Barracuda Web Security Gateway

Using SSL Inspection With the Barracuda Web Security Gateway

Due to recent vulnerabilities discovered with the SSL protocol, Barracuda strongly recommends that you upgrade to 8.1.0.005 before using this feature. See the Barracuda Networks Security Updates blog post around this topic: Barracuda delivers updated SSL Inspection feature. Available with the Barracuda Web Security Gateway 410 (limited) and higher.

For configuration steps, see How to Configure SSL Inspection. This feature is supported for the Barracuda Web Security Gateway version 7.0 and higher per the SSL Inspection Features Available by Model chart below.

Why SSL Inspection Is Important

Social media sites like Facebook and YouTube are now typically accessed over HTTPS, the encryption protocol used to protect online banking sessions and user logins for services of all kinds on the web.

By enabling the Barracuda Web Security Gateway to decrypt, inspect and re-encrypt web traffic at the URL level, administrators have fine grained control over the use of web-based applications. This allows administrators to choose to block certain portions of web based applications such as Facebook Chat and Facebook Sharing, while enabling other portions, such as the rest of Facebook. Since Facebook, Twitter, various search engines such as Google, and many web-based applications run over HTTPS, SSL Inspection is required for this level of monitoring and blocking. With this control the administrator can define what they deem permissible on their network and need not block all of Facebook, Twitter, Google Apps and other popular web-based applications. 

Additionally, since block pages cannot always be served when just using HTTPS filtering, using SSL Inspection almost guarantees presentation of a block page when needed.

SSL Inspection Features Available by Model

See the notes for (1) and (2) below.

Table 1.

 MODEL COMPARISON

310

410

610

810

910

1010 / 1011

Vx

Proxy Mode

Auto

X

X

X

X

X

X

  Add up to 5 domains

 

X

X

X(3)

X

X

X

  Add categories

 

X

X

X

X

X

X

Transparent Mode

Auto

X(1)

X(1)

X(2)

X (2)

X(2)

-

  Add up to 5 domains

 

-

-

X

X

X

-

  Add categories

 

-

-

-

-

-

-

Remote Filtering Tab (WSA)XXXXXXX
Safe SearchX(3)XXXXXX
Web Application Control X(3)XXXXX
Web Application Monitoring X(3)XXXXX

Notes:

(1) In Transparent mode, you cannot configure domains or categories. If you currently use Proxy inspection and are switching to Transparent inspection, any domains or categories you have specified for SSL Inspection are DISABLED. If you switch back to Proxy inspection, domains and categories are restored.

(2) In Transparent mode, you can configure domains, not categories. Test SSL Inspection with a few domains to ensure system performance is satisfactory. If you currently use Proxy inspection and are switching to Transparent inspection, any categories you have specified for SSL Inspection are DISABLED. If you switch back to Proxy inspection, categories are restored. To prevent system overload, after switching to Transparent inspection, you cannot add more domains.

(3) Available with version 10.0

Note that the Barracuda Web Security Gateway Vx virtual machine 610 and higher only supports Proxy Mode inspection, including adding domains and categories.

How SSL Inspection Works

With SSL Inspection, the content of a URL over HTTPS can be scanned. This allows the Barracuda Web Security Gateway to apply policies and detect malware and viruses at the URL level.

The Barracuda Web Security Gateway acts as a secure intermediary between user HTTPS web requests and the destination web server (i.e. Facebook.com, YouTube.com, yourdomain.com, etc.). HTTPS content in user web requests is decrypted and scanned by the Barracuda Web Security Gateway, which then detects malware and enforces web policies configured on the BLOCK/ACCEPT pages. After processing, this HTTPS traffic will be re-encrypted on the fly by the Barracuda Web Security Gateway and routed to the destination web server as shown in Figure 1.

Figure 1: SSL Inspection

HTTPS and SSL InspectionBWSG.png

To use this feature, the administrator installs a root certificate in client browsers from the Barracuda Web Security Gateway. The Barracuda Web Security Gateway can then intercept and inspect the HTTPS connections by presenting the client a CA derived from this root CA. If you have a high availability deployment, you must install the same root certificate on each Barracuda Web Security Gateway.

SSL Inspection Versus HTTPS Filtering

If you only need to block by domain and/or domain (content) categories, you can enable HTTPS filtering on the 210 and higher. See HTTPS Filtering With the Barracuda Web Security Gateway for details. Unlike SSL Inspection, HTTPS filtering does not decrypt the encrypted portion of URLs. This prevents monitoring or capturing of social media interactions such as chat, comments, shares, etc. HTTPS Filtering is a good choice when:

  • You have a Barracuda Web Security Gateway 210 or 310, which currently do not support SSL Inspection.
  • You have a Barracuda Web Security Gateway 410, which supports limited SSL Inspection (Safe Search and YouTube for Schools).
  • Your organization policies only require blocking web traffic over HTTPS by domain or domain categories.
  • Saving system resources for traffic processing other than SSL Inspection is important for your application. HTTPS filtering is a much less resource intensive option than SSL Inspection.

Popular Use Cases of SSL Inspection

Use case: Suspicious Keyword Tracking on Social Media
Use case: Google Apps Control Over HTTPS
Use case: Facebook Control Over HTTPS
Use cases: Safe Search Over HTTPS and YouTube for Schools
Use case: Secure Uploads and Downloads Via Web-Based Email

Popular for schools. Allow access to web-based email applications, but prevent potentially dangerous uploads and downloads.


Feedback Did you find this article helpful: |

Still need help?

If you have a technical issue with the product, please contact Barracuda Networks Technical Support.