Cisco Web Security Appliance S690 User Guide

IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
DECRYPTION POLICIES OVERVIEW
HTTPS is a web protocol that acts as a secure form of HTTP. HTTPS encrypts HTTP requests 
and responses before they are sent across the network. Common thinking is that any 
connection to a site using HTTPS is “safe.” HTTPS connections are secure, not safe, and they 
do not discriminate against malicious or compromised servers. HTTPS is a secure way to 
complete legitimate transactions, but more dangerously, it is also a secure way to download 
malware that can infect your network.
Not being able to inspect HTTPS traffic makes the network vulnerable to the following risks:
• Secure site hosting malware. Spammers and phishers can create legitimate-looking 
websites that are only reachable through an HTTPS connection. Some users may 
mistakenly trust the web server because it requires an HTTPS connection, resulting in 
intentionally and unintentionally downloaded malware.
• Malware from HTTPS web applications. Some malware can infect the network from 
legitimate web applications, such as secure email clients, by downloading attachments.
• Secure anonymizing proxy. Some web servers offer a proxy service over an HTTPS 
connection that allows users to circumvent acceptable use policies. When users on the 
network use a secure proxy server outside the network, they can access any website, 
regardless of its web reputation or malware content.
The appliance uses both a URL filtering engine and IronPort Web Reputation Filters to make 
intelligent decisions about when to decrypt HTTPS connections. With this combination, 
administrators and end users are not forced to make a trade-off between privacy and security.
You can define HTTPS policies that determine if an HTTPS connection can proceed without 
examination or whether the appliance should act as an intermediary, decrypting the data 
passing each way and applying Access Policies to the data as if it were a plaintext HTTP 
transaction.
To configure the appliance to handle HTTPS requests, you must perform the following tasks:
1. Enable HTTPS scanning. To monitor and decrypt HTTPS traffic, you must first enable 
HTTPS scanning. For more information, see “Enabling HTTPS Scanning” on page 197.
2. Create and configure Decryption Policy groups. Once HTTPS scanning is enabled, you 
can create and configure Decryption Policy groups to determine how to handle each 
request from each user. For more information, see “Decryption Policy Groups” on 
page 181.
3. Import custom root certificates (optional). Optionally, you can import one or more 
custom root certificates so the Web Proxy can recognize additional trusted root certificate 
authorities used by HTTPS servers. For more information, see “Importing a Trusted Root 
Certificate” on page 211.
This book uses many terms from digital cryptography. This book also includes sections with 
background information about HTTPS and digital cryptography for reference only. For a list of