Inline SSL Traffic Filtering

Because SSL/TLS connections can carry sensitive data, some organizations may require that certain SSL/TLS connections not be inspected. SSL connections that carry user data such as financial or health care information can be bypassed without inspection, based on a configured policy.

Based on the decryption policies, some connections are not decrypted and are passed through, optionally to and through tools, without decryption. The inline SSL decryption solution respects data privacy and supports compliance.

Inline SSL decryption provides different ways to filter traffic, as follows:

■   No-decrypt lists specify traffic to always pass through. A no-decrypt list policy states that traffic from certain sites should always skip decryption. Refer to No-decrypt Listing Policy.
■   Decrypt lists specify traffic to always decrypt. A decrypt policy states that traffic from certain sites should always be decrypted. Refer to Decrypt Listing Policy.
■   Both No-decrypt lists and Decrypt lists support comments, IP addresses, IP subnets and explicit wildcards for entries and domain rules.
■   URL Web Services categorizes URLs by their type; for example, MyBank.com is categorized as a financial institution, so a policy can be set to not decrypt that traffic. This is also called URL filtering. Typically, banking and health care traffic is not decrypted. Refer to URL Categorization.
■   Policy rules based on network attributes, such as
o   Source IPv4 address
o   Destination IPv4 address
o   VLAN
o   L4 port

No-decrypt Listing Policy

No-decrypt lists are typically used in environments where the default is to decrypt, except for certain sites or classes of sites which cannot be decrypted for legal or compliance reasons. By default, traffic that is not to be decrypted is forwarded to the tools unless otherwise configured.

A no-decrypt list file can contain a maximum of 10,000 entries.

Decrypt Listing Policy

Decrypt listing is typically used at sites where specific classes of connections must be decrypted, although the default for other traffic is not to decrypt. Decrypt listed domains and host names will always be decrypted.

A decrypt list file can contain a maximum of 10,000 entries.

Rules and Notes while configuring a No-Decrypt/Decrypt List Policy

  1. The maximum number of domains/hostnames supported per list is 10,000.

  2. IP subnets are supported from version 5.13.01, for example 10.10.10.0/24.

  3. Special characters are not supported except where they form part of a domain name or subnet: * . - @ are supported in domain names, and / is supported when an IP subnet is defined. # comments out a line. An example of the text file format follows:

    • *.google.com

    • www.gigamon.com

    • gigamon.com

    • domain-registration.com.us

    • 10.10.1.1

    • 10.10.1.0/24

  4. Ranges of IP addresses are not supported, for example 10.10.10.10-20.

  5. Put each entry on its own line. Separator characters such as , and ; are not supported.

  6. On GigaVUE-OS pre-5.9 versions, gigamon.com as an entry matches gigamon.com and all its subdomains, that is, abc.gigamon.com, abc.xyz.gigamon.com etc.

  7. Starting from GigaVUE-OS v5.9, gigamon.com as an entry matches only gigamon.com. To match all subdomains of gigamon.com on v5.9+, use *.gigamon.com.

  8. If the system has a large set of decrypt/no-decrypt list entries, the GigaVUE-FM stats page and the CLI stats command do not display any output. Wait 5 to 10 minutes after reloading before checking the inline SSL show stats command in the CLI and the stats page in GigaVUE-FM.

IP Address Subnet with Longest Prefix Match (LPM)

The no-decrypt and decrypt databases allow the user to use IP subnets, so overlapping IP addresses can be configured across the decrypt and no-decrypt databases. The decision to decrypt or not decrypt is based on the longest prefix match among the IP entries in the decrypt and no-decrypt databases.

The format is subnet/prefix with no space, for example 191.1.1.0/32.
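The following is an added worked example, not Gigamon code, that ties together the list-file rules above (comments, wildcards, hosts, subnets, rejected ranges and separators, the pre-5.9 versus 5.9+ subdomain semantics) and the longest-prefix-match decision across overlapping decrypt and no-decrypt subnet entries. The two sample lists are constructed for the example; the tie-break for equal prefix lengths and the treatment of the apex name under a *. wildcard are assumptions, since the page does not state them.

```python
import ipaddress
import re
from typing import Optional

MAX_ENTRIES = 10_000  # maximum domains/hostnames per list, as stated on the page

# Rule 3: letters and digits plus * . - @ are the only characters allowed in a domain entry
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9*.\-@]+$")
# Rule 4: an IP range such as 10.10.10.10-20 is not supported
_RANGE_RE = re.compile(r"^\d[\d.]*-\d")


def parse_list(text: str):
    """Parse the text of a decrypt or no-decrypt list file.

    Returns (domain_entries, ip_networks, rejected_lines). One entry per line,
    '#' comments out a line, and separators such as ',' or ';' are rejected.
    """
    domains, nets, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "," in line or ";" in line or _RANGE_RE.match(line):
            rejected.append(line)
            continue
        try:
            # a bare host (10.10.1.1) becomes a /32; a subnet keeps its prefix
            nets.append(ipaddress.IPv4Network(line, strict=False))
            continue
        except ValueError:
            pass
        if _DOMAIN_RE.match(line):
            domains.append(line.lower())
        else:
            rejected.append(line)
    if len(domains) + len(nets) > MAX_ENTRIES:
        raise ValueError(f"list exceeds the {MAX_ENTRIES}-entry limit")
    return domains, nets, rejected


def domain_matches(entry: str, host: str, os_version: tuple) -> bool:
    """Does one domain entry cover this hostname under the given GigaVUE-OS version?

    Rule 6 (pre-5.9): 'gigamon.com' also matches every subdomain.
    Rule 7 (5.9+):    'gigamon.com' matches only itself; '*.gigamon.com' covers subdomains.
    Assumption: a '*.' wildcard covers subdomains only, not the apex name itself.
    """
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        return host.endswith(entry[1:])          # entry[1:] is ".gigamon.com"
    if host == entry:
        return True
    return os_version < (5, 9) and host.endswith("." + entry)


def ip_decision(addr: str, decrypt_nets, no_decrypt_nets) -> Optional[str]:
    """Longest prefix match across both databases, as the LPM section describes.

    Assumption: the page gives no tie-break for equal prefix lengths; the
    no-decrypt database is scanned first so a tie resolves to no-decrypt.
    """
    ip = ipaddress.IPv4Address(addr)
    best, best_len = None, -1
    for label, nets in (("no-decrypt", no_decrypt_nets), ("decrypt", decrypt_nets)):
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = label, net.prefixlen
    return best


def decision(target: str, decrypt_list: str, no_decrypt_list: str,
             os_version=(5, 13)) -> Optional[str]:
    """Return 'decrypt', 'no-decrypt' or None (no list matched) for a host or IP."""
    d_dom, d_net, _ = parse_list(decrypt_list)
    n_dom, n_net, _ = parse_list(no_decrypt_list)
    try:
        ipaddress.IPv4Address(target)
        return ip_decision(target, d_net, n_net)
    except ValueError:
        pass  # not an IP address: fall through to hostname matching
    if any(domain_matches(e, target, os_version) for e in n_dom):
        return "no-decrypt"
    if any(domain_matches(e, target, os_version) for e in d_dom):
        return "decrypt"
    return None


# Constructed sample lists (not from the page) in the text-file format the rules describe.
NO_DECRYPT_LIST = """\
# keep banking and health care traffic private
*.mybank.example
healthportal.example
10.10.1.0/24
"""

DECRYPT_LIST = """\
gigamon.com
10.10.1.128/25
10.10.1.1
bad,entry.example
10.10.10.10-20
"""

if __name__ == "__main__":
    print(parse_list(DECRYPT_LIST)[2])                                # the two rejected lines
    print(decision("10.10.1.200", DECRYPT_LIST, NO_DECRYPT_LIST))     # /25 beats /24
    print(decision("abc.gigamon.com", DECRYPT_LIST, NO_DECRYPT_LIST, (5, 8)))
```

Note that 10.10.1.0/24 in the no-decrypt list and 10.10.1.128/25 in the decrypt list overlap: 10.10.1.5 matches only the /24 and is left alone, while 10.10.1.200 matches both and is decrypted because the /25 is the longer prefix.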

URL Categorization

URL categories make it convenient to apply policies to all possible URLs by reducing the number of policy rules. Categorization is based on the hostname in the TLS Server Name Indication (SNI), or on the hostname from the server certificate if there is no SNI. There are 83 categories, including one for Uncategorized, which is the default category for URLs that do not match any of the other 82 categories. The categories are fixed, meaning that categories cannot be added, deleted or modified.

GigaSMART ships with a local database of 1M entries and also performs a cloud lookup for hosts not found in the local database. The URL Web Service provides the URL categorization. The URL database is updated daily from the URL Web Service. Each update likely adds new entries and purges others, while always keeping the database at 1M entries.

Note:  When a URL is not in the cache, for cloud look-ups the stack port interface on GigaSMART must be configured to provide Internet access. Refer to Set up the Stack Port Interface for more information.

URL Look-ups and Caching

As part of the iSSL processing, URL look-ups are performed against the database. If the URL is not found in the database, then a lookup is performed against the local cache. If the URL is not found in the local cache, then an external lookup to the URL Web Services may be performed, if configured. If the URL is found in the external look-up, then it is dynamically saved in the local cache. Future look-ups may then find the URL in the local cache instead of requiring the external look-up.

Note:  

  • For TLS connections containing SNI in the Client Hello, do not perform URL look-up in the certificate phase.
  • CN based evaluation can be performed using the configuration option.

The local cache can hold up to 250k entries (in addition to the 1M entry database). The local cache works like a circular buffer – older entries are discarded to make room for newer ones if the cache is full. Each cache entry is valid for 24 hours and updated with current time stamp whenever an entry is made. If an expired entry is encountered, a new query is issued to the URL Web Services to refresh the entry in the cache. Expired entries don’t get actively deleted from the cache.

Because the URL Web Service is hosted on AWS, external look-ups must complete quickly. Gigamon provides a timeout option of up to 10 seconds for external URL look-ups via the URL cache miss defer option.

Note:   

  • URLs may get recategorized as part of updates from the URL Web Services. This is transparent to Gigamon and customers.
  • The URL category classification is fixed, and a new category cannot be added. Gigamon provides the no-decrypt list/decrypt list functionality, which can achieve the same result as creating a custom category.

  • If a URL belongs to multiple categories, any no-decrypt policy would take precedence over all decrypt policies.
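The look-up and caching behaviour described above, as an added simulation that is not Gigamon's implementation: the look-up order (local database, then local cache, then the URL Web Service), a circular-buffer cache with a 24-hour entry lifetime where expired entries are refreshed rather than deleted, the cache-miss-defer deadline, and the rule that a no-decrypt policy takes precedence when a URL belongs to several categories. The local database, web-service responses, latencies and clock are constructed stand-ins; what happens when the deadline passes is not stated on the page and is an assumption marked in the code.

```python
import time
from collections import OrderedDict
from typing import Callable

CACHE_TTL_SECONDS = 24 * 3600   # each local-cache entry is valid for 24 hours (page)
CACHE_CAPACITY = 250_000        # the local cache holds up to 250k entries (page)
CACHE_MISS_DEFER_MAX = 10.0     # external look-up timeout is configurable up to 10 s (page)


class UrlCategorizer:
    """Look-up order from the page: local database, then local cache, then URL Web Service."""

    def __init__(self, database: dict, external_lookup: Callable[[str], set],
                 timeout: float = CACHE_MISS_DEFER_MAX, capacity: int = CACHE_CAPACITY,
                 clock: Callable[[], float] = time.time):
        self.database = database                  # stand-in for the 1M-entry local database
        self.external_lookup = external_lookup    # stand-in for the URL Web Service call
        self.timeout = min(timeout, CACHE_MISS_DEFER_MAX)
        self.capacity = capacity
        self.clock = clock
        self.cache = OrderedDict()                # host -> (categories, time stamp of entry)
        self.external_calls = 0

    def _cache_put(self, host: str, cats: set) -> None:
        if host in self.cache:
            del self.cache[host]                  # refresh: re-insert with a new time stamp
        elif len(self.cache) >= self.capacity:
            self.cache.popitem(last=False)        # circular buffer: drop the oldest entry
        self.cache[host] = (set(cats), self.clock())

    def categories(self, host: str) -> set:
        host = host.lower()
        if host in self.database:
            return set(self.database[host])
        hit = self.cache.get(host)
        if hit is not None and self.clock() - hit[1] < CACHE_TTL_SECONDS:
            return set(hit[0])
        # Miss, or an expired entry still sitting in the cache: query the web service
        # again, bounded by the cache-miss-defer timeout.
        self.external_calls += 1
        started = self.clock()
        cats = self.external_lookup(host)
        if self.clock() - started > self.timeout:
            # Assumption: the page does not say what happens when the deadline passes;
            # here the host is treated as Uncategorized and nothing is cached.
            return {"Uncategorized"}
        self._cache_put(host, cats)
        return set(cats)

    def cached_hosts(self) -> list:
        return list(self.cache)


def policy_action(categories: set, no_decrypt_categories: set, decrypt_categories: set) -> str:
    """A URL in several categories: any no-decrypt policy wins over every decrypt policy."""
    if categories & no_decrypt_categories:
        return "no-decrypt"
    if categories & decrypt_categories:
        return "decrypt"
    return "default"


# --- constructed offline stand-ins (not Gigamon data) ---------------------------------
class FakeClock:
    """Controllable clock so the TTL and timeout paths can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


CLOCK = FakeClock()

LOCAL_DB = {"paypal.com": {"Financial Services"}, "webmd.com": {"Health and Medicine"}}

# host -> (categories, simulated round-trip latency in seconds)
_WEB_SERVICE = {
    "example-shop.test": ({"Shopping", "Web Advertisements"}, 0.2),
    "slow.test": ({"Games"}, 12.0),
}


def fake_web_service(host: str) -> set:
    cats, latency = _WEB_SERVICE.get(host, ({"Uncategorized"}, 0.1))
    CLOCK.advance(latency)
    return cats


if __name__ == "__main__":
    c = UrlCategorizer(LOCAL_DB, fake_web_service, timeout=5.0, capacity=2, clock=CLOCK)
    print(c.categories("paypal.com"), c.external_calls)         # database hit, no external call
    print(c.categories("example-shop.test"), c.external_calls)  # miss -> web service -> cached
    CLOCK.advance(CACHE_TTL_SECONDS + 1)
    print(c.categories("example-shop.test"), c.external_calls)  # expired -> refreshed in place
    print(c.categories("slow.test"), c.cached_hosts())          # deadline exceeded -> not cached
```

The capacity is reduced to 2 in the usage so the circular-buffer eviction is visible; with the page's 250k entries the same code simply evicts much later.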

Inline SSL URL categories

The following is the list of Inline SSL URL categories with examples.

Note:  Gigamon does not endorse any of the following categories, descriptions, and examples, but has replicated the information from the URL Web Services. Some categories are presented without examples since they are not appropriate.

Category Name: Description and Examples

Abortion: Abortion topics, either pro-abortion or anti-abortion.

Abused Drugs: Discussion or remedies for illegal, illicit, or abused drugs such as heroin, cocaine, or other street drugs. This category includes information on the misuse of non-proscribed substances (e.g. "glue sniffing") or the misuse of prescription medications.

Adult and Pornography: Sexually explicit material for the purpose of arousing a sexual or prurient interest. Online groups, including newsgroups and forums, that are sexually explicit in nature.

Alcohol and Tobacco: Sites that provide information on, promote, or support the sale of alcoholic beverages or tobacco products and associated paraphernalia.

Auctions: Sites that support the offering and purchasing of goods between individuals as their main purpose. Does not include classified advertisements. Examples: http://ebay.co, http://quibids.com

Botnets: URLs, typically IP addresses, which are determined to be part of a bot network from which network attacks are launched. Attacks may include spam messages, DoS, SQL injection, proxy jacking, and other unsolicited contacts.

Business and Economy: Business firms, corporate websites, business information, economics, marketing, management, and entrepreneurship. Examples: http://samsung.com, http://ups.com

Content Delivery Networks: Delivery of content and data for third parties, including ads, media, files, images, and video. Examples: http://metacdn.co, http://edgestream.com

Cheating: Sites that support cheating on examinations and contain such materials, including free essays, exam copies, plagiarism, etc.

Computer and Internet Info: General computer and Internet sites, technical information. SaaS sites and other URLs that deliver internet services. Examples: http://ranking.co, http://system.netsuite.com

Computer and Internet Security: Computer/Internet security, security discussion groups. Examples: http://siteadvisor.co, http://webroot.com

Confirmed Spam Sources: Confirmed spam sources.

Cult and Occult: Internet resources which include discussion of astrology, spells, curses, magical powers, satanic rituals or supernatural beings. This includes horoscope sites.

Dating: Dating websites focused on establishing personal relationships. Example: http://eharmony.com

Dead Sites: Dead sites that do not respond to HTTP queries. Policy engines should usually treat these as "Uncategorized" sites. Examples: http://g00gle.com, http://whitehouse.info

Dynamic Content: Domains that generate content dynamically based on arguments to their URL or other information (like geo-location) in the incoming web request. Example: booking.com

Education Institution: Pre-school, elementary, secondary, high school, college, university, and vocational school and other educational content and information including enrollment, tuition, and syllabus. Examples: http://mit.edu, http://ox.ac.uk

Entertainment and Arts: Motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment. Examples: http://eonline.com, http://warnerbros.com

Fashion and Beauty: Fashion or glamour magazines, beauty, clothes, cosmetics, style. Examples: http://visionmodels.co.uk, http://genejuarez.com

Financial Services: Banking services and other types of financial information, such as loans, accountancy, actuaries, banks, mortgages, and general insurance companies. Does not include sites that offer market information, brokerage or trading services. Examples: http://firstpremierbankcards.com, http://paypal.com

Gambling: Gambling or lottery web sites that invite the use of real or virtual money. Information or advice for placing wagers, participating in lotteries, gambling, or running numbers. Virtual casinos and offshore gambling ventures. Sports picks and betting pools.

Games: Playing or downloading video games, computer games, electronic games, tips, and advice on games or how to obtain cheat codes. Also includes sites dedicated to selling board games as well as journals and magazines dedicated to game playing. Examples: http://duowan.com, http://ubi.com

Government: Information on government, government agencies and government services such as taxation, public, and emergency services. Also includes sites that discuss or explain laws of various governmental entities. Includes local, county, state, and national government sites. Examples: http://www.nasa.gov, http://premier-ministre.gouv.fr

Gross: Sites that describe or display material which would be considered foul or disgusting. Examples would include bodily fluids, injuries, gore.

Hacking: Illegal or questionable access to or use of communications equipment/software. Development and distribution of programs that may allow compromise of networks and systems.

Hate and Racism: Sites that contain content and language in support of hate crimes and racism.

Health and Medicine: General health, fitness, well-being, including traditional and non-traditional methods and topics. Medical information on ailments, various conditions, dentistry, psychiatry, optometry, and other specialties. Examples: http://webmd.com, http://missionvalleymedical.com

Home and Garden: Home issues and products, including maintenance, home safety, decor, cooking, gardening, home electronics, design, etc. Examples: http://homedepot.com, http://waysidegardens.com

Hunting and Fishing: Sport hunting, gun clubs, and fishing. Examples: http://fishingworks.com, http://wildlifelicense.com

Illegal: Criminal activity, copyright and intellectual property violations, etc.

Image and Video Search: Photo and image searches, online photo albums/digital photo exchange, image hosting. Examples: http://images.google.fr, http://gettyimages.com

Individual Stock Advice and Tools: Promotion and facilitation of securities trading and management of investment assets. Also includes information on financial investment strategies, quotes, and news. Examples: http://stockstar.com, http://morningstar.com

Internet Communications: Internet telephony, messaging, VoIP services and related businesses. Examples: http://skype.com, http://www.chatib.com/

Internet Portals: Web sites that aggregate a broader set of Internet content and topics, and which typically serve as the starting point for an end user. Examples: http://yahoo.com, http://qq.com

Job Search: Assistance in finding employment, and tools for locating prospective employers, or employers looking for employees. Examples: http://monster.com, http://51job.com

Keyloggers and Monitoring: Downloads and discussion of software agents that track a user's keystrokes or monitor their web surfing habits.

Kids: Sites designed specifically for children and teenagers. Examples: http://www.mundogaturro.com, http://www.poptropica.com

Legal: Legal websites, law firms, discussions and analysis of legal issues. Examples: http://www.pepperlaw.com, http://earlcaterlaw.com

Local Information: City guides and tourist information, including restaurants, area/regional information, and local points of interest. Examples: http://downtownlittlerock.com, http://sandiegorestaurants.com

Malware Sites: Malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, and code.

Marijuana: Marijuana use, cultivation, history, culture, legal issues.

Military: Information on military branches, armed services, and military history. Examples: http://defense.gov, http://www.mod.uk

Motor Vehicles: Car reviews, vehicle purchasing or sales tips, parts catalogs. Auto trading, photos, discussion of vehicles including motorcycles, boats, cars, trucks and RVs. Journals and magazines on vehicle modifications. Examples: http://www.carmax.com, http://carsales.com.au

Music: Music sales, distribution, streaming, information on musical groups and performances, lyrics, and the music business. Examples: http://itunes.com, http://bandcamp.com

News and Media: Current events or contemporary issues. Also includes radio stations, magazines, online newspapers, headline news sites, newswire services, personalized news services, and weather sites. Examples: http://abcnews.go.com, http://newsoftheworld.co.uk

Nudity: Nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect but may include sites containing nude paintings or photo galleries of an artistic nature.

Online Greeting Cards: Online greeting card sites. Examples: http://123greetings.com, http://greeting-cards.com

Online Personal Storage: Online storage and posting of files, music, pictures, and other data. Examples: http://box.net, http://freefilehosting.net

Open HTTP Proxies: Proxy servers that are accessible by any Internet user.

P2P (Peer to Peer): Peer to peer clients and access, including torrents, music downloads and programs.

Parked Sites: Parked domains are URLs which host limited content or click-through ads which may generate revenue for the hosting entities but generally do not contain content useful to the end user. Also includes Under Construction, folders, and web server default home pages. Examples: http://000.com, http://buythisdomain.com

Pay to Surf: Sites that pay users in the form of cash or prizes for clicking on or reading specific links, email, or web pages.

Personal Sites and Blogs: Personal websites posted by individuals or groups, as well as blogs. Examples: http://blogger.com, http://wordpress.org

Philosophy and Political Advocacy: Politics, philosophy, discussions, promotion of a particular viewpoint or stance in order to further a cause. Examples: http://philosophynow.org, http://political.com

Phishing and Other Frauds: Phishing, pharming, and other sites that pose as a reputable site, usually to harvest personal information from a user. These sites are typically quite short-lived, so examples may not last long.

Private IP Addresses: RFC 1918, Address Allocation for Private Internets. 10.0.0.0 - 10.255.255.255 (10/8 prefix); 192.168.0.0 - 192.168.255.255 (192.168/16 prefix).

Proxy Avoid and Anonymizers: Proxy servers and other methods to gain access to URLs in any way that bypasses URL filtering or monitoring. Web-based translation sites that circumvent filtering.

Questionable: Tasteless humor, "get rich quick" sites, and sites that manipulate the user experience or client in some unusual, unexpected, or suspicious manner.

Real Estate: Information on renting, buying, or selling real estate or properties. Tips on buying or selling a home. Real estate agents, rental or relocation services, and property improvement. Examples: http://prudentialproperties.com, http://realtor.com

Recreation and Hobbies: Information, associations, forums and publications on recreational pastimes such as collecting, kit airplanes, outdoor activities such as hiking, camping, rock climbing, specific arts, crafts, or techniques; animal and pet related information, including breed-specifics, training, shows and humane societies. Examples: http://petloverspublications.com, http://craftster.org

Reference and Research: Personal, professional, or educational reference material, including online dictionaries, maps, census, almanacs, library catalogues, genealogy, and scientific information. Examples: http://reference.com, http://wikipedia.org

Religion: Conventional or unconventional religious or quasi-religious subjects as well as churches, mosques, synagogues, or other places of worship. Examples: http://therocksandiego.org, http://biblesociety.ca

Search Engines: Search interfaces using key words or phrases. Returned results may include text, websites, images, videos, and files. Examples: http://google.com, http://sogou.com

Sex Education: Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, sexuality, birth control, and contraceptives. Example: http://sexetc.org

Shareware and Freeware: Sites that contain software, screensavers, icons, wallpapers, utilities, ringtones, including downloads that request a donation on open source projects. Examples: http://download.com, http://sourceforge.net

Shopping: Department stores, retail stores, company catalogs and other sites that allow online consumer or business shopping to purchase goods and services. Examples: http://amazon.com, http://groupon.com

Social Network: Social networking sites that have user communities where users interact, post messages, pictures, and otherwise communicate. Examples: http://facebook.com, http://twitter.com

Society: A variety of topics, groups, and associations relevant to the general populace, broad issues that impact a variety of people, including safety, children, societies, and philanthropic groups. Examples: http://dar.org, http://unicefusa.org

Spam URLs: URLs contained in spam.

Sports: Team or conference web sites; international, national, college, professional scores and schedules; sports-related online magazines or newsletters, fantasy sports and virtual sports leagues. Examples: http://nba.com, http://schoenen-dunk.de

Spyware and Adware: Spyware or adware sites that provide or promote information gathering or tracking that is unknown to, or without the explicit consent of, the end user or the organization; also unsolicited advertising popups and programs that may be installed on a user's computer.

Stream Media: Sales, delivery, or streaming of audio or video content, including sites that provide downloads for such viewers. Examples: http://youtube.com, http://ustream.tv

Swimsuits and Intimate Apparel: Swimsuits, intimate apparel or other types of suggestive clothing.

Training and Tool: Distance education, trade schools, online courses, vocational training, software training, and skills training. Examples: http://trainingtools.com, http://prezi.com

Translation: Language translation sites that allow users to see URL pages in other languages. Examples: http://translate.google.com, http://microsofttranslator.com

Travel: Airlines and flight booking agencies. Travel planning, reservations, vehicle rentals, car rentals, descriptions of travel destinations, promotions for hotels or casinos. Examples: http://cheapflights.com, http://expedia.com

Uncategorized: Sites that have not been categorized by the URL Web Service.

Unconfirmed Spam Sources: Unconfirmed spam sources.

Violence: Sites that advocate violence, depictions and methods, including game/comic violence, and suicide.

Weapons: Sales, reviews, descriptions of weapons such as guns, knives, martial arts accessories.

Web Advertisements: Advertisements, media, content, and banners. Examples: http://casalemedia.com, http://justwebads.com

Web Based Email: Sites offering web-based email and email clients. Examples: http://google.com/mail, http://foxmail.com

Web Hosting: Free or paid hosting services for web pages and information concerning their development, publication, and promotion. Examples: http://siteground.com, http://bluehost.com

Proxy Server Profile for URL Categorization and Certificate Revocation status

To ensure a stable security network, you can now redirect URL look-ups and certificate revocation status checks to a Proxy Server Profile. This Proxy Server Profile is attached to your Inline SSL deployment. To learn more, refer to Proxy Server Configuration.