Integrated SSL Scanning
Page 2 Finjan proprietary and confidential
• Between the end-user and the Scanning Server
• Between the Scanning Server and the HTTPS server
When the end-user initially sends the request to the Scanning Server, the
Scanning Server does not have the certificate of the original Web server,
so it must retrieve the certificate before establishing the connection. The
Scanning Server retrieves the certificate from the HTTPS server and then
generates a new certificate on-the-fly, which includes the same
information as the original certificate. The Scanning Server signs the new
certificate with its own private key and sends it to the end-user.
2.2 Certificate Validation
Vital Security HTTPS ensures that corporate policies for certificates are
enforced, thereby removing the decision from the end-users by
automatically validating each certificate and ensuring that the chain
returns to the trusted authority. Policies regarding certificates are enforced
by checking individual certificate names, expiry dates, trusted authority
chains, and revocation lists.
A list of trusted certificate authorities is supplied with the system and is
used for digital signature analysis and for HTTPS certificate validation.
Digital certificate lists are updated via Finjan security updates. These lists
include the required trusted certificate authorities and Certificate
Revocation Lists (CRLs).
Certificate validation is based on the action taken according to policy type
(Bypass/Inspect Content/User Approval). When Bypass is selected, the
original server certificate is obtained, and certificate validation is not
performed by the system (no security or HTTPS validation is carried out
on traffic). If Inspect Content or User Approval is selected, the server
certificates are analyzed and replaced by a certificate containing the same
mismatches as the original. The resulting mismatches are compared
against SSL certificate conditions.
To view the certificate validation rules, navigate in the Management
Console to Policies Æ Condition Settings Æ HTTPS Certificate
Validation Æ Default Certificate Validation Profile.
NOTE: The Default Profile can also be duplicated and adjusted
to an organization’s needs.
The Default Certificate Validation Profile comprises the
certificate error events.
To Next Page
Loading...
Need help?
General
