Home > Cisco, DLP & PCI DSS, Proxy, Security, Windows > SSL decryption on Cisco Ironport & Firefox CA management

SSL decryption on Cisco Ironport & Firefox CA management

If you decide to terminate SSL on your proxy (such as Cisco Ironport, for instance) to check your traffic for viruses and/or DLP puposes (which I highly recommend otherwise you do leave a huge hole in your security perimeter) you will face a need to distribute Ironport’s self signed certificate within your organization. It is not a problem for IE and Chrome where you can simply roll the certificate out using AD Group Policy but if you’re using Firefox you have a problem.

These guys do not bother to include any management tools to maintain their lovely browser (no sarcasm – it’s realy good :)) in enterprise. Moreover they decided to be clever and implemented they own CA management. Long story short you need to use their own certutil.exe from NSS package to automate certificate rollout. Bad news is that they do not provide binaries and suggest you to compile your own ones! Clever move… why?!..

Alternatively, if you want to make your life simpler and do not care about certificates your users might have already installed in their Firefoxes you may simply import the certificate on one machine and then distribute  resulting cert8.db (overwriting those already installed).

  1. rkl
    May 17, 2012 at 8:03 pm

    There is a good reason to not supply such management tools. SSL is only as secure as its root certificate store. Once you compromise it, as you are advocating here, the security provided by SSL and your browser is meaningless. Consider the implications of importing this cert: you are now allowing spoofed certificates to masquerade as legitimate ones. There is no differentiation to the end user without reviewing the entire certificate chain.

    • May 28, 2012 at 1:33 pm

      I see what you mean and agree with importance of trusted root certificates but following your logic it, perhaps, would not be a bad idea at all to get rid of Active Directory and group policies then?

      When someone is trying to compete on the enterprise market (say Firefox vs IE) it is vital to match competitors on management front as well. As I personally do not have time to manually import a certificate on 600 desktops I will never deploy Firefox in my company as a primary browser…

      Also, the IronPort as many other proxy servers, does not blindly re-encrypt all data regardless of the original certificate of a web site. Administrator is able to define what to do with certificates which have expired, do not match the host name or have other problems. So security is not just not weaker but it is even stronger as you are able to enforce the policy with regard to invalid certificate handling and not simply rely on sensibility of a user who may simply add another exception in their Firefox (regardless informational safety of the website).

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: