SSL Decryption is an important part of the Umbrella Intelligent Proxy. This article goes through how it works and what the requirements are to implement it.
The feature allows the Intelligent Proxy to go beyond simply inspecting normal URLs and actually proxy and inspect traffic that is sent over HTTPS. The SSL Decryption feature does require that the root certificate be installed, as covered below.
Requirements and Implementation
Although only SSL sites on our 'grey' list will be proxied, it's required that the root certificate be installed on the computers that are using SSL Decryption for the Intelligent Proxy in their policy. Sites on our 'grey' list can include popular sites, such as file sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless, so your users will go to some proxied sites even if they're acting in good faith.
- Without the root certificate, when your users go to that service, they will receive errors in the browser and the site will not be accessible. The browser, correctly, will believe the traffic is being intercepted (and proxied!) by a 'man in the middle', which is our service in this case. The traffic won't be decrypted and inspected; instead, the entire website won't be available.
- With the root certificate installed, errors won't occur and the site will be accessible when it's been proxied and allowed. For information on installing the root certificate on multiple browsers and platforms, read here: https://docs.umbrella.com/product/umbrella/cisco-certificate-import-information/
Enabling SSL Decryption
This feature is part of the Intelligent Proxy and as such, the Intelligent Proxy must be enabled first.
In our policy wizard, the feature is included in Step 2, "What should this policy do?". Expand "Advanced Settings" and click "SSL Decryption" to enable the feature:
On an existing policy, SSL Decryption can be enabled from the Summary Page by clicking Advanced Settings:
Testing SSL Decryption
Once you’ve deployed the Cisco Root CA to your client machines and configured the feature, you’ll want to confirm it is working. We’ve created the following URL to allow you to test this:
This will lead to a page advising if your request was successfully proxied or not.
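The two outcomes described above (a certificate error when the root CA is missing, a working page when it is trusted and the request is proxied) can also be confirmed from the command line. The following script is an added example, not part of this article or of the Umbrella product: it opens a TLS connection the same way a browser would (full chain validation against the local trust store), then looks at who issued the server's leaf certificate. If the chain ends in a CA the machine does not trust, the handshake fails exactly as the browser would; if it succeeds, the issuer name tells you whether the decrypting proxy signed the certificate or the site's own CA did. The string matched against the issuer (`PROXY_CA_MARKER`) and the host names used are assumptions; set the marker to the subject name of the root certificate you actually imported.

```python
"""Check whether an HTTPS connection is being transparently decrypted and
re-signed by a proxy CA, by inspecting who issued the leaf certificate.
Added example; assumptions are marked in comments."""
import socket
import ssl

# Assumption: a substring of the subject name of the proxy's root CA. The
# article only calls it "the Cisco Root CA"; change this to match the
# certificate you imported.
PROXY_CA_MARKER = "Cisco Umbrella"


def issuer_names(cert):
    """Flatten the 'issuer' field of an ssl.getpeercert() dict into
    {attribute_name: value}, e.g. {'commonName': 'Example CA'}."""
    names = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            names[key] = value
    return names


def classify_cert(cert, marker=PROXY_CA_MARKER):
    """Return 'proxied' if the leaf certificate was issued by the decrypting
    proxy's CA (issuer contains the marker), otherwise 'direct'."""
    issuer = issuer_names(cert)
    haystack = " ".join(issuer.values())
    return "proxied" if marker.lower() in haystack.lower() else "direct"


def check_site(host, port=443, timeout=5.0):
    """Connect to host:port, validate the chain against this machine's trust
    store (so the result mirrors what a browser sees), and return one of:
    'proxied', 'direct', 'untrusted:<reason>' or 'error:<message>'."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The "root certificate not installed" failure mode from the article:
        # the chain ends in a CA this host does not trust.
        return f"untrusted:{exc.reason}"
    except OSError as exc:
        return f"error:{exc}"


if __name__ == "__main__":
    import sys
    # Hosts given on the command line are assumptions; supply your own.
    for name in sys.argv[1:] or ["example.com"]:
        print(name, check_site(name))
```

Run it against a site you expect to be on the grey list and against one you do not; the first should report `proxied` and the second `direct`. An `untrusted:` result means the Python trust store does not contain the root CA, which is the same condition that produces the browser errors above (note that some Python builds use their own bundle rather than the operating system's store, so a browser and this script can disagree until the certificate is imported into both).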
What is being decrypted and proxied?
Some solutions, such as deep packet inspection solutions on the gateway of a network, inspect all of the traffic sent through them at a granular level to look for information such as strings of malicious code or confidential data. This is *not* what SSL Decryption for the Intelligent Proxy does; it is really just the Intelligent Proxy applied to SSL websites. The only things being inspected are the requested URLs and domain names that are considered suspicious to begin with and are on our 'grey list', and we will block HTTPS URLs if they're considered malicious in our ruleset. We are not recording (or even looking at) anything beyond the URLs, potentially malicious files (and their checksums) and the domain names themselves.
If File Inspection is enabled, our proxy also inspects files that users attempt to download from those risky sites, using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP), providing comprehensive protection against malicious files. Having SSL Decryption enabled along with File Inspection protects against sites that use valid HTTPS but serve malicious files alongside innocuous ones.