Check Point’s SSL Inspection Technology | Enterprise Network Security


Hello my name is Eytan Siegel. I’m the
director of VPN products at Check Point Software Technologies. Encrypted SSL
traffic is critical for user privacy and to securely conduct business across the
net and indeed we’ve seen a huge rise in websites shifting to SSL in recent years.
This is a good thing however, encrypted traffic can be used to conceal attacks
to prevent threats we need the ability to look inside encrypted traffic. I’m
going to talk about checkpoints SSL inspection technology which allows our
advanced security functions to analyze the content of encrypted network traffic.
With SSL inspection our gateways can force the same level of security on
encrypted traffic as they do with clear traffic. We’ll start by reviewing how SSL
is used by browsers to establish secure communication with a web site on the
Internet. We’ll be using Facebook as an example.
Notice the browser is using HTTPS. The s denotes that the HTTP session is
encrypted with SSL. The first function of SSL is to establish trust with a site
the browser trusts a web server if the server has a digital certificate that
was issued by a trusted certificate authority or CA that is vetting the
site’s identity. The SSL handshake starts off with the web server sending its
certificate to the browser. Facebook’s web server needs a way to
prove it’s the rightful owner of the certificate. For this, Facebook has a file
called a private key which is cryptographically paired with its
certificate. Without possession of Facebook’s private key
no one can forge its certificate and impersonate the site on the web. This is
a key part of SSL. Facebook certificate is signed by a CA named Verisign. our browser searches for Verisign certificate in its store of trusted CA
certificates. On windows the list of justed cas is maintained by Microsoft. In
our example the Verisign certificate is found in a trusted store and so the
browser decides to trust Facebook certificate now that the SSL
cryptographic validation is done and the browser trusts the website browsing
commences using SSL encrypted communication.
Let’s visit Facebook again but now we’re going to turn on checkpoint as a cell
inspection. Do this from the HTTPS inspection page on a smart dashboard. The first step for enabling SSL inspection is to create a CA certificate to be used
by the Gateway for signing. We provide a certificate name, validation date, and a password that will protect the private key. We then enable HTTPS inspection.
You’ll notice I skipped step two. We’ll get back to that in a short moment.
Now that our Gateway is performing SSL inspection let’s browse the Facebook
again and see what happens this time. The Gateway sees the browser’s as a sell
request and rather than letting the request who initiates its own as a self
session with Facebook pretending to be our browser. Like the browser the Gateway
has its own trusted CA store which it uses to validate that we trust Facebook
certificate. This validation is critical in order to preserve the trust
validations to normally carried out by the browser. Once the connection between
the Gateway and Facebook is established the Gateway creates an SSL certificate
that is very similar to that of Facebook. This certificate has its own private key
associated with it the Gateway signs the copied certificates using the CA
certificate we created for the Gateway. Now the Gateway completes the SSL
session with our browser pretending to be Facebook and using that just created
certificate. But wait the certificate that the Gateway has generated for
Facebook is not signed with the CA that the browser trusts. It’s signed with the
we generated a moment ago. So, the browser warns the user that the certificate is
not valid. There’s one more key step that must happen before the Gateway can
perform as a SSL inspection without generating a warning in our browser and
that is that the Gateway CA certificate must be added to the
browser’s trusted store. To accomplish this we export the Gateway CA
certificate file. That’s the second step we skipped a moment ago and then import
it manually to your PCs trusted CA store. You can also automatically distribute
the Gateway CA by using Group Policy objects in Microsoft Active Directory.
From this point on the browser trusts certificates generated by the Gateway
and will thus just the one that the Gateway has just created for Facebook at
this point the Gateway has established SSL connections with both Facebook and
our browser acting as a bridge between the two this way the Gateway can inspect
the content of the encrypted SSL traffic. As an example let’s see SSL inspection
in action with checkpoints data loss prevention, DLP. Using my personal gmail
account, which uses SSL, I write an email to my friend Jim attaching a file
containing confidential customer data. When I try to send it I immediately get
an on screen message from the Gateway alerting me to the potential breach.
Before SSL inspection this breach would have gone unnoticed. We can now also
prevent threats concealed in SSL by enabling inspection for IPS antivirus
and other software plates. You may decide to avoid inspecting some encrypted
traffic in order to comply with regulatory requirements or privacy laws. For example I may want to turn on SSL inspection to perform URL filtering but
at the same time I’d like to exclude traffic to online banking and health
sites from being inspected in order to protect employee privacy. To achieve this
we use the HTTPS inspection policy in the smart dashboard. We add a rule to the
rule base to get this done. As you can see SSL inspection
technology enables the suite of advanced Check Point security applications to scan
encrypted data in order to maximize your protection and to ensure you are secure
from malicious attacks. To find out more information about checkpoints advanced
security technologies please visit us at checkpoint.com

9 thoughts on “Check Point’s SSL Inspection Technology | Enterprise Network Security

  1. it doesn't called ssl inspection it call https inspection. it workes in some cases but TAC support only browser' based HTTPs traffic (the feature also called HTTPs Inspection and not SSL Inspection)

Leave a Reply

Your email address will not be published. Required fields are marked *