[Ach] Bluecoat Proxies
Adam Lewicki
adam at lewicki.at
Thu Nov 21 16:39:20 CET 2013
Hi *
Here's my initial writeup for the Bluecoat section;
maybe someone can funnel it into the proxy_solutions.tex file :)
# diff -u proxy_solutions.tex proxy_solutions_bc.tex
--- proxy_solutions.tex 2013-11-21 16:28:55.397613623 +0100
+++ proxy_solutions_bc.tex 2013-11-21 16:38:00.823926145 +0100
@@ -32,7 +32,54 @@
\end{lstlisting}
\subsubsection{Bluecoat}
-\todo{sure?}
+%% https://kb.bluecoat.com/index?page=content&id=KB5549
+\begin{description}
+\item[Tested with Version:] SGOS 6.5.x
+
+BlueCoat Proxy SG Appliances can be used as forward and reverse
proxies. The reverse proxy feature is rather under-developed, and
while it is possible and supported, there only seems to be limited use
of this feature "in the wild" - nonetheless there are a few cipher
suites to choose from, when enabling SSL features.
+
+\item[Only allow TLS 1.0,1.1 and 1.2 protocols:] \mbox{}
+
+\begin{lstlisting}[breaklines]
+$conf t
+$(config)ssl
+$(config ssl)edit ssl-device-profile default
+$(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
+ ok
+\end{lstlisting}
+\item[Select your accepted cipher-suites:]
+
+\begin{lstlisting}[breaklines]
+$conf t
+Enter configuration commands, one per line. End with CTRL-Z.
+$(config)proxy-services
+$(config proxy-services)edit ReverseProxyHighCipher
+$(config ReverseProxyHighCipher)attribute cipher-suite
+Cipher# Use Description Strength
+------- --- ----------------------- --------
+ 1 yes AES128-SHA256 High
+ 2 yes AES256-SHA256 High
+ 3 yes AES128-SHA Medium
+ 4 yes AES256-SHA High
+ 5 yes DHE-RSA-AES128-SHA High
+ 6 yes DHE-RSA-AES256-SHA High
+ [...]
+ 13 yes EXP-RC2-CBC-MD5 Export
+
+Select cipher numbers to use, separated by commas: 2,5,6
+ ok
+\end{lstlisting}
+
+The same protocols are available for forward proxy settings and
should be adjusted accordingly:
+In your local policy file add the following section:
+\begin{lstlisting}[breaklines]
+<ssl>
+ DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
+\end{lstlisting}
+
+Disabling protocols and ciphers in a forward proxy environment could
lead to unexpected results on certain (misconfigured?) webservers
(i.e. ones accepting only SSLv2/3 protocol connections)
+
+\end{description}
\subsubsection{Pound}
% See http://www.apsis.ch/pound
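Review bot: The forward-proxy part of this hunk is not its own description item, so the text starting "The same protocols are available for forward proxy settings" and the policy listing `<ssl> DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)` will render as a continuation of "Select your accepted cipher-suites:"; give it its own `\item[Forward proxy: deny SSLv2/SSLv3:] \mbox{}` and use `\mbox{}` consistently (the "Only allow TLS" item has it, the cipher-suites item does not). The cipher selection "Select cipher numbers to use, separated by commas: 2,5,6" is left unexplained; a sentence saying why 2, 5 and 6 are kept (AES256-SHA256 plus the two DHE-RSA suites) and why the Medium and Export entries such as "13 yes EXP-RC2-CBC-MD5 Export" are dropped would help the reader. The forward-proxy sentence has two colons in a row ("adjusted accordingly: In your local policy file add the following section:") and the closing caveat should read "e.g. ones accepting only SSLv2/3" with a full stop. Finally, the pasted patch has mail-wrapped continuation lines without a leading "+" ("proxies. The reverse proxy feature is rather under-developed, and", "should be adjusted accordingly:", "lead to unexpected results on certain (misconfigured?) webservers"), so it will not apply with patch as-is; attaching the .tex or the diff as a file would avoid that.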
@@ -64,4 +111,4 @@
End
End
End
-\end{lstlisting}
\ No newline at end of file
+\end{lstlisting}
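Review bot: This hunk only adds the missing trailing newline at the end of the Pound listing (the "-\end{lstlisting}" / "\ No newline at end of file" / "+\end{lstlisting}" pair); it is a harmless whitespace-only change, but it is unrelated to the Bluecoat section and could be dropped or mentioned in the commit message so that whoever merges it does not look for a content change here.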
Quoting "L. Aaron Kaplan" <kaplan at cert.at>:
> On Nov 21, 2013, at 9:16 AM, Adam Lewicki <adam at lewicki.at> wrote:
>
>> Hi folks,
>>
>> in section 9.11.2 there's a TODO for a bit of BlueCoat voodoo.
>> If nobody else does I could write 1-2 paragraphs about configuring
>> a BlueCoat proxy and give some configuration snippets, although it
>> will most likely just lead to a *soft* recommendation to disable
>> the weakest of ciphers and such things as RC4-MD5.
>> The admins should be aware that disabling these things most likely
>> leads to collateral damage such as unavailable webservices.
>>
>
> +1 Thanks !!
>
>> Best wishes
>> Adam
>>
>>
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
> ---
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg