Network Integration Guide › Decoding SSL Communications › How to Set up SSL Decode › Include or Exclude IP Ranges from SSL Decoding › Define Exclusion Caching Controls

Define Exclusion Caching Controls

The NBA console supports client and server exclusion caching. If you are not using a web proxy, you can enable these caches to simplify the process of excluding certain traffic from SSL decoding. In particular, you can allow 'failed connection' SSL sessions to pass through the NBA without decoding them and without needing to specify a domain exclusion or an excluded IP range.

Server exclusion caching

When enabled, the server exclusion cache allows unmonitored sessions to SSL servers that do not accept connections from the SSL decoder.

This can happen if the decoder's SSL protocols are unacceptable to the server. A client must attempt to connect to the server before the decoder can determine this, so only subsequent connections are permitted. The IP address and port number of the server are cached so that future connections to this server and port are excluded from SSL decoding.

Note: If you have a web proxy or similar device between the decoder and the internet that hides the real server's IP address from your internal network, you cannot use the server exclusion cache and must disable it. This is because all web servers will appear to have the same IP address, so connections to all web servers will be excluded from SSL decoding.

Client exclusion caching

When enabled, the client exclusion cache allows unmonitored sessions from clients that fail to connect to the SSL decoder on the NBA.

This can happen if the client does not have the NBA master certificate installed. The IP addresses of both server and client as well as the port number of the server are cached, so that future connections from this client to the server are excluded from SSL decoding.

Note: Be aware that some client applications do not cause the SSL negotiation error needed to trigger the caching. Instead, they simply close the connection after it has been negotiated.

Note: If you have a web proxy or similar device between the clients and the decoder that hides the real client IP addresses from the NBA, you cannot use the client exclusion cache and must disable it. This is because all clients will appear to have the same IP address, so connections from all clients will be excluded from SSL decoding.

To control exclusion caches using the NBA console

1. Log on to the NBA console and go to the SSL tab.
2. Click the General option.
3. Click the Enable/Disable button for the required cache.

To exclude domains by editing nbapolicy.xml

1. Open nbapolicy.xml. 
2. Edit the following elements:

   <serverexclusioncache type="booleanType" value="false"/>
   <clientexclusioncache type="booleanType" value="false"/>
   

   Where

   value="false" disables the cache.

   value="true" enables the cache.

SSL Statistics

(Bivio 7000 appliances and the Linux Server Platform only)

Optionally, you can view the SSL statistics for each CPU on the SSL Statistics page.

To view SSL statistics

1. Log on to the NBA console and go to the SSL tab.
2. Click the Statistics option.

The following statistics are available.

Decoder State

Shows the state of the SSL Decoder. This can be Hardware, Software, or Disabled. The normal states are Hardware or Software.

• Hardware: Shown if SSL streams are being processed and the NBA appliance is fitted with SSL acceleration co-processors.
• Software: Shown if SSL streams are being processed but the NBA appliance does not have SSL acceleration co-processors or they have been manually disabled.

  Note: You can manually disable the co-processors. To do this, write a file named 'disablesslcoprocessor' to the /NBA /config folder (this file does not need any content) and then restart the NBA.

  Disabled: Shown if SSL streams are not being processed. Examine the log file to identify the relevant CPU in order to determine the cause of the problem.

Active Sessions

Shows the number of SSL sessions in progress.

If you take the Network appliance offline or change filter settings that affect SSL decoding, SSL sessions may be disconnected. Therefore, you must only perform these actions when the number of active sessions is zero.

Total Sessions

Shows the total number of SSL sessions that have been decoded.

This count includes attempts to decode a session that later fails due to a certificate negotiation problem.

Excluded Sessions

Shows the total number of SSL sessions that have been excluded from SSL decoding. Data on these sessions cannot be analyzed.

Sessions are excluded when the domain name of the connection matches an entry in the excluded domains list.

Sessions are also excluded if a decoder connection failure causes the connection to be excluded from decoding. Such exclusions are only permitted when client or server exclusion caching is enabled or if the domain in a certificate matched a domain in the exclusion list.

Dropped Frames

The dropped frames count shows the number of frames that have been dropped by the NBA in response to a flow-control event. The NBA uses the TCP window mechanism to try and limit the amount of data it needs to buffer for each SSL session. 

If the client/server doesn’t react to the reduced TCP window quickly enough, the NBA drops frames on that connection and expects the client/server to resend these frames when the TCP window is restored.

Decrypted Frames

Shows the total number of network frames containing data that has been decrypted.

Decrypted Records

Shows the total number of SSL records that have been decrypted.

A network packet can contain multiple SSL records and an SSL record can be spread across multiple network packets. The hardware-accelerated decoder is much more efficient when SSL records are large and spread across multiple network packets, but SSL record size is controlled by the client and server using the SSL connection.

Decrypted Bytes

Shows the total number of bytes decrypted.

Cached Trusted Certificates

Shows the number of SSL certificates in the trusted cache.

Creating a certificate for a connection is time-consuming for the SSL decoder, and fetching a single web page may create many connections. To make the decoding more efficient, the NBA caches trusted certificate details for up to one hour.

Cached Untrusted Certificates

Shows the number of SSL certificates in the untrusted cache.

The NBA creates an untrusted certificate to mimic the untrusted certificate provided by the web server. The comment field in the untrusted certificate gives the reason why the decoder does not trust the web server certificate. For example, there may be a validity date problem or a problem with the root certificate used by a web site's certificate.

To make the decoding more efficient, the NBA caches untrusted certificate details for up to one hour.

Cached Excluded Sessions

(Not displayed in the NBA console. This statistic is included in the statistics log file for diagnostic purposes.)

Shows the number of SSL sessions in the exclusion cache.

If a certificate negotiation failure causes the connection to be excluded from decoding, the NBA caches session details so that future SSL connections are permitted without decoding them. Such exclusions are only permitted when client or server exclusion caching is enabled or if the domain in a certificate matched a domain in the exclusion list.

Cached Included Sessions

(Not displayed in the NBA console. This statistic is included in the statistics log file for diagnostic purposes.)

Shows the number of cached SSL sessions that need decoding.

If HTTP web traffic is directed from client machines via the NBA and then through an RFC2817 web proxy, the NBA decodes the HTTP CONNECT requests to discover the requested domains. When the connection transitions to SSL, the NBA compares the requested domain to the list of excluded domains. If the requested domain is:

• Excluded, the NBA allows the session to go through without decoding it.
• Not excluded, the NBA decodes the session identified from the cached session details.