Cisco Web Security Appliance S170 User Guide
12-9
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Decrypting HTTPS Traffic
• Drop. The appliance drops the connection and does not notify the client. This is the most restrictive option.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection. For more information about how the appliance decrypts HTTPS traffic, see Decrypting HTTPS Traffic.
• Monitor. The appliance does not drop the connection, and instead it continues comparing the server request with the Decryption Policy groups. This is the least restrictive option.
Note
When an invalid server certificate is monitored, the errors in the certificate are maintained and passed along to the end user.
Some server certificates might be invalid for multiple reasons. If a server certificate is invalid for multiple reasons, the HTTPS Proxy performs the most restrictive action configured for each reason using the following order, with the most restrictive action listed first:
• Drop
• Decrypt
• Monitor
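The following Python model, added here as an illustration and not taken from Cisco or AsyncOS, shows how a proxy would resolve the configured action when one server certificate fails several checks at once: each reason carries its own configured action, the most restrictive one (Drop over Decrypt over Monitor) wins, and when the outcome is Monitor the detected errors are retained so that they reach the client. The reason names, the policy table, the trust store and the certificate records are all constructed for the example.

```python
# Added example (not Cisco/AsyncOS code): models how an HTTPS proxy resolves
# the configured action when a server certificate fails several checks at
# once, using the ordering Drop > Decrypt > Monitor.  The reason names, the
# policy table and the certificate records are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Action(IntEnum):
    """Invalid-certificate actions, ordered so that max() yields the most restrictive."""
    MONITOR = 0   # least restrictive: keep evaluating Decryption Policy groups
    DECRYPT = 1   # allow, but decrypt and apply Access Policies to the plaintext
    DROP = 2      # most restrictive: close the connection without telling the client


@dataclass
class ServerCert:
    """Minimal, constructed view of the fields the checks below need."""
    subject_names: set
    issuer: str
    not_after: datetime
    self_signed: bool = False


@dataclass
class Decision:
    action: "Action | None"          # None means the certificate passed every check
    reasons: list = field(default_factory=list)
    errors_passed_to_client: list = field(default_factory=list)


def find_invalid_reasons(cert, requested_host, trusted_issuers, now):
    """Return every reason (constructed names) the certificate is invalid."""
    reasons = []
    if cert.not_after <= now:
        reasons.append("expired")
    if requested_host not in cert.subject_names:
        reasons.append("mismatched_hostname")
    if cert.self_signed or cert.issuer not in trusted_issuers:
        reasons.append("unrecognized_issuer")
    return reasons


def resolve_action(reasons, policy):
    """
    Apply the per-reason policy table and keep the most restrictive result.
    When the outcome is Monitor, the certificate errors are retained so the
    client still sees them, as the guide's note describes.
    """
    if not reasons:
        return Decision(None)
    effective = max(policy[r] for r in reasons)
    passed = list(reasons) if effective == Action.MONITOR else []
    return Decision(effective, list(reasons), passed)


def evaluate(cert, requested_host, trusted_issuers, policy, now):
    """Full flow: detect the reasons, then resolve the action."""
    reasons = find_invalid_reasons(cert, requested_host, trusted_issuers, now)
    return resolve_action(reasons, policy)


# Constructed policy table: one configured action per reason.
EXAMPLE_POLICY = {
    "expired": Action.MONITOR,
    "mismatched_hostname": Action.DECRYPT,
    "unrecognized_issuer": Action.DROP,
}
TRUSTED_ISSUERS = {"Example Root CA"}            # constructed trust store
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def demo():
    """Four constructed certificates: one, two and one failing check, then a valid one."""
    host = "www.example.test"
    expired_only = ServerCert({host}, "Example Root CA",
                              datetime(2024, 1, 1, tzinfo=timezone.utc))
    expired_and_wrong_host = ServerCert({"other.example.test"}, "Example Root CA",
                                        datetime(2024, 1, 1, tzinfo=timezone.utc))
    self_signed = ServerCert({host}, host,
                             datetime(2030, 1, 1, tzinfo=timezone.utc), self_signed=True)
    valid = ServerCert({host}, "Example Root CA",
                       datetime(2030, 1, 1, tzinfo=timezone.utc))
    return [evaluate(c, host, TRUSTED_ISSUERS, EXAMPLE_POLICY, NOW)
            for c in (expired_only, expired_and_wrong_host, self_signed, valid)]


if __name__ == "__main__":
    for d in demo():
        name = d.action.name if d.action is not None else "VALID"
        print(name, d.reasons, d.errors_passed_to_client)
```

The second certificate is the case the text is about: it is both expired (configured Monitor) and issued for the wrong host (configured Decrypt), so the proxy decrypts rather than merely monitors. The self-signed certificate triggers the Drop reason, which dominates regardless of anything else that is wrong with it.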
For more information about configuring the appliance to handle invalid server certificates, see
Decrypting HTTPS Traffic
The request and response data is encrypted for HTTPS connections before it is sent across the network. Because the data is encrypted, third parties can view the data, but cannot decrypt it to read its contents without the private key of the HTTPS server.
Figure 12-3 shows an HTTPS connection between a client and an HTTPS server.
Figure 12-3 HTTPS Connection
The Web Security appliance does not have access to the server's private key, so in order to inspect the traffic between the client and the server, it must intercept the connection and break the connection into two separate connections. The appliance acts as an intermediary between the client and the server, pretending to be the server to the client, and the client to the server. This is sometimes referred to as being the "man in the middle."
The following figure shows an HTTPS connection between a client and an HTTPS server that goes through the Web Security appliance.
(Figure: Client, Web Security appliance, Server)