Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
905
Views
1
Helpful
6
Replies

IronPort WebProxy TLS Decryption

Go to solution
adamgibs7
Level 6
Level 6

‎03-18-2022 03:53 AM

Dears

I have one clarification, if i m doing the TLS decryption for my end user traffic on proxy server, what is the benefit of doing that, becz Proxy is not a prevention system, if any malicious traffic is inside the connection how we can prevent it to reach to end user.

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
amojarra
Cisco Employee
Cisco Employee

‎11-15-2022 04:06 AM

Hi 

please allow me to describe some points here, 

[1] first lets say you are trying to download a virus from HTTPS connection, if WSA had no idea what is inside it wont Block it, 
[2] WSA has coupe of scanning engine such as Sophos, Mcafee, Webroot which they are scanning for malware 
[3] WSA also is integrated with AMP (on-cloud or on-perm) and will send the HASH of the file to AMP server, if the disposition is Clean or MALICIOUS we know what to do, Block or Allow. and if the disposition is UNKNOWN and the file criteria are matched to send the file to File analysis server (Formerly ThreatGrid) the file will be sent for sandboxing and further check.

 

amojarra_0-1668513395239.png

 

Kindly check this link : User Guide for AsyncOS 14.5 for Cisco Secure Web Appliance - GD (General Deployment) - File Reputation Filtering and File Analysis [Cisco Secure Web Appliance] - Cisco

 

[4] Also WSA had some preventing system which is powered by Talos, with Web reputation scoring and URL categorization you can prevent access to some MALICIOUS web sites

 

 

so regarding your questions: 

hence SSL vendors are saying that malicious traffic is hidden in SSL tunnel , so how it is ??

the SSL/TLS or in general HTTPS traffic are encrypted point to point between Client and server, in Proxy environment if we enable SSL inspection or HTTPS decryption, the Web Client is WSA, so all the data will be landed on WSA as encrypted and WSA will decrypt it and have full visibility on it.

 

until it is bogus DNS inside network ( which need to be address DNS level?)

in Explicit mode Proxy server is responsible for DNS resolution, and in transparent mode client is responsible, 

when we enabled L4TM, we can monitor DNS activity 

also with equipping the network with CISCO Umbrella we will have DNS level security 

 again with WBRS (web reputation scoring) if the resolved IP for the FQDN is pointing at some known bad IP address, and Talos knows that it will block it before the session established 

 

If the URL is well know good URL and it is passed by WSA on return traffic an attacker has done a man in the middle attack this type of connection will be detected by WSA.

if the attacker wants to be man in the middle in HTTPS traffic, he/she  needs to have a certificate, which WSA will check the certificate validity , when HTTPS proxy is enabled 

 

 

 

also you can check the network flow and WSA's protection layers before, during and after attack 

amojarra_1-1668513977249.png

 

hope these information are useful

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

View solution in original post

6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-18-2022 07:51 AM

Most of the sites now a days encrypted, so if you like to see any traffic https you need to decrypt and inspect.

 

So https decryption help here. this is from public network to inside network

 

 if any malicious traffic is inside the connection how we can prevent it to reach to end user.

if the device already malicious inside lan, this should product by end device anitivurs right ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Ken Stieers
VIP
VIP

‎03-18-2022 08:03 AM

The point of decryption is to SEE that "malicious traffic", and then do something about it. 

Without decryption the WSA can make decisions based on the domain portion of the URL... is "www.whaterversite.com" in a category we'll allow our users to visit?

 

With decryption, you can see what the full URL is and see the files that users are downloading. 

So now you can do things like control specific behaviors in web sites (download, but not upload, post comments, but not photos, etc.), and scan files for malware.

 

0 Helpful

Go to solution
adamgibs7
Level 6
Level 6
In response to Ken Stieers

‎03-18-2022 09:29 AM

Dears

 

thanks for the replies. Please correct me if i m wrong.

 

  1. If the user traffic is decrypted on the WSA if there is any malicious file the inspection of file will be done by WSA if it is known it will drop the file if it is unknown it will send for sandboxing if available.
  2. If the URL is well know good URL and it is passed by WSA on return traffic an attacker has done a man in the middle attack this type of connection will be detected by WSA.

Thanks

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to adamgibs7

‎03-18-2022 09:46 AM

1 - your understanding correct.

2. Encryption and decryption happening 2 level

 

user to WAS  also encryption , WSA to Pubic site also encrypted.

where is the middle in the man attack take place ? until it is bogus DNS inside network ( which need to be address DNS level?)

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
adamgibs7
Level 6
Level 6
In response to balaji.bandi

‎11-12-2022 08:13 AM

Dear Balaji

Organization are doing SSL decryption for most of the traffic, hence SSL vendors are saying that malicious traffic is hidden in SSL tunnel , so how it is ??

Thanks

 

 

0 Helpful

Go to solution
amojarra
Cisco Employee
Cisco Employee

‎11-15-2022 04:06 AM

Hi 

please allow me to describe some points here, 

[1] first lets say you are trying to download a virus from HTTPS connection, if WSA had no idea what is inside it wont Block it, 
[2] WSA has coupe of scanning engine such as Sophos, Mcafee, Webroot which they are scanning for malware 
[3] WSA also is integrated with AMP (on-cloud or on-perm) and will send the HASH of the file to AMP server, if the disposition is Clean or MALICIOUS we know what to do, Block or Allow. and if the disposition is UNKNOWN and the file criteria are matched to send the file to File analysis server (Formerly ThreatGrid) the file will be sent for sandboxing and further check.

 

amojarra_0-1668513395239.png

 

Kindly check this link : User Guide for AsyncOS 14.5 for Cisco Secure Web Appliance - GD (General Deployment) - File Reputation Filtering and File Analysis [Cisco Secure Web Appliance] - Cisco

 

[4] Also WSA had some preventing system which is powered by Talos, with Web reputation scoring and URL categorization you can prevent access to some MALICIOUS web sites

 

 

so regarding your questions: 

hence SSL vendors are saying that malicious traffic is hidden in SSL tunnel , so how it is ??

the SSL/TLS or in general HTTPS traffic are encrypted point to point between Client and server, in Proxy environment if we enable SSL inspection or HTTPS decryption, the Web Client is WSA, so all the data will be landed on WSA as encrypted and WSA will decrypt it and have full visibility on it.

 

until it is bogus DNS inside network ( which need to be address DNS level?)

in Explicit mode Proxy server is responsible for DNS resolution, and in transparent mode client is responsible, 

when we enabled L4TM, we can monitor DNS activity 

also with equipping the network with CISCO Umbrella we will have DNS level security 

 again with WBRS (web reputation scoring) if the resolved IP for the FQDN is pointing at some known bad IP address, and Talos knows that it will block it before the session established 

 

If the URL is well know good URL and it is passed by WSA on return traffic an attacker has done a man in the middle attack this type of connection will be detected by WSA.

if the attacker wants to be man in the middle in HTTPS traffic, he/she  needs to have a certificate, which WSA will check the certificate validity , when HTTPS proxy is enabled 

 

 

 

also you can check the network flow and WSA's protection layers before, during and after attack 

amojarra_1-1668513977249.png

 

hope these information are useful

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents