How is a flow processed in the SSL Visibility appliance?

Article ID: 168222

Products

SSL Visibility Appliance Software

Issue/Introduction

How is traffic processed in the SSL Visibility appliance?

What are the events that take place in the SSL Visibility appliance to determine if a flow is SSL?

Resolution

Policy rules in the SSL Visibility Appliance only apply to SSL flows. The sequence of events is as follows.
Note: Cut Through means the packets are passed to/through any attached security appliances, and then sent out on the other side of the bump in the wire.
  1. Non-TCP flows are cut through immediately by the Flow processor.
  2. New TCP flows are cut through by the Flow processor, but the flow is monitored by the Flow processor to see if it becomes an SSL flow.
  3. If the Flow processor sees a Client Hello indicating the start of an SSL flow, it does the following:
  • stops passing packets on the flow to/through attached security appliances
  • sends the packets out on the other side of the bump in the wire (so the SSL handshake can continue)
  • gathers information from the SSL handshake (we do not modify the packets between client and server)
  • when the SSL Server Certificate begins to arrive, captures it and does not send it on to the client.
  4. Once the full SSL Server Certificate is received, the appliance has all the information needed for the policy engine to decide what to do with the flow.
  a) If the policy engine determines that the flow should be inspected, the appliance modifies the server certificate and becomes a Man-In-The-Middle so it can decrypt and re-encrypt the flow in order to see the clear text.
  b) If the policy engine determines that the flow should not be inspected, the following occurs:
  • the SSL handshake sequence is replayed to/through the attached security appliances so they see it.
  • all future packets on this SSL flow are cut through.
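As an added illustration (not the appliance's own code), the following Python models the sequence above as a small per-flow state machine: non-TCP flows are cut through at once, TCP flows are cut through but watched for a Client Hello, server-side handshake records are passed on until a Certificate message starts, the Certificate is held back until it is complete, and a caller-supplied policy predicate then decides between inspection and replay-then-cut-through. The TLS record and handshake parsing is deliberately minimal, and the certificate bytes, policy predicate and packet sequence are constructed for the example.

```python
"""Toy model of the SSL Visibility flow-processing sequence (constructed example).
Each TLS record is assumed to either start a handshake message or continue a
Certificate message already in progress; the policy engine is a predicate over
the raw Certificate handshake message."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

TLS_HANDSHAKE = 0x16  # TLS record content type: handshake
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 0x01, 0x02, 0x0B  # handshake message types


class Action(Enum):
    CUT_THROUGH = "cut-through"            # to attached appliances, then out the other side
    PASS_HANDSHAKE = "pass-handshake"      # out the other side only; appliances bypassed
    HOLD_CERTIFICATE = "hold-certificate"  # captured, not yet forwarded to the client
    INSPECT = "inspect"                    # appliance becomes man-in-the-middle
    REPLAY_THEN_CUT_THROUGH = "replay-then-cut-through"


class State(Enum):
    MONITORED_TCP = 1  # step 2: cut through, watched for a Client Hello
    SSL_HANDSHAKE = 2  # step 3: handshake seen, certificate being collected
    DECIDED = 3        # step 4: policy decision applies to every later packet


@dataclass
class Flow:
    proto: str
    state: State = State.MONITORED_TCP
    cert_buf: bytearray = field(default_factory=bytearray)  # Certificate bytes so far
    cert_needed: Optional[int] = None                       # full Certificate message length
    decision: Optional[Action] = None


def handshake_type(record: bytes) -> Optional[int]:
    """Type of the handshake message starting in this TLS record, or None."""
    if len(record) < 6 or record[0] != TLS_HANDSHAKE:
        return None
    return record[5]


def tls_wrap(payload: bytes) -> bytes:
    """Constructed helper: wrap bytes in a TLS 1.2 handshake record header."""
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + len(payload).to_bytes(2, "big") + payload


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Constructed helper: handshake header (type + 3-byte length) plus body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


class FlowProcessor:
    def __init__(self, policy: Callable[[bytes], bool]):
        self.policy = policy  # True: inspect the flow; False: leave it encrypted

    def process(self, flow: Flow, pkt: bytes, from_server: bool) -> Action:
        if flow.proto != "tcp":
            return Action.CUT_THROUGH              # step 1: non-TCP, never monitored
        if flow.state is State.DECIDED:
            return flow.decision                   # step 4 outcome covers the rest of the flow
        if flow.state is State.MONITORED_TCP:
            if not from_server and handshake_type(pkt) == CLIENT_HELLO:
                flow.state = State.SSL_HANDSHAKE   # step 3: stop feeding the appliances
                return Action.PASS_HANDSHAKE
            return Action.CUT_THROUGH              # step 2: plain TCP so far
        if not from_server:
            return Action.PASS_HANDSHAKE           # client-side handshake records reach the server
        return self._server_record(flow, pkt)

    def _server_record(self, flow: Flow, record: bytes) -> Action:
        if flow.cert_needed is None:
            if handshake_type(record) != CERTIFICATE:
                return Action.PASS_HANDSHAKE       # e.g. Server Hello: let it reach the client
            body = record[5:]                      # handshake header + start of the message
            flow.cert_needed = 4 + int.from_bytes(body[1:4], "big")
            flow.cert_buf.extend(body)
        else:
            flow.cert_buf.extend(record[5:])       # continuation of the Certificate message
        if len(flow.cert_buf) < flow.cert_needed:
            return Action.HOLD_CERTIFICATE         # still capturing; nothing sent to the client
        cert_msg = bytes(flow.cert_buf[: flow.cert_needed])
        flow.state = State.DECIDED                 # step 4: full certificate in hand
        flow.decision = Action.INSPECT if self.policy(cert_msg) else Action.REPLAY_THEN_CUT_THROUGH
        return flow.decision


def run_tcp_flow(policy: Callable[[bytes], bool]) -> List[Action]:
    """Drive one constructed TCP flow through the processor; return the per-packet actions."""
    fp, flow = FlowProcessor(policy), Flow("tcp")
    cert_body = b"placeholder DER for CN=inspect-me.example"  # constructed, not a real certificate
    cert = handshake_msg(CERTIFICATE, cert_body)
    first, rest = cert[:20], cert[20:]                        # Certificate split over two records
    return [
        fp.process(flow, b"SYN", from_server=False),                                   # plain TCP
        fp.process(flow, tls_wrap(handshake_msg(CLIENT_HELLO, b"\x03\x03")), from_server=False),
        fp.process(flow, tls_wrap(handshake_msg(SERVER_HELLO, b"\x03\x03")), from_server=True),
        fp.process(flow, tls_wrap(first), from_server=True),
        fp.process(flow, tls_wrap(rest), from_server=True),
        fp.process(flow, b"application data", from_server=False),
    ]


if __name__ == "__main__":
    print(run_tcp_flow(lambda cert: b"inspect-me" in cert))  # ..., HOLD_CERTIFICATE, INSPECT, INSPECT
    print(run_tcp_flow(lambda cert: False))                   # ..., REPLAY_THEN_CUT_THROUGH x2
    print(FlowProcessor(lambda c: True).process(Flow("udp"), b"dns", False))  # CUT_THROUGH
```

The two `run_tcp_flow` calls differ only in the policy predicate, which is the point of step 4: every packet up to the complete Certificate is handled identically, and only the final decision (and everything after it) changes. A real appliance makes that decision on parsed certificate fields and policy rules rather than a substring match.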