Barracuda Web Filter

Barracuda Web Filter



Using SSL Inspection With the Barracuda Web Filter

Last update: Monday, 24. Feb 2014

SSL Inspection is a resource intensive feature which is supported by the Barracuda Web Filter as follows:

  • 410 in Forward Proxy or Inline deployments, running version 7.1 and higher, for Safe Browsing and YouTube for Schools. See How to Configure SSL Inspection 7.1.
  • 610 and higher in Forward Proxy or Inline deployments, running version 7.1 and higher. After enabling SSL Inspection, all applications you select on the BLOCK/ACCEPT > Web App Control and Web App Monitor pages are automatically subject to SSL Inspection.
  • 610 and 810 in Forward Proxy mode, 910 and higher in Forward Proxy or Inline deployments, running firmware version 6.0.1 and higher. See How to Configure SSL Inspection 6.x.

Why SSL Inspection Is Important

By enabling the Barracuda Web Filter to decrypt, inspect and re-encrypt web traffic at the URL level, administrators have fine grained control over the use of web-based applications. What this means is that administrators can choose to block certain portions of web based applications such as Facebook Chat and Facebook Sharing, while enabling the rest of Facebook. Since Facebook, Google and other search engines and many web-based applications run over HTTPS, SSL Inspection is required for this level of monitoring and blocking. With this control the administrator can define what they deem permissible on their network without having to block all of Facebook, Twitter, Google Apps and other popular web-based applications. 


How SSL Inspection Works

With SSL Inspection, the content of a URL over HTTPS can be scanned. This allows the Barracuda Web Filter to apply policies and detect malware and viruses at the URL level.

The Barracuda Web Filter acts as a secure intermediary between user HTTPS web requests and the destination web server (i.e. Facebook.com, YouTube.com, yourdomain.com, etc.). HTTPS content in user web requests is decrypted and scanned by the Barracuda Web Filter, which then detects malware and enforces web policies configured on the BLOCK/ACCEPT pages. After processing, this HTTPS traffic will be re-encrypted on the fly by the Barracuda Web Filter and routed to the destination web server as shown in Figure 1.

Figure 1: SSL Inspection

HTTPS and SSL Inspection.png

To use this feature, the administrator installs a root certificate in client browsers from the Barracuda Web Filter. The Barracuda Web Filter can then intercept and inspect the HTTPS connections by presenting the client a CA derived from this root CA. If you have a high availability deployment, you must install the same root certificate on each Barracuda Web Filter.

Popular Use Cases of SSL Inspection

Social media sites like Facebook and YouTube are now typically accessed over HTTPS,  the encryption protocol used to protect online banking sessions and user logins for services of all kinds on the web.

  • Suspicious Keyword Tracking – (Version 7.0 and higher) Monitor social messaging over HTTP/HTTPS in real time, with keyword alert emails to teachers or administrators to trigger immediate responses to emerging cases of bullying, harassment, or loss of confidential data. This feature only requires the use of SSL Inspection if traffic is over HTTPS (which is typical for Facebook, Google Apps, etc.) and is available on the Barracuda Web Filter 610 and higher. Database of keywords is embedded in the Barracuda Web Filter, is frequently updated, and can be customized. See the BLOCK/ACCEPT > Web App Monitor page to configure.
  • Google Apps Control Over HTTPS – Granular regulation of Google Apps tools over HTTPS; for example, allow business Gmail account access, but block personal Gmail account access.
  • Facebook Control Over HTTPS – Regulation and archiving of Facebook application interactions (chat, posting, games, etc.)
  • Safe Search over HTTPS - Users or groups you specify will not see search engine content that contains objectionable thumbnail images in the search results; only filtered thumbnails are displayed in the search results.
  • Allowing access to web-based email applications, but preventing potentially dangerous uploads and downloads.

For configuration steps, see How to Configure SSL Inspection.

With version 6.0 - 7.0, if you enable SSL Inspection, only the domains (maximum of 5) and/or URL categories that you specify on the ADVANCED > SSL Inspection page will be filtered at the URL level. For version 7.1.0 and higher, see How to Configure SSL Inspection 7.1.


 


Feedback
If you have a technical issue with the product, please contact Barracuda Networks Technical Support. Did you find this article helpful: |