Enabling HTTPS Inspection with Upstream Explicit Proxy using Flexible Inline SSL (6.3)
Introduction
Nearly 80% of enterprise traffic is SSL/TLS encrypted. Typically, enterprises have an explicit web proxy deployed at the perimeter to enforce security policies. However, it is not prudent to rely on a single security control, and deploying additional security controls is intensive and challenging. The GigaSECURE Inline SSL solution's ability to decrypt once and feed multiple tools makes it easier to manage the security tool stack. The following Gigamon Validated Design (GVD) illustrates deploying the solution behind an explicit web proxy and tuning it to match the security enforcements on the proxy.
Design Topology
Design Overview
In the example below, an enterprise has an explicit proxy deployed for inspecting web traffic and wants to deploy an Advanced Threat Prevention (ATP) tool that inspects the same traffic the proxy inspects. The ATP can be stacked behind the proxy, but stacking tools serially adversely impacts network performance and results in operational nightmares. To account for future expansion and/or maintenance of security tools, the enterprise can deploy the Gigamon HC device behind the proxy so that the ATP can be connected to it. To match the security enforcements on the proxy, we will illustrate:
- Configuring the proxy's SSL root CA in the Gigamon HC device to decrypt the SSL/TLS traffic and feed it to the ATP.
- Bypassing SSL/TLS traffic such as financial_services, health_and_medicine, and so on to comply with business, legal and regulatory requirements.
Some of our customers may have their explicit proxy on the downstream side of the network. The Gigamon configuration remains the same. Please refer to the document attached to this GVD for deploying the Inline SSL solution with the proxy on the south side of the network.
To learn more about this solution, read complete details on the Gigamon Community: Enabling_HTTPS_Inspection_with_Upstream_Explicit_Proxy_using_Flexible_Inline_SSL