Blue Coat Labs

Labs Blog

SSL Proxy and Anti-Malware Go Hand In Hand


Tim Chiu

At first glance you may think that an SSL proxy and anti-malware have nothing to do with each other. While each serves its own purpose in a Secure Web Gateway architecture and deployment, they are actually crucial to each other's success in protecting an organization's network from web-based threats, malware, and cybercrime.

Let's start with the SSL proxy. Having a web proxy without an SSL proxy used to be quite common, as few web pages other than financial services had encryption protection. In addition, SSL proxies generally put a significant load on proxy servers, because decrypting and re-encrypting the SSL sessions takes CPU power.

There was a time when a web proxy that handled web pages in the clear covered almost all the web pages of interest for an organization's policy compliance. Today, webmail offerings routinely use SSL-encrypted logins and even maintain SSL connections for the web-based email session. SSL is also used today wherever personal credentials are entered, whether it's a social networking site, shopping or other entertainment site. Because of the widespread use of encryption on websites, making sure you use an SSL proxy (basically a proxy that can inspect and enforce policy around the contents within an SSL session) is more important than ever.

At one time, an SSL proxy used with inspection was important mostly for DLP (Data Leakage Protection). Organizations used it to make sure confidential data wasn't leaving the organization through secure encrypted sessions. Today it's important to make sure web threats don't enter through secure encrypted connections.

The key to providing complete security with SSL inspection is an anti-malware or anti-virus scanner, along with hardware-assisted SSL encryption and decryption. Traditional methods of content inspection like URL databases are hampered by the user credentials usually associated with URLs returned after an SSL authenticated session. URL filtering technologies generally rely on available URLs and not the custom URL generated after a user credential is verified.

To ensure the content within an SSL-encrypted page is safe, use an anti-malware or anti-virus scanner locally at the proxy to inspect the data the SSL proxy receives as it comes in from the Internet. If the anti-malware program detects any threats, the proxy can block the downloads and infected web pages. Without an SSL proxy and anti-malware, threats buried in encrypted pages would pass into the organization's network.

A company using an SSL proxy should of course follow prudent guidelines around privacy concerns and any country-based regulations with regard to content found in SSL sessions. A common approach is to set up the SSL proxy to bypass visits to financial sites, so as not to invade a typical end-user's privacy.
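
The two preceding paragraphs (scan decrypted responses at the proxy, bypass financial sites) can be expressed as a proxy policy. The fragment below is an added illustration using the open-source Squid proxy, not a configuration from the original post or for the vendor's product. The certificate paths, the domain list file, and the ICAP scanner address and service name are placeholders, and it assumes a Squid build with TLS interception support and an ICAP-capable anti-malware scanner running on the same host.

```conf
# --- TLS interception listener ---
# Placeholder CA certificate and key; clients must trust this CA.
http_port 3128 ssl-bump tls-cert=/etc/squid/inspect-ca.pem tls-key=/etc/squid/inspect-ca.key generate-host-certificates=on

# --- Privacy bypass (financial sites) ---
# Placeholder file, one domain per line, e.g. ".bank.example".
acl no_inspect ssl::server_name "/etc/squid/no_inspect_domains.txt"
acl step1 at_step SslBump1

# Read the TLS ClientHello (SNI) first, without decrypting anything.
ssl_bump peek step1
# Financial sites: pass the encrypted session through untouched.
ssl_bump splice no_inspect
# Everything else: decrypt so the response body can be scanned.
ssl_bump bump all

# --- Anti-malware scanning of decrypted responses ---
icap_enable on
# RESPMOD sends each response to the scanner before it reaches the client.
# bypass=off makes the proxy fail closed: if the scanner is unreachable,
# responses are not delivered unscanned.
icap_service av_scan respmod_precache icap://127.0.0.1:1344/avscan bypass=off
adaptation_access av_scan allow all
```

Spliced sessions are never decrypted, so the scanner does not see them; keep the bypass list short and review it like any other security exception.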

Any organization concerned with web threats needs to implement an SSL proxy if it hasn't done so already, and tied to that implementation should be a plan to make anti-malware scanning a standard part of the web gateway.