Network Protection documentation update: Setting up SSL inspection for the Network Protection appliance

Product documentation


Abstract

This documentation update provides detailed information on how to set up SSL inspection for the Network Protection appliance.

Content

From a network configuration standpoint, the Network Protection appliance normally inspects traffic while acting simply as a network repeater, which operates on packets at the physical layer of the network. No IP address configuration is required on the network segment under inspection. When SSL inspection is enabled, however, each protection pair of interfaces must be configured with an IP address and gateway that are valid on the network segment under inspection.

For all non-SSL/non-TLS traffic, the appliance still acts like a network repeater. For SSL/TLS traffic, the appliance acts like a two-port bridge and uses a local routing table to route packets to the correct interfaces.

In some deployments, when the client devices are not on the same network segment as the appliance protection pair but are instead located on a different routable network segment separated by a non-NAT router, you might need to configure a static route on the appliance. The static route must indicate the gateway address that the appliance uses to reach the internal client network.

The process for setting up SSL inspection for the Network Protection appliance is as follows:

1. Configure a protection pair IP address.
2. Optional: Generate CA certificates on the appliance.
3. Install a public CA on all clients.
4. Configure and enable SSL inspection rules.


1: Configuring a protection pair IP address

To configure a protection pair for SSL inspection:

1. From the appliance Local Management Interface (LMI), click Manage > Protection Interfaces or in SiteProtector Management, select the Protection Interfaces policy.
2. Select the protection interface pair that is inspecting SSL traffic, and then click Edit.
3. Provide an available static IP address that is reachable by the client network.
4. Assign an appropriate netmask to the protection pair.
5. For the gateway, enter the next hop to the external network. Tip: This is usually the IP address of your router.
6. Click Save Configuration.

Note: A separate IP configuration is required for both IPv4 and IPv6 traffic. Only the type of traffic that is inspected on your network requires a protection pair IP address to be configured.

2: Optional: Generating CA certificates on the appliance

SSL inspection relies on a Certificate Authority (CA). When you install the appliance, a CA is created on the appliance, which you can use as it is. You can also generate a new CA or upload your own CA to the appliance.

You manage the appliance CA from the SSL Inspection Certificates page in the appliance LMI at Manage > SSL Inspection Certificates (for V5.1 or V5.1.1) or from the Outbound SSL Certificates page in the appliance LMI at Manage > Outbound SSL Certificates (for V5.1.2 or later). You can install multiple CA certificates on the appliance, but only one certificate can be active at a time.

3: Installing a public CA on all clients

You must install the active, public CA that is used by the appliance on all of the clients that have their traffic inspected by SSL inspection.

To download the public CA to all clients:

1. From the appliance LMI, click Manage > SSL Inspection Certificates (for V5.1 or V5.1.1) or click Manage > Outbound SSL Certificates (for V5.1.2 or later).
2. Select the CA that is marked Active, and then click Download.
3. Install the downloaded cert.pem file as a certificate authority (CA) and allow it to verify websites.

If you are using Google Chrome to install the public CA:

1. From the Settings menu, click Show Advanced Settings.
2. Under HTTP/SSL, click Manage certificates, and then click the Authorities tab.
3. Click Import.
4. Select the downloaded cert.pem file, and then click Done.
5. Check Trust this certificate for identifying websites, and then click OK.

If you are using Mozilla Firefox to install the public CA:

1. From the Tools menu, click Options > Advanced.
2. Click the Encryption tab.
3. Click View Certificates, and then click the Authorities tab.
4. Click Import.
5. Select the downloaded cert.pem file, and then click Open.
6. Check Trust this CA to identify websites, and then click OK.

If you are using Internet Explorer to install the public CA:

1. From the Tools menu, click Internet Options > Content.
2. In the Certificates area, click Certificates, and then click the Trusted Root Certification Authorities tab.
3. Click Import. The Certificate Import Wizard is displayed.
4. Click Next, and then browse to select the certificate file. You must change the file type from the default X.509 Certificate (*.cer,*.crt) to All Files.
5. Select the downloaded cert.pem file, and then click Open.
6. Click Next. Make sure the certificate store is Trusted Root Certification Authorities.
7. Click Next, and then click Finish.
8. In the Security Warning window, answer Yes to install the certificate.
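Before importing the downloaded cert.pem with any of the browser procedures above, a client administrator can confirm that the file really is a self-signed CA certificate and record its SHA-256 fingerprint for comparison with the active CA shown in the LMI. The following POSIX shell script is an added example, not part of the IBM documentation; it assumes the openssl command-line tool is installed, and the certificates it generates are constructed stand-ins for a downloaded cert.pem.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Assumes the openssl
# command-line tool is available on the client.
set -e

# check_inspection_ca FILE
# Succeeds only when FILE holds a certificate that is marked as a CA
# (basicConstraints CA:TRUE) and verifies against itself, i.e. is a
# self-signed root. Prints the SHA-256 fingerprint so it can be compared
# out of band with the fingerprint of the active CA shown in the LMI.
check_inspection_ca() {
    f="$1"
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 || return 1
    openssl x509 -in "$f" -noout -fingerprint -sha256
}

# make_constructed_certs
# Builds a throwaway self-signed CA (ca.pem) and a leaf certificate it signed
# (leaf.pem) in a temporary directory and prints that directory. These are
# constructed stand-ins for a downloaded cert.pem, used to exercise the check.
make_constructed_certs() {
    d=$(mktemp -d)
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Inspection CA
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj '/CN=constructed.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
    printf '%s\n' "$d"
}

# Usage: sh check_ca.sh cert.pem
if [ "$#" -gt 0 ]; then
    check_inspection_ca "$1" || { echo "$1: not a self-signed CA certificate" >&2; exit 1; }
fi
```

A leaf certificate, or a file that was tampered with in transit, fails the check and should not be imported into the Trusted Root or Authorities store.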

4: Configuring and enabling SSL inspection rules

SSL inspection is not active until you enable SSL inspection rules in the LMI. The appliance provides several predefined rules that you can use to set up the SSL inspection configuration quickly, or you can create your own SSL inspection rules.

You configure SSL inspection rules in the SSL Decryption policy from the LMI at Secure > SSL Decryption Policy.



Document information

More support for: IBM Security Network Protection
Software version: 5.1, 5.1.1, 5.1.2, 5.1.2.1, 5.2.0
Operating system(s): Firmware
Reference #: 7039297
Modified date: 2013-08-19
