Blue Coat ® Systems
ProxySG ® Appliance
Configuration and Management Suite
Volume 4: Securing the Blue Coat ProxySG
SGOS Version 5.3.x
Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright © 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering
Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian
and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the
Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Document Number: 231-03013
Document Revision: SGOS 5.3.1—08/2008
Contents
Contact Information
Chapter 1: About Security
Controlling ProxySG Access ........................................................................................................... 11
Controlling User Access with Identity-based Access Controls.................................................. 12
SSL Between the ProxySG and the Authentication Server ......................................................... 12
About This Book................................................................................................................................ 13
Document Conventions ................................................................................................................... 13
Notes and Warnings ......................................................................................................................... 14
About Procedures ............................................................................................................................. 14
Illustrations ........................................................................................................................................ 15
Chapter 2: Controlling Access to the ProxySG
Limiting Access to the ProxySG...................................................................................................... 17
Requiring a PIN for the Front Panel ........................................................................................ 17
Limiting Workstation Access.................................................................................................... 18
Securing the Serial Port ............................................................................................................. 18
About Password Security ................................................................................................................ 18
Limiting User Access to the ProxySG—Overview....................................................................... 19
Moderate Security: Restricting Management Console Access Through the Console Access
Control List (ACL) .................................................................................................................... 21
Maximum Security: Administrative Authentication and Authorization Policy ..................... 23
Defining Administrator Authentication and Authorization Policies ................................. 23
Defining Policies Using the Visual Policy Manager.............................................................. 23
Defining Policies Directly in Policy Files ................................................................................ 24
Admin Transactions and <Admin> Layers............................................................................ 24
Example Policy Using CPL Syntax .......................................................................................... 28
Chapter 3: Controlling Access to the Internet and Intranet
Section A: Managing Users
About User Login.............................................................................................................................. 30
Viewing Logged-In Users ................................................................................................................ 30
Logging Out Users............................................................................................................................ 31
Inactivity Timeout ...................................................................................................................... 32
Administrator Action................................................................................................................. 32
Policy ............................................................................................................................................ 32
Refreshing User Data ...................................................................................................................... 33
Credential Refresh Time ........................................................................................................... 33
Authorization Refresh Time .................................................................................................... 34
Surrogate Refresh Time............................................................................................................. 34
Policy............................................................................................................................................ 35
Related CLI Syntax to Manage Users ............................................................................................ 35
Section B: Using Authentication and Proxies
Terminology ...................................................................................................................................... 37
About Authentication Modes ......................................................................................................... 38
Setting the Default Authenticate Mode Property.................................................................. 40
About Origin-Style Redirection ............................................................................................... 40
Selecting an Appropriate Surrogate Credential .................................................................... 41
Configuring Transparent Proxy Authentication ................................................................... 41
Permitting Users to Login with Authentication or Authorization Failures ...................... 42
Using Guest Authentication ..................................................................................................... 43
Using Default Groups................................................................................................................ 45
Guest Authentication Example....................................................................................................... 45
Overview of Policy Steps .......................................................................................................... 45
Section C: Using SSL with Authentication and Authorization Services
Using SSL Between the Client and the ProxySG ................................................................... 46
Section D: Creating a Proxy Layer to Manage Proxy Operations
Using CPL ................................................................................................................................... 47
Chapter 4: Managing X.509 Certificates
Section A: Concepts
Public Keys and Private Keys ......................................................................................................... 58
Certificates ......................................................................................................................................... 58
SSL Certificates ........................................................................................................................... 58
CA Certificates............................................................................................................................ 59
External Certificates................................................................................................................... 59
Keyrings ............................................................................................................................................. 59
Cipher Suites Supported by SGOS Software ................................................................................ 59
Server-Gated Cryptography and International Step-Up ............................................................ 60
Section B: Using Keyrings and SSL Certificates
Creating a Keyring ........................................................................................................................... 63
Deleting an Existing Keyring and Certificate ........................................................................ 66
Section C: Managing Certificates
Managing Certificate Signing Requests ........................................................................................ 67
Creating a CSR............................................................................................................................ 67
Viewing a Certificate Signing Request.................................................................................... 69
Managing SSL Certificates .............................................................................................................. 69
Creating Self-Signed SSL Certificates...................................................................................... 70
Importing a Server Certificate ................................................................................................. 71
Using Certificate Revocation Lists ................................................................................................ 72
Troubleshooting Certificate Problems ........................................................................................... 73
Section D: Using External Certificates
Importing and Deleting External Certificates .............................................................................. 75
Deleting an External Certificate ............................................................................................... 76
Digitally Signing Access Logs......................................................................................................... 76
Section E: Advanced Configuration
Importing an Existing Keypair and Certificate ............................................................................ 77
About Certificate Chains ................................................................................................................. 79
Importing a CA Certificate .............................................................................................................. 79
Creating CA Certificate Lists .......................................................................................................... 81
Section F: Checking Certificate Revocation Status in Real Time (OCSP)
About OCSP ...................................................................................................................................... 84
How Blue Coat ProxySG Uses OCSP ...................................................................................... 84
Basic OCSP Setup Scenarios ..................................................................................................... 85
BlueCoat Reverse Proxy and SSL Proxy Scenarios ............................................................... 87
Creating and Configuring an OCSP Responder .......................................................................... 88
Setting the Default Responder ........................................................................................................ 92
OCSP CLI Commands...................................................................................................................... 93
OCSP CPL Policy Configuration .................................................................................................... 94
OCSP Listed Exceptions .................................................................................................................. 94
OCSP Access Log Fields .................................................................................................................. 94
Chapter 5: Certificate Realm Authentication
How Certificate Realm Works ........................................................................................................ 97
Creating a Certificate Realm ........................................................................................................... 98
Defining a Certificate Realm ........................................................................................................... 98
Defining Certificate Realm Authorization Properties................................................................. 99
Defining Certificate Realm General Properties .......................................................................... 101
Revoking User Certificates ............................................................................................................ 103
Creating the Certificate Authorization Policy ............................................................................ 104
Tips ................................................................................................................................................... 105
Certificate Realm Example ............................................................................................................ 105
Chapter 6: Oracle COREid Authentication
About COREid Interaction with Blue Coat................................................................................. 109
Configuring the COREid Access System .................................................................................... 110