign's ones) would be resolvable so long as there is a centrally managed LRA (or "administrator") within the business/organization, wouldn't it?



  • 9.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 21, 2013 07:39 PM

    1. However, the Network Monitor sees the SSL handshake traffic (and thus content), doesn't it? ...which comes before the tunnel is set up and before the session data content (which it cannot see). And so a self-signed certificate would be content that it could alert on, wouldn't it?

    I don't think the Network Monitor is going to be able to open up the SSL session and look at the certificate. The certificate is opened higher up the stack.

    4. Finally, I don't think the BlueCoats are any help either. The SSLIntersect policy on the BlueCoat proxies filters on the URL, if I am not mistaken. Not on the use of SSL (or on IP addresses). So whitelisting or blacklisting of websites for SSL by the BlueCoats is enforced based upon the URL, not the use of SSL. So what you are actually getting is a policy enforcement that is agnostic of whether the certificate is self-signed or public (like a VeriSign/Symantec one), or even a private/enterprise PKI SSL certificate.

    Looks like you may be able to do something at the BlueCoat Proxy... check out

    Deployment Guide: Deploying the SSL Proxy, Version 5.2.2 (page 5)

    What the SSL Proxy Does

    The SSL Proxy can be used to tunnel or intercept HTTPS traffic. The SSL Proxy tunnels all HTTPS traffic by default unless there is an exception, such as a certificate error or a policy denial. In such cases the SSL Proxy intercepts the SSL connection and sends an error page to the user. The SSL Proxy allows interception of HTTPS traffic even when there are no errors. Such interception enables the application of various security policies to HTTPS content.

    Some HTTPS traffic, such as financial information, should not be intercepted. The SSL proxy can do the following operations while tunneling HTTPS traffic.

    - Validate server certificates, including revocation checks using Certificate Revocation Lists (CRLs).

    - Check various SSL parameters such as cipher and version.

    - Log useful information about the HTTPS connection.

    When the SSL Proxy is used to intercept HTTPS traffic, it can also:

    - Cache HTTPS content.

    - Apply HTTP-based authentication mechanism.


  • 10.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 22, 2013 09:33 AM

    Tom,

    On point 2, the Network Monitor would see the certificate being used to set up the tunnel.  However, there isn't anything I know of in the product that would expose the SSL certificate information up to the detection chain.  It is the detection chain where tests are done to determine if an incident is created or not.

    It occurs to me that Prevent could do the job IF the ICAP protocol gives the cert information AND DLP is changed to expose that information to the detection chain.

    GJT
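    Posts 7, 9 and 10 above turn on whether a passive sensor that sees the handshake could recognise a self-signed server certificate at all. The following is an added illustration, not code from the thread or from Symantec: in TLS 1.2 and earlier the server's Certificate handshake message is sent in the clear, so a sensor that captures it holds the DER-encoded certificate, and the structural signal of a self-signed certificate is that the issuer name and the subject name are identical. The script walks the DER by hand (no third-party library), extracts both names, and flags the match. The two sample certificates are constructed inline with a small DER encoder; their keys and signatures are dummy placeholders, and the names, organisations and dates are invented for the example. A full check would also verify the signature with the certificate's own public key, which needs a crypto library and is left out here; note too that TLS 1.3 encrypts the Certificate message, so this passive approach only works for older protocol versions.

```python
# Added example (not from the thread): minimal DER walker that pulls issuer
# and subject out of an X.509 certificate and flags issuer == subject, the
# structural pattern of a self-signed certificate. Sample certificates are
# constructed below with placeholder keys and signatures.

_OIDS = {
    b"\x55\x04\x03": "CN",  # 2.5.4.3  commonName
    b"\x55\x04\x0a": "O",   # 2.5.4.10 organizationName
    b"\x55\x04\x06": "C",   # 2.5.4.6  countryName
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def certificate_names(cert_der: bytes):
    """Return (issuer_body, subject_body) from a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    """
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # issuer, subject (SEQUENCE contents)


def dn_to_str(name_body: bytes) -> str:
    """Render a Name (SEQUENCE OF SET OF {OID, value}) as 'O=..., CN=...'."""
    parts = []
    for _, rdn in _children(name_body):   # each RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):     # each AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, value) = _children(atv)
            parts.append(f"{_OIDS.get(oid, oid.hex())}={value.decode('utf-8')}")
    return ", ".join(parts)


def is_self_signed(cert_der: bytes) -> bool:
    """True when issuer and subject are byte-identical.

    Structural test only; a complete check would also verify the signature
    with the certificate's own public key (needs a crypto library, omitted).
    """
    issuer, subject = certificate_names(cert_der)
    return issuer == subject


# --- constructed sample certificates (placeholder keys and signatures) ------

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_name(org: str, cn: str) -> bytes:
    """Name with two RDNs, O and CN, as PrintableStrings."""
    def rdn(oid: bytes, s: str) -> bytes:
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, s.encode())))
    return _tlv(0x30, rdn(b"\x55\x04\x0a", org) + rdn(b"\x55\x04\x03", cn))


def make_cert(issuer: bytes, subject: bytes) -> bytes:
    """Structurally valid v3 certificate shell; key and signature are dummies."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"130221000000Z") + _tlv(0x17, b"140221000000Z"))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00" * 17))  # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sha256_rsa + issuer + validity + subject + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))  # placeholder sig


SELF_SIGNED = make_cert(make_name("Example Corp", "selfsigned.example.test"),
                        make_name("Example Corp", "selfsigned.example.test"))
CA_ISSUED = make_cert(make_name("Example CA Org", "Example Issuing CA"),
                      make_name("Example Corp", "www.example.test"))

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("CA-issued", CA_ISSUED)):
        issuer, subject = certificate_names(cert)
        print(f"{label}: issuer=[{dn_to_str(issuer)}] subject=[{dn_to_str(subject)}] "
              f"self_signed={is_self_signed(cert)}")
```

    The point of the structural check is that it needs no key material and no policy engine: a sensor that already reassembles the handshake can apply it before the tunnel is established, which is exactly the position the Network Monitor occupies in the thread. Whether the product exposes the certificate to its detection chain, as post 10 says it does not, is a separate question from whether the data is visible on the wire.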

     



  • 11.  RE: How do I create a SDLP Policy to detect any use of self-signed SSL certificates?

    Posted Feb 25, 2013 08:47 AM

    GJT,

    To continue beating this dead horse. According to the ICAP RFC, "HTTP headers MUST start with the request line or status-line for requests and responses, respectively, followed by interesting HTTP headers."  My read of the RFC for ICAP is, ICAP is for HTTP/1.1 and not SSL. Consequently, the DLP server will not see the certificate.