IronPort web proxies are capable of intercepting SSL to ensure they are not being used to tunnel other protocols. It used to be that you could run your SSH daemon on port 443, and even if you were behind a proxy you could tunnel your traffic over SSH, get out, and do whatever it is you wanted to do (BitTorrent, MSN, etc.).
The reason for this was fairly simple: since the connection was encrypted end to end, the proxy could not see the traffic carried inside it and so could not tell whether it was legitimate HTTPS or not. Luckily, the Cisco IronPort has a way around this: it inserts itself into every SSL path, so the actual SSL stream looks like this:
Client <--- Secure SSL with the IronPort's public cert ---> IronPort <--- IronPort's own secure connection with the SSL website ---> Secure Website.
The main drawback of this approach is that the certificate presented to the client will be untrusted, because it is signed by the IronPort rather than by a public CA. This is easily resolved either by trusting the IronPort's self-signed certificate as a root CA (meaning any certificate the IronPort subsequently signs is trusted) or by having the IronPort request a CA certificate signed by your own organization's root CA and then rolling out the trust relationship via Group Policy.
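To make the trust chain concrete, here is an added example (not from the original post or from Cisco) that models it with Go's standard crypto/x509 package: a constructed proxy root CA named "ironport.mycompany.com" issues a leaf for the real site, and BrowserAccepts performs the two checks a browser does, chaining to a trusted root and matching the hostname, which is exactly the question raised in the comments below. All names and keys are constructed; the proxy root is only accepted when it has been installed in the (here explicit) trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with signer; pass tmpl as its own parent for a self-signed root.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed example: a failure here is a programming error, not bad input
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildInterceptChain models the chain in the post: the proxy's own root CA (constructed
// name "ironport.mycompany.com") issues a fresh leaf whose subject and SAN are the real site.
func BuildInterceptChain(site string) (root, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "ironport.mycompany.com"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	root = mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf = mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: site},
		DNSNames: []string{site}, NotBefore: now, NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, &leafKey.PublicKey, caKey)
	return root, leaf
}

// BrowserAccepts runs the two browser checks: does the leaf chain to a root in the client's
// trust store (nil = proxy root never installed), and does its SAN match the host typed.
func BrowserAccepts(leaf, trustedRoot *x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // explicit pool keeps the system trust store out of the result
	if trustedRoot != nil {
		pool.AddCert(trustedRoot)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

The tell-tale for a user or defender is visible on the leaf itself: leaf.Issuer.CommonName is the proxy CA rather than a public CA, even though leaf.Subject.CommonName is the site that was requested.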
Another awesome IronPort feature, and a great way to stop people doing the dodgy on your network.
Say I point my browser to https://mail.google.com. My browser will see a certificate "issued to" "ironport.mycompany.com" instead of "mail.google.com." So, my question is: Even if the certificate issued to "ironport.mycompany.com" is trusted, why won't my browser throw an error because of the mismatch?
Because the certificate is issued to mail.google.com by the cert authority ironport.mycompany.com.
Thanks so much for your reply, Scott! Anonymous, Scott is spot on: the domain on the cert (the subject name) doesn't match the domain name you're visiting, hence the certificate is invalid.