Cisco Web Security Appliance S380 User Guide
Chapter 10 Decryption Policies
Decryption Policies Overview
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Not being able to inspect HTTPS traffic makes the network vulnerable to the
following risks:
• Secure site hosting malware. Spammers and phishers can create
legitimate-looking websites that are only reachable through an HTTPS
connection. Some users may mistakenly trust the web server because it
requires an HTTPS connection, resulting in intentional and unintentional
malware downloads.
• Malware from HTTPS web applications. Some malware can infect the
network from legitimate web applications, such as secure email clients, by
downloading attachments.
• Secure anonymizing proxy. Some web servers offer a proxy service over an
HTTPS connection that allows users to circumvent acceptable use policies.
When users on the network use a secure proxy server outside the network,
they can access any website, regardless of its web reputation or malware
content.
The appliance uses both a URL filtering engine and IronPort Web Reputation
Filters to make intelligent decisions about when to decrypt HTTPS connections.
With this combination, administrators and end users are not forced to make a
trade-off between privacy and security.
You can define HTTPS policies that determine if an HTTPS connection can
proceed without examination or whether the appliance should act as an
intermediary, decrypting the data passing each way and applying Access Policies
to the data as if it were a plaintext HTTP transaction.
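A simplified model of the decision described above, as an added example that is not taken from the Cisco guide and does not reproduce the appliance's own logic: an explicit URL-category rule is applied first, and the web reputation score decides the remaining connections. The category names, action names and score thresholds are assumptions chosen for illustration.

```python
# Simplified decrypt / pass-through decision model (added example).
# Category names, actions and thresholds are assumptions, not appliance defaults.
from dataclasses import dataclass

PASS_THROUGH, DECRYPT, DROP, MONITOR = "pass_through", "decrypt", "drop", "monitor"

@dataclass(frozen=True)
class DecryptionPolicy:
    category_actions: dict          # URL category -> action
    drop_below: float = -9.0        # assumed: score below this => drop
    pass_at_or_above: float = 6.0   # assumed: score at or above this => pass through
    no_score_action: str = DECRYPT  # assumed: hosts with no reputation data

    def decide(self, category, reputation):
        """Return the action for one HTTPS connection request."""
        action = self.category_actions.get(category, MONITOR)
        if action != MONITOR:
            return action           # explicit category rule wins
        if reputation is None:
            return self.no_score_action
        if reputation < self.drop_below:
            return DROP
        if reputation >= self.pass_at_or_above:
            return PASS_THROUGH     # trusted site: user privacy preserved
        return DECRYPT              # uncertain site: inspect like plaintext HTTP

POLICY = DecryptionPolicy(category_actions={
    "finance": PASS_THROUGH,        # privacy-sensitive traffic is not examined
    "proxy_anonymizer": DROP,       # secure anonymizing proxies
    "webmail": DECRYPT,             # attachments from HTTPS web applications
})

# Constructed sample requests: (host, URL category, reputation score or None)
SAMPLE_REQUESTS = [
    ("bank.example", "finance", 8.1),
    ("mail.example", "webmail", 7.5),
    ("anon.example", "proxy_anonymizer", 2.0),
    ("news.example", "news", 6.4),
    ("new-site.example", "uncategorized", -3.2),
    ("bad.example", "uncategorized", -9.6),
    ("unknown.example", "uncategorized", None),
]

def evaluate(requests, policy=POLICY):
    """Map each requested host to the action the policy selects."""
    return {host: policy.decide(cat, rep) for host, cat, rep in requests}

if __name__ == "__main__":
    for host, action in evaluate(SAMPLE_REQUESTS).items():
        print(f"{host:20} {action}")
```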
To configure the appliance to handle HTTPS requests, you must perform the
following tasks:
1. Enable the HTTPS Proxy. To monitor and decrypt HTTPS traffic, you must
first enable the HTTPS Proxy. For more information, see .
2. Create and configure Decryption Policy groups. Once the HTTPS Proxy is
enabled, you can create and configure Decryption Policy groups to determine
how to handle each request from each user. For more information, see .
3. Import custom root certificates (optional). Optionally, you can import one
or more custom root certificates so the Web Proxy can recognize additional
trusted root certificate authorities used by HTTPS servers. For more
information, see .