Inline SSL Traffic Filtering
Because SSL/TLS connections can carry sensitive data, some organizations require that certain SSL/TLS connections are never inspected. Connections that carry user data such as financial or health care information can be passed through without inspection, based on a configured policy.
Based on the decryption policies, some connections are not decrypted and are passed through, optionally to and through tools, without decryption. In this way the inline SSL decryption solution respects data privacy and supports compliance.
Inline SSL decryption provides the following ways to filter traffic:
- No-decrypt lists specify traffic to always pass through. A no-decrypt list policy states that traffic from certain sites should always skip decryption. Refer to No-decrypt Listing Policy.
- Decrypt lists specify traffic to always decrypt. A decrypt list policy states that traffic from certain sites should always be decrypted. Refer to Decrypt Listing Policy.
- Both no-decrypt lists and decrypt lists support comments, IP addresses, IP subnets and explicit wildcards for entries and domain rules.
- URL Web Services categorizes URLs by their type; for example, MyBank.com is a financial institution, so a policy can state that its traffic is not decrypted. This is also called URL filtering. Typically, banking and health care traffic is not decrypted. Refer to URL Categorization.
- Policy rules based on network attributes, such as:
  - Destination IPv4 address
No-decrypt Listing Policy
No-decrypt lists are typically used in environments where the default is to decrypt, except for certain sites or classes of sites that cannot be decrypted for legal or compliance reasons. By default, traffic that is not to be decrypted is forwarded to the tools unless otherwise configured.
A no-decrypt list file can contain a maximum of 10,000 entries.
Decrypt Listing Policy
Decrypt listing is typically used at sites where specific classes of connections must be decrypted, although the default for other traffic is not to decrypt. Decrypt listed domains and host names will always be decrypted.
A decrypt list file can contain a maximum of 10,000 entries.
Rules and Notes for Configuring a No-Decrypt/Decrypt List Policy
- The maximum number of domains/hostnames supported per list is 10,000.
- IP subnets are supported from version 5.13.01, for example 10.10.10.0/24.
- Special characters are not supported unless they are used to define domain names: * . - @ are supported in domain names, and / is supported when an IP subnet is defined. # comments out a line. An example of the text file format would be as follows:
- Ranges of IP addresses are not supported, for example 10.10.10.10-20.
- Use a new line for each entry. Separator characters such as , and ; are not supported.
- On GigaVUE-OS versions before 5.9, gigamon.com as an entry matches gigamon.com and all its subdomains, that is, abc.gigamon.com, abc.xyz.gigamon.com, and so on.
- Starting from GigaVUE-OS v5.9, gigamon.com as an entry matches only gigamon.com. To match all subdomains of gigamon.com on v5.9+, use *.gigamon.com.
- If the system has a large set of decrypt/no-decrypt list entries, the GigaVUE-FM stats page and the CLI stats command do not display any output immediately. Wait 5 to 10 minutes after reloading before checking the inline SSL show stats command in the CLI or the stats page in GigaVUE-FM.
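The following Python script is an added example (not Gigamon's code) that checks a constructed list file against the rules above and applies the pre-5.9 and v5.9+ subdomain matching; the names parse_list_file and host_matches are the example's own, and a *.domain entry is assumed to match subdomains only, not the bare domain.

```python
# Added example, not Gigamon's code: check a no-decrypt/decrypt list file
# against the rules above and apply the per-version subdomain matching.
import ipaddress
import re

MAX_ENTRIES = 10000
# Domain entries may contain letters, digits and the characters * . - @
DOMAIN_RE = re.compile(r"^[A-Za-z0-9*.@-]+$")
# A dashed range such as 10.10.10.10-20 is rejected explicitly
RANGE_RE = re.compile(r"^[0-9.]+-[0-9.]+$")

# Constructed sample list file: two domain entries, one subnet, two mistakes
SAMPLE_LIST = """# constructed no-decrypt list
gigamon.com
*.example-bank.com
10.10.10.0/24
10.10.10.10-20
a.example.com, b.example.com
"""

def parse_list_file(text):
    """Return (domains, networks, errors); errors are (line number, reason)."""
    domains, networks, errors = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):      # '#' comments out a line
            continue
        if "," in entry or ";" in entry:             # one entry per line only
            errors.append((lineno, "separators , and ; are not supported"))
        elif RANGE_RE.match(entry):
            errors.append((lineno, "IP address ranges are not supported"))
        elif "/" in entry or entry.replace(".", "").isdigit():
            try:                                     # IP address or subnet
                networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                errors.append((lineno, "invalid IP address or subnet"))
        elif DOMAIN_RE.match(entry):
            domains.append(entry.lower())
        else:
            errors.append((lineno, "unsupported characters in entry"))
    if len(domains) + len(networks) > MAX_ENTRIES:
        errors.append((0, "more than %d entries" % MAX_ENTRIES))
    return domains, networks, errors

def host_matches(host, entry, os_version=(5, 9)):
    """Pre-5.9: an entry matches itself and every subdomain. 5.9+: only an
    exact match, unless the entry is written as *.domain (assumed here to
    match subdomains only, not the bare domain)."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])              # ".gigamon.com" suffix
    if os_version < (5, 9):
        return host == entry or host.endswith("." + entry)
    return host == entry
```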
IP Address Subnet with Longest Prefix Match (LPM)
The no-decrypt and decrypt databases allow the use of IP subnets, so overlapping IP addresses can be configured in the decrypt and no-decrypt databases. The decision to decrypt or not decrypt is based on the longest prefix match among the IP entries in the decrypt/no-decrypt databases.
The format is subnet/prefix with no space, for example 191.1.1.0/32.
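The following Python script is an added example (not Gigamon's code) of the longest-prefix-match decision over overlapping decrypt and no-decrypt entries; the tie-break towards no-decrypt when both databases hold the same prefix and the default action when nothing matches are this example's assumptions, not documented behaviour.

```python
# Added example, not Gigamon's code: longest-prefix-match decision across
# overlapping decrypt and no-decrypt subnet entries.
import ipaddress

def build_policy_db(decrypt_entries, no_decrypt_entries):
    """Parse 'subnet/prefix' strings into (network, action) pairs."""
    db = []
    for action, entries in (("decrypt", decrypt_entries),
                            ("no-decrypt", no_decrypt_entries)):
        for e in entries:
            db.append((ipaddress.ip_network(e, strict=False), action))
    return db

def lpm_decision(db, ip, default="decrypt"):
    """Return (action, matched_entry). The entry with the longest prefix that
    contains ip wins; with equal prefix lengths no-decrypt is preferred
    (an assumption, mirroring the category precedence rule on this page).
    'default' stands for the deployment's policy when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, action in db:
        if net.version != addr.version or addr not in net:
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen
                    and action == "no-decrypt")):
            best = (net, action)
    return (best[1], str(best[0])) if best else (default, None)

# Constructed, deliberately overlapping entries (191.1.1.0/32 is the page's example)
DECRYPT_LIST = ["10.10.0.0/16", "191.1.1.0/32", "172.16.5.0/24"]
NO_DECRYPT_LIST = ["10.0.0.0/8", "10.10.10.0/24", "172.16.5.0/24"]
POLICY_DB = build_policy_db(DECRYPT_LIST, NO_DECRYPT_LIST)

def decide(ip):
    """Decision for one destination IPv4 address against the sample databases."""
    return lpm_decision(POLICY_DB, ip)
```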
URL Categorization
URL categories make it convenient to apply policies on all the possible URLs by simplifying the number of policy rules. Categorization is based on the hostname in the TLS Server Name Indication (SNI) or the hostname from the server certificate if there is no SNI. There are 83 categories including one for Uncategorized, which is a default category for URLs that do not match any of the other 82 categories. The categories are fixed, meaning that categories cannot be added, deleted or modified.
GigaSMART ships with a local database of 1M entries and will also perform a cloud lookup for those hosts not found in the local database. The URL Web Service provides the URL categorization. The URL database is updated daily from the URL Web Service. Each update likely adds new entries and purges other entries, but always keeps the database at 1M entries.
Note: When a URL is not in the cache, for cloud look-ups the stack port interface on GigaSMART must be configured to provide Internet access. Refer to Set up the Stack Port Interface for more information.
URL Look-ups and Caching
As part of the iSSL processing, URL look-ups are performed against the database. If the URL is not found in the database, then a lookup is performed against the local cache. If the URL is not found in the local cache, then an external lookup to the URL Web Services may be performed, if configured. If the URL is found in the external look-up, then it is dynamically saved in the local cache. Future look-ups may then find the URL in the local cache instead of requiring the external look-up.
Note:
- For TLS connections containing SNI in the Client Hello, do not perform URL look-up in the certificate phase.
- CN-based evaluation can be performed using the configuration option.
The local cache can hold up to 250k entries (in addition to the 1M entry database). The local cache works like a circular buffer: older entries are discarded to make room for newer ones when the cache is full. Each cache entry is valid for 24 hours and is stamped with the current time whenever it is added. If an expired entry is encountered, a new query is issued to the URL Web Services to refresh the entry in the cache. Expired entries are not actively deleted from the cache.
Because the URL Web Service is hosted on AWS, external look-ups need to complete quickly. Gigamon provides a timeout option of up to 10 seconds for external URL look-ups via the URL cache miss defer option.
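The following Python script is an added example (not Gigamon's code) that models the look-up order and cache behaviour described above: database first, then the local cache, then the URL Web Service, with a circular-buffer cache whose entries expire after 24 hours and are refreshed in place. The class and stage names are the example's own, and treating a failed external look-up as Uncategorized is an assumption.

```python
# Added example, not Gigamon's code: model of the look-up order above
# (local database, then local cache, then URL Web Service).
from collections import OrderedDict
import time

CACHE_TTL = 24 * 3600        # each cache entry is valid for 24 hours
CACHE_CAPACITY = 250_000     # figure from the page; the demo below uses 1

class UrlCategorizer:
    def __init__(self, database, external_lookup, cache_capacity=CACHE_CAPACITY,
                 now=time.time):
        self.db = database               # host -> category, refreshed daily
        self.external = external_lookup  # callable(host) -> category or None
        self.cache = OrderedDict()       # host -> (category, timestamp)
        self.capacity = cache_capacity
        self.now = now                   # clock, injectable for testing
        self.external_calls = 0

    def _cache_put(self, host, category):
        if host in self.cache:
            del self.cache[host]            # refresh: re-insert as newest entry
        elif len(self.cache) >= self.capacity:
            self.cache.popitem(last=False)  # circular buffer: drop the oldest
        self.cache[host] = (category, self.now())

    def categorize(self, host):
        """Return (category, stage), where stage says which step answered."""
        if host in self.db:
            return self.db[host], "database"
        hit = self.cache.get(host)
        if hit is not None and self.now() - hit[1] < CACHE_TTL:
            return hit[0], "cache"
        # Cache miss, or an expired entry that stays cached until refreshed:
        # query the URL Web Service if one is configured.
        if self.external is None:
            return "Uncategorized", "no-external-lookup"   # assumption
        self.external_calls += 1
        category = self.external(host)
        if category is None:
            return "Uncategorized", "external-miss"        # assumption
        self._cache_put(host, category)
        return category, "external"

# Constructed sample data; categories taken from the table on this page
SAMPLE_DB = {"firstpremierbankcards.com": "Financial Services"}
SAMPLE_CLOUD = {"translate.google.com": "Translation", "buythisdomain.com": "Parked Sites"}
CLOCK = {"t": 0.0}                       # fake clock so expiry can be simulated

def demo():
    """Walk one host through database, cache hit, eviction and expiry."""
    CLOCK["t"] = 0.0
    c = UrlCategorizer(SAMPLE_DB, SAMPLE_CLOUD.get, cache_capacity=1,
                       now=lambda: CLOCK["t"])
    stages = [c.categorize("firstpremierbankcards.com")[1],   # database
              c.categorize("translate.google.com")[1],        # external, cached
              c.categorize("translate.google.com")[1]]        # cache hit
    c.categorize("buythisdomain.com")             # capacity 1: evicts translate
    stages.append(c.categorize("translate.google.com")[1])    # external again
    CLOCK["t"] += CACHE_TTL + 1                   # entry now older than 24 hours
    stages.append(c.categorize("translate.google.com")[1])    # refreshed
    return stages, c.external_calls
```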
Note:
- URLs may get recategorized as part of updates from the URL Web Services. This is transparent to Gigamon and customers.
The URL category classification is fixed, and a new category cannot be added. Gigamon provides the no-decrypt list/decrypt list functionality, which can achieve the same result as creating a custom category. If a URL belongs to multiple categories, any no-decrypt policy would take precedence over all decrypt policies.
Inline SSL URL categories
The following is the list of Inline SSL URL categories with examples.
Note: Gigamon does not endorse any of the following categories, descriptions, and examples, but replicates the information from the URL Web Services. Some categories are presented without examples because examples would not be appropriate.
Category Name | Description and Examples
Abortion | Abortion topics, either pro-abortion or anti-abortion.
Abused Drugs | Discussion or remedies for illegal, illicit, or abused drugs such as heroin, cocaine, or other street drugs. This category includes information on the misuse of non-proscribed substances (e.g. "glue sniffing"), or the misuse of prescription medications.
Adult and Pornography | Sexually explicit material for the purpose of arousing a sexual or prurient interest. Online groups, including newsgroups and forums, that are sexually explicit in nature.
Alcohol and Tobacco | Sites that provide information on, promote, or support the sale of alcoholic beverages or tobacco products and associated paraphernalia.
Auctions | Sites that support the offering and purchasing of goods between individuals as their main purpose. Does not include classified advertisements.
Botnets | URLs, typically IP addresses, which are determined to be part of a bot network from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.
Business and Economy | Business firms, corporate websites, business information, economics, marketing, management, and entrepreneurship.
Content Delivery Networks | Delivery of content and data for third parties, including ads, media, files, images, and video.
Cheating | Sites that support cheating on examinations and contain such materials, including free essays, exam copies, plagiarism, etc.
Computer and Internet Info | General computer and Internet sites, technical information. SaaS sites and other URLs that deliver internet services. Example: http://system.netsuite.com
Computer and Internet Security | Computer/Internet security, security discussion groups.
Confirmed Spam Sources | Confirmed SPAM sources.
Cult and Occult | Internet resources which include discussion of astrology, spells, curses, magical powers, satanic rituals or supernatural beings. This includes horoscope sites.
Dating | Dating websites focused on establishing personal relationships.
Dead Sites | Dead sites that do not respond to HTTP queries. Policy engines should usually treat these as "Uncategorized" sites.
Dynamic Content | Domains that generate content dynamically based on arguments to their URL or other information (like geo-location) on the incoming web request.
Education Institution | Pre-school, elementary, secondary, high school, college, university, and vocational school and other educational content and information including enrollment, tuition, and syllabus.
Entertainment and Arts | Motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Fashion and Beauty | Fashion or glamour magazines, beauty, clothes, cosmetics, style. Example: http://visionmodels.co.uk
Financial Services | Banking services and other types of financial information, such as loans, accountancy, actuaries, banks, mortgages, and general insurance companies. Does not include sites that offer market information, brokerage or trading services. Example: http://firstpremierbankcards.com
Gambling | Gambling or lottery web sites that invite the use of real or virtual money. Information or advice for placing wagers, participating in lotteries, gambling, or running numbers. Virtual casinos and offshore gambling ventures. Sports picks and betting pools.
Games | Playing or downloading video games, computer games, electronic games, tips, and advice on games or how to obtain cheat codes. Also includes sites dedicated to selling board games as well as journals and magazines dedicated to game playing.
Government | Information on government, government agencies and government services such as taxation, public, and emergency services. Also includes sites that discuss or explain laws of various governmental entities. Includes local, county, state, and national government sites. Example: http://premier-ministre.gouv.fr
Gross | Sites that contain material which would be considered foul or disgusting. Examples would include bodily fluids, injuries, gore.
Hacking | Illegal or questionable access to or use of communications equipment/software. Development and distribution of programs that may allow compromise of networks and systems.
Hate and Racism | Sites that contain content and language in support of hate crimes and racism.
Health and Medicine | General health, fitness, well-being, including traditional and non-traditional methods and topics. Medical information on ailments, various conditions, dentistry, psychiatry, optometry, and other specialties. Example: http://missionvalleymedical.com
Home and Garden | Home issues and products, including maintenance, home safety, decor, cooking, gardening, home electronics, design, etc. Example: http://waysidegardens.com
Hunting and Fishing | Sport hunting, gun clubs, and fishing. Examples: http://fishingworks.com, http://wildlifelicense.com
Illegal | Criminal activity, copyright and intellectual property violations, etc.
Image and Video Search | Photo and image searches, online photo albums/digital photo exchange, image hosting. Example: http://images.google.fr
Individual Stock Advice and Tools | Promotion and facilitation of securities trading and management of investment assets. Also includes information on financial investment strategies, quotes, and news.
Internet Communications | Internet telephony, messaging, VoIP services and related businesses.
Internet Portals | Web sites that aggregate a broader set of Internet content and topics, and which typically serve as the starting point for an end user.
Job Search | Assistance in finding employment, and tools for locating prospective employers, or employers looking for employees.
Keyloggers and Monitoring | Downloads and discussion of software agents that track a user's keystrokes or monitor their web surfing habits.
Kids | Sites designed specifically for children and teenagers. Examples: http://www.mundogaturro.com, http://www.poptropica.com
Legal | Legal websites, law firms, discussions and analysis of legal issues. Examples: http://www.pepperlaw.com, http://earlcaterlaw.com
Local Information | City guides and tourist information, including restaurants, area/regional information, and local points of interest. Examples: http://downtownlittlerock.com, http://sandiegorestaurants.com
Malware Sites | Malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, and code.
Marijuana | Marijuana use, cultivation, history, culture, legal issues.
Military | Information on military branches, armed services, and military history.
Motor Vehicles | Car reviews, vehicle purchasing or sales tips, parts catalogs. Auto trading, photos, discussion of vehicles including motorcycles, boats, cars, trucks and RVs. Journals and magazines on vehicle modifications.
Music | Music sales, distribution, streaming, information on musical groups and performances, lyrics, and the music business.
News and Media | Current events or contemporary issues. Also includes radio stations, magazines, online newspapers, headline news sites, newswire services, personalized news services, and weather sites. Example: http://newsoftheworld.co.uk
Nudity | Nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect but may include sites containing nude paintings or photo galleries of artistic nature.
Online Greeting Cards | Online greeting card sites. Examples: http://123greetings.com, http://greeting-cards.com
Online Personal Storage | Online storage and posting of files, music, pictures, and other data. Example: http://freefilehosting.net
Open HTTP Proxies | Proxy servers that are accessible by any Internet user.
P2P (Peer to Peer) | Peer-to-peer clients and access, including torrents, music downloads and programs.
Parked Sites | Parked domains are URLs which host limited content or click-through ads which may generate revenue for the hosting entities but generally do not contain content useful to the end user. Also includes Under Construction, folders, and web server default home pages. Example: http://buythisdomain.com
Pay to Surf | Sites that pay users in the form of cash or prizes for clicking on or reading specific links, email, or web pages.
Personal Sites and Blogs | Personal websites posted by individuals or groups, as well as blogs.
Philosophy and Political Advocacy | Politics, philosophy, discussions, promotion of a particular viewpoint or stance in order to further a cause. Example: http://philosophynow.org
Phishing and Other Frauds | Phishing, pharming, and other sites that pose as a reputable site, usually to harvest personal information from a user. These sites are typically quite short-lived, so examples may not last long.
Private IP Addresses | RFC 1918, Address Allocation for Private Intranets: 10.0.0.0 - 10.255.255.255 (10/8 prefix), 192.168.0.0 - 192.168.255.255 (192.168/16 prefix).
Proxy Avoid and Anonymizers | Proxy servers and other methods to gain access to URLs in any way that bypasses URL filtering or monitoring. Web-based translation sites that circumvent filtering.
Questionable | Tasteless humor, "get rich quick" sites, and sites that manipulate the user experience or client in some unusual, unexpected, or suspicious manner.
Real Estate | Information on renting, buying, or selling real estate or properties. Tips on buying or selling a home. Real estate agents, rental or relocation services, and property improvement. Example: http://prudentialproperties.com
Recreation and Hobbies | Information, associations, forums and publications on recreational pastimes such as collecting, kit airplanes, outdoor activities such as hiking, camping, rock climbing, specific arts, craft, or techniques; animal and pet related information, including breed-specifics, training, shows and humane societies. Example: http://petloverspublications.com
Reference and Research | Personal, professional, or educational reference material, including online dictionaries, maps, census, almanacs, library catalogues, genealogy, and scientific information.
Religion | Conventional or unconventional religious or quasi-religious subjects as well as churches, mosques, synagogues, or other places of worship. Example: http://therocksandiego.org
Search Engines | Search interfaces using key words or phrases. Returned results may include text, websites, images, videos, and files.
Sex Education | Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, sexuality, birth control, and contraceptives.
Shareware and Freeware | Sites that contain software, screensavers, icons, wallpapers, utilities, ringtones, including downloads that request a donation on open source projects.
Shopping | Department stores, retail stores, company catalogs and other sites that allow online consumer or business shopping to purchase goods and services.
Social Network | Social networking sites that have user communities where users interact, post messages, pictures, and otherwise communicate.
Society | A variety of topics, groups, and associations relevant to the general populace, broad issues that impact a variety of people, including safety, children, societies, and philanthropic groups.
Spam URLs | URLs contained in SPAM.
Sports | Team or conference web sites, international, national, college, professional scores and schedules; sports-related online magazines or newsletters, fantasy sports and virtual sports leagues. Example: http://schoenen-dunk.de
Spyware and Adware | Spyware or adware sites that provide or promote information gathering or tracking that is unknown to, or without the explicit consent of, the end user or the organization; also unsolicited advertising popups and programs that may be installed on a user's computer.
Stream Media | Sales, delivery, or streaming of audio or video content, including sites that provide downloads for such viewers.
Swimsuits and Intimate Apparel | Swimsuits, intimate apparel or other types of suggestive clothing.
Training and Tool | Distance education, trade schools, online courses, vocational training, software training, and skills training. Example: http://trainingtools.com
Translation | Language translation sites that allow users to see URL pages in other languages. Examples: http://translate.google.com, http://microsofttranslator.com
Travel | Airlines and flight booking agencies. Travel planning, reservations, vehicle rentals, car rentals, descriptions of travel destinations, promotions for hotels or casinos. Example: http://cheapflights.com
Uncategorized | Sites that have not been categorized by the URL Web Service.
Unconfirmed Spam Sources | Unconfirmed SPAM sources.
Violence | Sites that advocate violence, depictions and methods, including game/comic violence, and suicide.
Weapons | Sales, reviews, descriptions of weapons such as guns, knives, martial arts accessories.
Web Advertisements | Advertisements, media, content, and banners.
Web Based Email | Sites offering web-based email and email clients.
Web Hosting | Free or paid hosting services for web pages and information concerning their development, publication, and promotion.
Proxy Server Profile for URL Categorization and Certificate Revocation Status
To keep the security network stable, you can now redirect URL look-ups and certificate revocation status checks to a Proxy Server Profile. This Proxy Server Profile is attached to your Inline SSL deployment. To learn more, refer to Proxy Server Configuration.