
Studies On Digital Certificate Technology Towards SSL Traffic Inspection Gateways

Posted on: 2014-03-18 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Liang | Full Text: PDF
GTID: 2308330479479449 | Subject: Computer technology
Abstract/Summary:
With the rapid growth of SSL-based applications, both on the Internet and on enterprise internal networks, SSL traffic makes up a much larger share of transmitted traffic. As most network security devices cannot provide visibility into, or precise control over, SSL traffic, encrypted SSL traffic has become a new tunnel through which viruses, spyware, fraudulent applications and other network threats enter the enterprise network. Confidential information within the enterprise therefore also faces the possibility of leakage, theft and similar risks. The industry is thus actively studying how to implement SSL traffic inspection, in particular by decrypting SSL traffic so that the plaintext can be inspected and malicious SSL traffic filtered and blocked, thereby protecting network security more completely. This paper focuses on the design and implementation of an SSL traffic inspection gateway system, with particular attention to the key technologies associated with digital certificates during the encryption and decryption of SSL traffic. We propose a scheme for gateway digital certificate processing, analyze the realization of each technology in depth, and complete the detailed implementation.
To ensure the security of SSL data exchanged between the gateway and the client, we design and implement a small CA system within the protected network to provide a uniform trust mechanism. The main work is as follows. First, we propose a system design scheme based on transparent SSL interception, considering the deployment environment and functional requirements of an SSL traffic inspection gateway, so as to balance platform network processing performance, security policy control and security. Second, we design a small CA system to support the gateway's function: it establishes the trust relationship between the gateway and the client when they set up an SSL session, and it also provides the keys needed for the gateway's data encryption. The CA system uses a strict two-level hierarchical trust model, in which the gateway and the protected clients trust the same root CA, so that clients accept the SSL session offered by the gateway. The CA system's functions are implemented with the open-source package OpenSSL. Third, based on the gateway's working principle, we propose a design scheme for the digital certificate processing sub-system. Following the internal certificate processing flow, we analyze the key technologies of certificate processing from four aspects: extracting the server certificate data; parsing the server certificate information; building the gateway's self-signed certificate; and using the gateway certificate to replace the server certificate in the SSL session. We describe the processing flow and algorithm realization of each key technology and implement the sub-system's function modules one by one. Finally, we set up a system function test platform and present the test results, which prove that the overall design scheme is reasonable and that the system functions correctly. The digital certificate processing scheme and small CA system introduced in this paper also provide valuable analysis and implementation methods for other SSL traffic inspection platforms.
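The two-level trust model and the certificate replacement step described above, as an added Go example that uses only the standard library and is not the thesis's OpenSSL-based code. It assumes the gateway's replacement certificate is issued under a gateway CA that is itself signed by the enterprise root; the CA names, the keys and the www.example.com origin certificate are constructed stand-ins, and the final check shows that a client verifies the replacement chain only once the enterprise root is in its trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// issue builds a certificate for subj and signs it with signer; a nil parent means self-signed.
func issue(subj pkix.Name, dns []string, ku x509.KeyUsage, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject: subj, DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku} // CAs carry keyCertSign
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// ResignForGateway is the "replace" step: the names parsed from the origin server certificate are reissued under the gateway CA for a key the gateway holds.
func ResignForGateway(origin, gwCA *x509.Certificate, gwKey *ecdsa.PrivateKey, leafPub *ecdsa.PublicKey) *x509.Certificate {
	return issue(origin.Subject, origin.DNSNames, x509.KeyUsageDigitalSignature, gwCA, leafPub, gwKey)
}
// Demo: root CA -> gateway CA, a constructed stand-in origin certificate, the re-signed leaf, and the client chain check without/with the root trusted.
func Demo() (leaf, root *x509.Certificate, withoutRoot, withRoot error) {
	rootKey, gwKey, srvKey, leafKey := newKey(), newKey(), newKey(), newKey()
	root = issue(pkix.Name{CommonName: "Enterprise Root CA"}, nil, x509.KeyUsageCertSign, nil, &rootKey.PublicKey, rootKey)
	gwCA := issue(pkix.Name{CommonName: "SSL Inspection Gateway CA"}, nil, x509.KeyUsageCertSign, root, &gwKey.PublicKey, rootKey)
	origin := issue(pkix.Name{CommonName: "www.example.com"}, []string{"www.example.com"}, x509.KeyUsageDigitalSignature, nil, &srvKey.PublicKey, srvKey)
	leaf = ResignForGateway(origin, gwCA, gwKey, &leafKey.PublicKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	inter.AddCert(gwCA) // the gateway sends its CA certificate together with the leaf
	opts := x509.VerifyOptions{DNSName: "www.example.com", Roots: roots, Intermediates: inter}
	_, withoutRoot = leaf.Verify(opts)
	roots.AddCert(root) // the protected client has the enterprise root installed
	_, withRoot = leaf.Verify(opts)
	return
}

func main() { leaf, _, without, with := Demo(); fmt.Println(leaf.Issuer.CommonName, without, with) }
```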
Keywords/Search Tags: SSL, Traffic inspection, Digital certificate, OpenSSL