To exclude IP ranges from decryption, add network filters for IP addresses.
To exclude servers by IP address:
Enter the IP range that you want to exclude. For example, a filter with the following fields (address and port, protocol, action):
    10.20.0.12:443    TCP    ignore
The excluded IP address in this example covers a smaller range than the included IP addresses, so the more specific excluded range takes precedence over the included range. Consequently, SSL traffic to this address and port is ignored and not decrypted.
You can also specify exclusions based on DNS names. If an SSL connection is made to a server with a matching domain name, the connection is not decoded.
Default List of Excluded Domains
The NBA is prepopulated with a default list of excluded domains. These domains are the addresses of Windows Update and Activation servers. We recommend that you add antivirus and other infrastructure management connections to this list. Or add an IP address filter or port number filter (or both) to exclude these sessions from SSL decoding.
How Are Domains Verified?
If you have an RFC2817 HTTP CONNECT proxy that browsers use to connect to secure web sites, and your NBA appliance is between the clients and the proxy, the NBA appliance identifies the destination domain for each connection. If the domain is excluded, SSL connections to the domain are allowed to proceed without decoding.
For connections that do not go through a proxy, the NBA compares domains against the "Subject" or "Issued to" property of the SSL certificate. The first connection to the domain is closed and subsequent connections are allowed to proceed without decoding.
Subdomains
Subdomains of excluded domains are also excluded. For example, if the excluded domain is "company.com" but the website is "special.company.com", then the subdomain is still excluded.
To exclude domains using the NBA console
To exclude domains by editing nbapolicy.xml
    <domainexcludelist type="stringListType">
        <element value="update.microsoft.com"/>
        <element value="download.microsoftupdates.com"/>
        <element value="activation.sls.microsoft.com"/>
        <element value="windowsupdate.microsoft.com"/>
    </domainexcludelist>
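The following is an added example, not CA's code: it reads a domainexcludelist fragment in the format above, applies the subdomain rule (a match only on a label boundary, so "special.company.com" is excluded by "company.com" but "notcompany.com" is not), and applies the IP filter precedence rule where the smallest matching range wins. The 10.20.0.0/16 include filter and the "decode" action name are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a domainexcludelist fragment from nbapolicy.xml.
POLICY_XML = """
<domainexcludelist type="stringListType">
  <element value="update.microsoft.com"/>
  <element value="company.com"/>
</domainexcludelist>
"""

def load_excluded_domains(xml_text):
    """Return the lower-cased domain values from a <domainexcludelist> fragment."""
    root = ET.fromstring(xml_text)
    return [e.get("value").lower().rstrip(".") for e in root.findall("element")]

def domain_excluded(name, excluded):
    """Exact match or subdomain match on a label boundary:
    'special.company.com' matches 'company.com', 'notcompany.com' does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in excluded)

# IP filters as (network, port, action); port None means any port.
# Constructed: the 10.20.0.12:443 / TCP / ignore row above plus an assumed /16 include.
IP_FILTERS = [
    (ipaddress.ip_network("10.20.0.0/16"), None, "decode"),
    (ipaddress.ip_network("10.20.0.12/32"), 443, "ignore"),
]

def ip_action(server_ip, port, filters=IP_FILTERS):
    """Most specific (smallest) matching range wins, as the precedence rule states.
    A port-specific filter beats a port-agnostic one of the same size."""
    addr = ipaddress.ip_address(server_ip)
    matches = [(net, p, act) for net, p, act in filters
               if addr in net and (p is None or p == port)]
    if not matches:
        return None
    # Smallest range first; among equal sizes, port-specific before any-port.
    matches.sort(key=lambda m: (m[0].num_addresses, m[1] is None))
    return matches[0][2]
```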
The NBA console supports client and server exclusion caching. If you are not using a web proxy, you can enable these caches to simplify the process of excluding certain traffic from SSL decoding. In particular, you can allow 'failed connection' SSL sessions to pass through the NBA without decoding them and without needing to specify a domain exclusion or an excluded IP range.
When enabled, the server exclusion cache allows unmonitored sessions to SSL servers that do not accept connections from the SSL decoder.
This can happen if the decoder's SSL protocols are unacceptable to the server. A client must attempt to connect to the server before the decoder can determine this, so only subsequent connections are permitted. The IP address and port number of the server are cached so that future connections to this server and port are excluded from SSL decoding.
Note: If you have a web proxy or similar device between the decoder and the internet that hides the real server's IP address from your internal network, you cannot use the server exclusion cache and must disable it. This is because all web servers will appear to have the same IP address, so connections to all web servers will be excluded from SSL decoding.
When enabled, the client exclusion cache allows unmonitored sessions from clients that fail to connect to the SSL decoder on the NBA.
This can happen if the client does not have the NBA master certificate installed. The IP addresses of both server and client as well as the port number of the server are cached, so that future connections from this client to the server are excluded from SSL decoding.
Note: Be aware that some client applications do not cause the SSL negotiation error needed to trigger the caching. Instead, they simply close the connection after it has been negotiated.
Note: If you have a web proxy or similar device between the clients and the decoder that hides the real client IP addresses from the NBA, you cannot use the client exclusion cache and must disable it. This is because all clients will appear to have the same IP address, so connections from all clients will be excluded from SSL decoding.
To control exclusion caches using the NBA console
Available for Bivio 7000 appliances only.
To control exclusion caches by editing nbapolicy.xml
    <serverexclusioncache type="booleanType" value="false"/>
    <clientexclusioncache type="booleanType" value="false"/>
Where
value="false" disables the cache.
value="true" enables the cache.
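Added example (not CA's code): a model of the server and client exclusion caches described above, keyed the way the text describes (server cache by server address and port, client cache by client address, server address and port), together with the web-proxy failure mode from the two notes. All addresses are constructed sample values.

```python
class ExclusionCache:
    """Server cache key: (server_ip, server_port).
    Client cache key: (client_ip, server_ip, server_port)."""

    def __init__(self, server_cache=True, client_cache=True):
        self.server_cache_enabled = server_cache
        self.client_cache_enabled = client_cache
        self.server_entries = set()
        self.client_entries = set()

    def record_failure(self, kind, client_ip, server_ip, port):
        """Called after a connection the decoder could not negotiate.
        'server': the server rejected the decoder's SSL protocols.
        'client': the client rejected the decoder's certificate (master cert not installed).
        Nothing is cached when the matching cache is disabled."""
        if kind == "server" and self.server_cache_enabled:
            self.server_entries.add((server_ip, port))
        elif kind == "client" and self.client_cache_enabled:
            self.client_entries.add((client_ip, server_ip, port))

    def should_decode(self, client_ip, server_ip, port):
        """False once a cached failure covers this client/server/port combination."""
        if (server_ip, port) in self.server_entries:
            return False
        if (client_ip, server_ip, port) in self.client_entries:
            return False
        return True


def observed_server(real_server_ip, proxy_ip=None):
    """What the NBA sees as the server address: the proxy's address when a
    forward proxy sits between the decoder and the internet, else the real server."""
    return proxy_ip if proxy_ip else real_server_ip


def proxy_collapses_server_cache(proxy_ip="192.0.2.1"):
    """Reproduce the note: behind a proxy, one server failure excludes every server."""
    cache = ExclusionCache()
    # A single server rejects the decoder; the NBA records the proxy's address.
    cache.record_failure("server", "10.1.1.5", observed_server("203.0.113.10", proxy_ip), 443)
    # An unrelated server is now excluded too, because it is also seen as the proxy.
    return not cache.should_decode("10.1.1.9", observed_server("203.0.113.20", proxy_ip), 443)
```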
(Bivio 7000 appliances only) The SSL statistics for each CPU are shown on the SSL Statistics page.
To view SSL statistics
The following statistics are available.
SSL statistics
Shows the state of the SSL Decoder. This can be Hardware, Software, or Disabled. The normal states are Hardware or Software.
Note: You can manually disable the co-processors. To do this, write a file named 'disablesslcoprocessor' to the /NBA/config folder (this file does not need any content) and then restart the NBA.
Disabled: Shown if SSL streams are not being processed. Examine the log file to identify the relevant CPU in order to determine the cause of the problem.
Shows the number of SSL sessions in progress.
If you take the Network appliance offline or change filter settings that affect SSL decoding, SSL sessions may be disconnected. Therefore, you must only perform these actions when the number of active sessions is zero.
Shows the total number of SSL sessions that have been decoded.
This count includes attempts to decode a session that later fails due to a certificate negotiation problem.
Shows the total number of SSL sessions that have been excluded from SSL decoding. Data on these sessions cannot be analyzed.
Sessions are excluded when the domain name of the connection matches an entry in the excluded domains list.
Sessions are also excluded if a decoder connection failure causes the connection to be excluded from decoding. Such exclusions are only permitted when client or server exclusion caching is enabled or if the domain in a certificate matched a domain in the exclusion list.
The dropped frames count shows the number of frames that have been dropped by the NBA in response to a flow-control event. The NBA uses the TCP window mechanism to try and limit the amount of data it needs to buffer for each SSL session.
If the client/server doesn’t react to the reduced TCP window quickly enough, the NBA drops frames on that connection and expects the client/server to resend these frames when the TCP window is restored.
Shows the total number of network frames containing data that has been decrypted.
Shows the total number of SSL records that have been decrypted.
A network packet can contain multiple SSL records and an SSL record can be spread across multiple network packets. The hardware-accelerated decoder is much more efficient when SSL records are large and spread across multiple network packets, but SSL record size is controlled by the client and server using the SSL connection.
Shows the total number of bytes decrypted.
Shows the number of SSL certificates in the trusted cache.
Creating a certificate for a connection is time-consuming for the SSL decoder, and fetching a single web page may create many connections. To make the decoding more efficient, the NBA caches trusted certificate details for up to one hour.
Shows the number of SSL certificates in the untrusted cache.
The NBA creates an untrusted certificate to mimic the untrusted certificate provided by the web server. The comment field in the untrusted certificate gives the reason why the decoder does not trust the web server certificate. For example, there may be a validity date problem or a problem with the root certificate used by a web site's certificate.
To make the decoding more efficient, the NBA caches untrusted certificate details for up to one hour.
Shows the number of SSL sessions in the exclusion cache.
If a certificate negotiation failure causes the connection to be excluded from decoding, the NBA caches session details so that future SSL connections are permitted without decoding them. Such exclusions are only permitted when client or server exclusion caching is enabled or if the domain in a certificate matched a domain in the exclusion list.
Shows the number of cached SSL sessions that need decoding.
If HTTP web traffic is directed from client machines via the NBA and then through an RFC2817 web proxy, the NBA decodes the HTTP CONNECT requests to discover the requested domains. When the connection transitions to SSL, the NBA compares the requested domain to the list of excluded domains. If the requested domain is:
Copyright © 2011 CA. All rights reserved.