Policy rules in the SSL Visibility Appliance only apply to SSL flows. The sequence of events is as follows.
Note: "Cut through" means the packets are passed to/through any attached security appliances and then sent out on the other side of the bump in the wire.
- Non-TCP flows are cut through immediately by the Flow processor.
- New TCP flows are cut through by the Flow processor, but the flow is monitored by the Flow processor to see if it becomes an SSL flow.
- If the Flow processor sees a Client Hello indicating the start of an SSL flow, it does the following:
  - stops passing packets on the flow to/through the attached security appliances
  - sends the packets out on the other side of the bump in the wire (so the SSL handshake can continue)
  - gathers information from the SSL handshake (we do not modify the packets between client and server)
  - when the SSL Server Certificate begins to arrive, captures it and does not send it on to the client
- Once the full SSL Server Certificate is received, the appliance has all the information needed for the policy engine to make a decision on what to do with the flow.
  a) If the policy engine determines that the flow should be inspected, the appliance modifies the server certificate and becomes a Man-In-The-Middle so it can decrypt and re-encrypt the flow in order to see the clear text.
  b) If the policy engine determines that the flow should not be inspected, the following occurs:
     - the SSL handshake sequence is replayed to/through the attached security appliances so they see it
     - all future packets on this SSL flow are cut through
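As an added illustration (not code from the appliance or its vendor), the following toy Python model walks a flow through the sequence above: it classifies each segment as cut through, forwarded but hidden from the appliances, or withheld from the client, and hands off to the policy engine only once the full Certificate handshake message has been reassembled across TLS records. The verdict names and the sample segments are constructed for this example.

```python
import struct
TLS_HANDSHAKE, HS_CLIENT_HELLO, HS_CERTIFICATE = 0x16, 0x01, 0x0B   # record type / handshake types

def tls_records(payload):
    off = 0                      # TLS record: type(1) version(2) length(2) fragment
    while off + 5 <= len(payload):
        ctype, _ver, length = struct.unpack("!BHH", payload[off:off + 5])
        yield ctype, payload[off + 5:off + 5 + length]
        off += 5 + length

class Flow:
    # Verdicts: CUT_THROUGH (to/through attached appliances), PASS_ONLY (forwarded but hidden
    # from appliances), HOLD (withheld from client), DECIDE (policy engine decides).
    def __init__(self, is_tcp):
        self.is_tcp, self.ssl = is_tcp, False
        self.hs = bytearray()        # reassembled server-side handshake stream
        self.certificate = None      # complete Certificate message once received

    def on_client_segment(self, payload):
        if not self.is_tcp:
            return "CUT_THROUGH"     # non-TCP flows never reach the policy engine
        if payload[:1] == bytes([TLS_HANDSHAKE]) and payload[5:6] == bytes([HS_CLIENT_HELLO]):
            self.ssl = True          # Client Hello seen: stop showing appliances the flow
        return "PASS_ONLY" if self.ssl else "CUT_THROUGH"

    def on_server_segment(self, payload):
        if not self.ssl:
            return "CUT_THROUGH"
        for ctype, frag in tls_records(payload):
            if ctype == TLS_HANDSHAKE:
                self.hs += frag      # a handshake message may span several records
        off = 0                      # walk handshake messages: type(1) length(3) body
        while off < len(self.hs):
            end = off + 4 + int.from_bytes(self.hs[off + 1:off + 4], "big")
            if self.hs[off] == HS_CERTIFICATE:
                if end > len(self.hs):
                    return "HOLD"    # certificate has begun to arrive but is incomplete
                self.certificate = bytes(self.hs[off + 4:end])
                return "DECIDE"      # full certificate: inspect, or replay handshake and cut through
            if end > len(self.hs):
                break                # an earlier message is still incomplete; keep forwarding
            off = end
        return "PASS_ONLY"

# Constructed sample segments (not captured traffic): Client Hello; ServerHello + Certificate split in two.
def rec(ctype, frag): return struct.pack("!BHH", ctype, 0x0303, len(frag)) + frag
def hs_msg(htype, body): return bytes([htype]) + len(body).to_bytes(3, "big") + body
CLIENT_HELLO = rec(TLS_HANDSHAKE, hs_msg(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 34))
_CERT = hs_msg(HS_CERTIFICATE, b"C" * 40)
SERVER_SEG1 = rec(TLS_HANDSHAKE, hs_msg(0x02, b"\x03\x03" + b"\x00" * 36)) + rec(TLS_HANDSHAKE, _CERT[:20])
SERVER_SEG2 = rec(TLS_HANDSHAKE, _CERT[20:])
```

Feeding `SERVER_SEG1` yields HOLD (the certificate has started but is short) and `SERVER_SEG2` yields DECIDE with the 40-byte certificate body captured; a plain HTTP exchange on the same TCP flow before the Client Hello is cut through untouched.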