Use Forefront to add a layer of protection to HTTPS connections

Source: Internet
Author: User

HTTP and HTTPS are the two protocols most web communication runs over, and apart from security they work the same way. HTTP carries requests and responses across the network in plain text, while HTTPS encrypts them, so HTTPS is far more secure, and online banking and web mail systems today almost all use it. Still, attackers keep pace with defenders, and attacks that travel over HTTPS are by no means rare. In practice, network security staff can use Forefront to put an extra layer of protection around HTTPS connections.
 

I. How does Forefront protect HTTPS connections?

In protecting HTTPS connections, Forefront actually plays the role of a man in the middle. Suppose a client on the enterprise's internal network wants to reach an Internet mailbox or an online banking site: it asks the server to set up an encrypted HTTPS connection (or the server may initiate one). When the Forefront server sees this request (provided the HTTPS protection mechanism is enabled), it inserts itself into the handshake: before the HTTPS connection is established, it verifies and inspects the relevant material for security purposes. Specifically, it checks the following.

First, it checks that the requested server is legitimate. After Forefront intercepts the user's request it does not simply reject it; before it lets the user set up a secure connection it validates the server the client asked for, which mainly means validating the certificate presented by that server (the checks any certificate validation performs: that it chains to a trusted certification authority, that it has not expired, and that it matches the requested host name). Note that without Forefront this validation is left to each client's browser and its user, and a user who clicks through a certificate warning ends up connected to a server that is not what it claims to be; centralizing the check in Forefront removes that risk from users' daily access.

Second, a new SSL certificate is created. Once Forefront has accepted the server certificate, it copies the details of the target server's certificate (subject, host names, validity period) and uses them to create a new SSL certificate. This new certificate is signed not by the original certification authority but by Forefront's own HTTPS inspection certification authority, a CA certificate that Forefront generates (or that the administrator imports) for this purpose. So two certificates now exist: the real one, which the server presents to Forefront, and the cloned one, which Forefront presents to the client. Two practical points follow. A client will only accept the cloned certificate if it trusts the inspection CA, so the inspection CA certificate must be placed in every client's trusted root store (Forefront can publish it through Active Directory). And because the inspection CA's private key can sign a certificate for any host name, the Forefront server that holds it must be protected accordingly.

Third, the new certificate is handed to the client. After the new certificate has been created from the copied details, Forefront presents it to the client computer and sets up a separate SSL tunnel with it. The result is two secure tunnels: an HTTPS connection between Forefront and the target server, and an SSL tunnel between the client and Forefront. Be clear about what this does and does not buy you. The data is encrypted on every hop, but an attacker does not have to break both tunnels: whoever can break the Internet-side tunnel between Forefront and the target server reads the traffic just as they would without Forefront, although the tunnel on the internal network between Forefront and the clients is much harder for an outsider to reach. What the design really changes is where the plaintext exists: only inside the Forefront server, which therefore becomes the trust boundary for all inspected HTTPS traffic.

Another advantage of this approach is that the content of HTTPS connections can be filtered and inspected. Without this protection mechanism, the client and the target server talk to each other directly over HTTPS, and because the traffic is encrypted Forefront cannot inspect or filter it; even if the data carries a Trojan or other malware, Forefront can do nothing about it. With the mechanism enabled, Forefront sits in the middle: it decrypts the data coming from the target server, checks it against the configured rules and, if nothing suspicious is found, re-encrypts it and sends it on to the client.
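To make the three steps above concrete, here is an added example in Go (written for this page; it is not Forefront's own code, which does all of this internally, nor code from the original article). It uses only the standard library and builds everything it needs as constructed test fixtures: a hypothetical public Internet CA, a server certificate for mail.example.com issued by it, and a hypothetical "Forefront HTTPS Inspection CA". It simplifies the client's trust store to a single root, and the step 1 validation to chain, validity period and host name (no revocation checking). interceptHandshake validates the upstream certificate and, only if that passes, mints the cloned certificate with a fresh key pair under the inspection CA; verifyChain then plays the client, once with the inspection CA trusted and once without it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type caPair struct { // a CA certificate with its private signing key
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a fresh key pair and a certificate for it from tmpl, signed by signer (self-signed when nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed CA; it models both the public Internet CA and the inspection CA (constructed fixtures).
func newCA(name string) caPair {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, key := issue(tmpl, tmpl, nil)
	return caPair{cert: cert, key: key}
}

// issueServerCert models the real certificate an Internet CA issued to host (hypothetical "Example Bank").
func issueServerCert(ca caPair, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Bank"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca.cert, ca.key)
	return cert
}

// verifyChain validates leaf (chain, validity period, host name) against one trusted root, as a browser does.
func verifyChain(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// interceptHandshake is steps 1 and 2: validate the upstream certificate, then clone it under the inspection CA.
func interceptHandshake(upstream, trustedRoot *x509.Certificate, host string, insp caPair) (*x509.Certificate, error) {
	if err := verifyChain(upstream, trustedRoot, host); err != nil {
		return nil, fmt.Errorf("upstream certificate rejected, connection blocked: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      upstream.Subject, // identity details copied from the real certificate
		DNSNames:     upstream.DNSNames,
		NotBefore:    upstream.NotBefore,
		NotAfter:     upstream.NotAfter,
		ExtKeyUsage:  upstream.ExtKeyUsage,
	}
	clone, _ := issue(tmpl, insp.cert, insp.key) // fresh key pair: the server's real private key is never needed
	return clone, nil
}

func main() {
	internetCA, inspectionCA := newCA("Example Internet Root CA"), newCA("Forefront HTTPS Inspection CA")
	host := "mail.example.com"
	clone, err := interceptHandshake(issueServerCert(internetCA, host), internetCA.cert, host, inspectionCA)
	if err != nil {
		panic(err)
	}
	fmt.Println("client trusting inspection CA:", verifyChain(clone, inspectionCA.cert, host))
	fmt.Println("client with public roots only:", verifyChain(clone, internetCA.cert, host))
}
```

Run it with `go run`. The first check returns nil and the second an unknown-authority error, which is exactly the trust-store point from step 2: a client that does not have the inspection CA installed rejects every inspected site. If the upstream certificate fails step 1 (wrong host name, untrusted issuer, expired), interceptHandshake returns an error and no clone is minted, so the proxy refuses the connection rather than passing an untrustworthy site through under a certificate the client would trust.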

 

II. Main uses of the Forefront HTTPS protection mechanism in enterprises

This HTTPS protection mechanism is mainly used in the following two scenarios.

First, all traffic must be filtered and reviewed. In Forefront, when the data between a client and an external server is encrypted, or belongs to a peer-to-peer application, Forefront cannot apply its rules to that data. Some users exploit this to bypass the policies the administrator has set, for purposes of their own. In fields with strict security requirements, such as finance, that is often not permitted. Here the HTTPS protection mechanism lets you apply the relevant policies to all traffic, encrypted traffic included.

Second, viruses and Trojans can slip quietly into the enterprise's internal network through an SSL channel, precisely because Forefront cannot examine encrypted data. Even a notorious Trojan, if it travels inside the encrypted stream, reaches the internal network unchallenged because it cannot be inspected. It is as if the Trojan file had been locked in a safe: Forefront has no key, cannot open the safe, and so cannot check what is inside.

In day-to-day work, if you run into either of these situations, consider enabling the HTTPS protection mechanism in Forefront. It improves the security of HTTPS connections and stops encryption from serving as an umbrella for Trojans and viruses.

 

III. Limitations of HTTPS inspection

Even in the latest Forefront version, not every HTTPS connection is supported. For example, HTTPS inspection does not support Extended Validation (EV) SSL certificates: if you connect to a site that uses an EV certificate, the page will not display correctly. This may be fixed in a later version, but for now the security administrator has to exclude such sites from HTTPS inspection during configuration by means of an "exception".

In practice, enable HTTPS inspection first. When a user finds that a website cannot be accessed normally, they notify the security administrator, who investigates and determines whether the site uses Extended Validation SSL. If it does, the administrator excludes that site, so that this server is no longer subject to HTTPS inspection; after the exclusion the user can reach the site normally. To exclude a server from HTTPS inspection, follow these steps.

Step 1: Open the configuration dialog. In the Forefront console, select the "Web Access Policy" node, then in the "Tasks" pane click "Configure HTTPS Inspection".

Step 2: In the dialog that opens, switch to the "Destination Exceptions" tab, which is the exception configuration tool. Click "Add"; the "Add Network Entities" dialog appears. Click "New" to create an entry containing the site to be excluded (a domain name set or URL set), then click "OK".

Note, however, that this exception mechanism should be used only when necessary. If the other party's server uses ordinary HTTPS rather than Extended Validation, there is no need for an exception rule. After all, HTTPS is used by systems with higher security requirements, and ordinary web pages generally do not use it, so the traffic it carries tends to be the most sensitive; it is exactly this traffic that should remain under HTTPS inspection.

Finally, a small tip. How does the security manager determine whether HTTPS inspection is compatible with a target site? Must the traffic be captured and analysed first? There is a shortcut. The "Configure HTTPS Inspection" dialog also has a "Source Exceptions" tab, on which you can specify internal clients that are not subject to HTTPS inspection. The administrator can add their own host as a source exception. When another user complains that a site does not work, the administrator first tries it from their own computer: if it works there but not for the other users, the site's authentication mechanism is most likely incompatible with HTTPS inspection, and the target server can be added to the destination exceptions. This judgement is far quicker than analysing data traffic.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.