Data Loss Prevention


Requesting Feedback for OpenSSL, stunnel, and DLP Web Prevent 12.5 for Secure ICAP

  • 1.  Requesting Feedback for OpenSSL, stunnel, and DLP Web Prevent 12.5 for Secure ICAP

    Posted Jan 26, 2015 10:21 AM

    We're planning the implementation of Secure ICAP to secure the ICAP traffic between our BlueCoat proxies and Web Prevent v12.5 server, and I would like to pick the community brain before I start installing software.

    Environment

    • DLP Web Prevent v12.5 running on Windows 2012 R2. 
    • BlueCoat Proxies

    Has anyone implemented a similar secure ICAP config before? 

    What were the challenges? Any issues? 

    Were (are) there any performance impacts switching from ICAP to Secure ICAP?

    Thoughts on effectiveness? Did you find any sites or services that failed to function after implementing the BC SSL inspection and Secure ICAP config? 

    Any problems using OpenSSL or Stunnel? 

    Any insights would be appreciated. 

    Sincerely,

    BionicSecurityEngineer

     

    Addendum: 

    I dislike self-signed certificates, so the big technical question is, "Could we modify step 6 to generate a CSR and obtain a signed cert from an internal CA vs. a self-signed cert?" Would you still need OpenSSL if you're using an internal CA? Could you simply point stunnel to the local keychain to use the new certificate?

    This is the simplified install overview:

    Steps for configuring Secure ICAP for Network Prevent for Web with Windows servers

    1. Install OpenSSL for Windows.
    2. Install stunnel for Windows.
    3. Generate a private key and public certificate using OpenSSL.
    4. Configure the stunnel service on Windows.
    5. Start the stunnel service on the Network Prevent for Web Server on Windows.
    6. Create and import the self-signed certificate.
    7. Create a new device profile.
    8. Create a new ICAP service or modify an existing ICAP service to use Secure ICAP.


  • 2.  RE: Requesting Feedback for OpenSSL, stunnel, and DLP Web Prevent 12.5 for Secure ICAP

    Posted Mar 17, 2015 03:31 PM

    Interesting twist while implementing this process.

    Make sure when you set up the stunnel.conf file that it looks something like this. Disable SSLv2/3 to force TLSv1.2.

    ; **************************************************************************
    ; * Global options *
    ; **************************************************************************
    
    debug = 7
    output = c:\path\log.txt
    
    ; **************************************************************************
    ; * Service defaults may also be specified in individual service sections *
    ; **************************************************************************
    
    options = NO_SSLv2
    options = NO_SSLv3
    cert = c:\path\dlp_server.cer
    key = c:\path\dlp_server.pem 
    fips = no
    
    [icaps]
    ; PROXY VIP
    accept = dlpservers_ip_address:11344
    ; Note - localhost allows stunnel to redirect incoming ICAPS (ICAP over TLS)
    ; to the Symantec DLP port.
    connect = 127.0.0.1:1344
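
An added example (not from the thread, Symantec or stunnel): a small Python check that parses a stunnel.conf like the one posted above and reports when SSLv2/SSLv3 are not disabled or when `connect` points off-host, which would put cleartext ICAP back on the network. The sample config is constructed from the post, and `parse_stunnel_conf`, `is_loopback` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample mirroring the stunnel.conf in the post (placeholder paths).
SAMPLE_CONF = r"""
debug = 7
options = NO_SSLv2
options = NO_SSLv3
cert = c:\path\dlp_server.cer
key = c:\path\dlp_server.pem
[icaps]
accept = dlpservers_ip_address:11344
connect = 127.0.0.1:1344
"""
REQUIRED_OPTIONS = {"NO_SSLv2", "NO_SSLv3"}  # the two options the post sets

def parse_stunnel_conf(text):
    """Return (defaults, services); values are lists because keys like 'options' repeat."""
    defaults, services = {}, {}
    current = defaults  # lines before the first [section] are global/default options
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif line and line[0] not in ";#":  # skip blank lines and comments
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return defaults, services

def is_loopback(endpoint):
    """True if a connect target stays on this host (a bare port means localhost)."""
    if ":" not in endpoint or endpoint.startswith("localhost:"):
        return True
    try:
        return ipaddress.ip_address(endpoint.rsplit(":", 1)[0].strip("[]")).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as off-host

def audit(text):
    """Return a list of findings for the settings discussed in the post."""
    defaults, services = parse_stunnel_conf(text)
    findings = []
    if defaults.get("debug", [""])[-1] == "7":
        findings.append("global: debug = 7 is debug-level logging")
    for name, svc in services.items():
        # Service sections add to the option set inherited from the defaults.
        opts = set(defaults.get("options", []) + svc.get("options", []))
        findings += [f"{name}: missing options = {o}" for o in sorted(REQUIRED_OPTIONS - opts)]
        findings += [f"{name}: connect = {t} sends cleartext ICAP off-host"
                     for t in svc.get("connect", []) if not is_loopback(t)]
    return findings
```

The check covers only the two `options` lines from the post; those lines turn off SSLv2 and SSLv3 and leave the choice among TLS versions to the OpenSSL build and the peer, so confirm the negotiated version from the proxy side.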