Securing Internet for Remote Users
Designing a SWG Policy
A Secure Web Gateway (SWG) protects company data and enforces security policy by operating between the company’s employees and the Internet. This protection is based on DNS and URL filtering policies derived from a database classifying websites by topic or category. DNS filtering blocks web traffic based on DNS queries, meaning the websites are filtered according to the domain name. URL filtering blocks web traffic based on an entire URL, not just the domain name. URLs can refer to specific web pages or files hosted at a domain, not the entire domain.
To protect web traffic properly, it is recommended to have SSL inspection enabled for all traffic. SSL inspection refers to a process in which SSL-encrypted internet communication between a client and a server is intercepted and inspected. Most Internet communications are encrypted using SSL; therefore, enabling SSL inspection is crucial when using the Web Gateway advanced URL filtering and Security solutions. SSL Exclusions enable the exclusion of certain domains from SSL inspection. Domains can be excluded for various reasons, such as to avoid inspecting domains that handle sensitive data or for applications that use certificate pinning, since SSL inspection of such applications' traffic could result in connection failure. HPE Aruba maintains a list of default URLs that are excluded from inspection. Operators can identify additional exclusions as well.
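The difference between DNS filtering, URL filtering and an SSL exclusion can be seen in a small model of what the gateway is able to observe for each request. This is an added example, not HPE Aruba Networking SSE code or configuration; the domains, categories, rules and the allow-by-default fallback are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample data, not taken from any vendor category database.
DOMAIN_CATEGORIES = {"casino.example.org": "gambling",
                     "files.example.com": "file-sharing"}
BLOCKED_CATEGORIES = {"gambling"}
URL_RULES = [  # (host, path prefix, action), first match wins
    ("files.example.com", "/public/", "allow"),
    ("files.example.com", "/", "block"),
]
SSL_EXCLUSIONS = {"bank.example.net"}  # e.g. sensitive data or pinned certificates


def visible_fields(url, ssl_inspection=True):
    """Return (host, path) as the gateway can observe them; path may be None."""
    parts = urlsplit(url)
    host = parts.hostname
    inspected = ssl_inspection and host not in SSL_EXCLUSIONS
    if parts.scheme == "https" and not inspected:
        # Without decryption only the hostname (DNS query, TLS SNI) is visible.
        return host, None
    # Normalise so "/public/../uploads/x" cannot ride on the "/public/" rule.
    path = posixpath.normpath(unquote(parts.path or "/"))
    if parts.path.endswith("/") and path != "/":
        path += "/"
    return host, path


def decide(url, ssl_inspection=True):
    """Return (action, reason) for one request."""
    host, path = visible_fields(url, ssl_inspection)
    # DNS filtering: verdict for the whole domain, works without decryption.
    if DOMAIN_CATEGORIES.get(host) in BLOCKED_CATEGORIES:
        return "block", "dns-category"
    # URL filtering: needs the full URL, so it is skipped when the path is hidden.
    if path is not None:
        for rule_host, prefix, action in URL_RULES:
            if host == rule_host and path.startswith(prefix):
                return action, "url-rule"
    return "allow", "default"
```

With inspection disabled, or for an excluded domain, the path-level rules never fire and only the domain-level verdict remains, which is why each SSL exclusion should be reviewed as a reduction in URL filtering coverage.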
Designing a CASB/DLP Policy
The HPE Aruba Networking SSE CASB (Cloud Access Security Broker) provides custom SaaS-specific controls to restrict the actions a user can perform within that SaaS application. To apply controls, an administrator simply creates custom SaaS definitions that specify which actions to control, then adds the SaaS definition in a policy rule.
For example, to block the Google Drive application, create a SaaS Application definition that matches “Google Drive”. This SaaS application would then be added to a block rule in the Policy list. Since the Web Traffic Default Rule is set to “Allow” by default, all other SaaS traffic would be allowed except for Google Drive.
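The Google Drive rule described above, modelled as an added example (not HPE Aruba Networking SSE configuration syntax or product code). The storage.example definition, the group names, the pre-classified action labels and the first-match ordering are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SaasDefinition:
    name: str
    hosts: frozenset
    actions: frozenset  # empty set means every action in the application

    def matches(self, host, action):
        # Exact host or a true subdomain; "drive.google.com.evil.example" fails.
        host_ok = any(host == h or host.endswith("." + h) for h in self.hosts)
        return host_ok and (not self.actions or action in self.actions)


@dataclass(frozen=True)
class Rule:
    name: str
    saas: SaasDefinition
    groups: frozenset  # empty set means all users
    verdict: str


GOOGLE_DRIVE = SaasDefinition("Google Drive", frozenset({"drive.google.com"}),
                              frozenset())
# Hypothetical application, used to show an action-level control.
STORAGE_UPLOAD = SaasDefinition("Storage upload", frozenset({"storage.example"}),
                                frozenset({"upload"}))

POLICY = [  # evaluated top to bottom (assumed ordering)
    Rule("Block Google Drive", GOOGLE_DRIVE, frozenset(), "block"),
    Rule("Contractors cannot upload", STORAGE_UPLOAD,
         frozenset({"contractors"}), "block"),
]
DEFAULT_RULE = ("allow", "Web Traffic Default Rule")


def evaluate(host, action, user_groups):
    """Return (verdict, rule name) for a request already classified by action."""
    for rule in POLICY:
        if rule.groups and not rule.groups & set(user_groups):
            continue  # rule is scoped to groups this user is not in
        if rule.saas.matches(host, action):
            return rule.verdict, rule.name
    return DEFAULT_RULE
```

Because the default rule allows, any application missing from the policy list is permitted, so the model makes visible which traffic is covered only by the default.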
Designing a CASB policy involves defining rules and configurations to enforce security, compliance, and governance controls for cloud applications and services. Use the following guidance:
Step 1 Understand Requirements and Objectives: Identify the security, compliance, and governance requirements of your organization. Determine the objectives for implementing CASB, such as protecting sensitive data, enforcing access controls, and ensuring compliance with regulatory requirements.
Step 2 Inventory Cloud Applications: Conduct an inventory of all cloud applications and services used in the organization. Categorize the applications based on factors such as usage, risk level, and compliance requirements.
Step 3 Understand HPE Aruba Networking SSE capabilities to control various applications.
Step 4 Define User and Device Policies: Define intended policy based on roles and groups from existing identity sources.
Following these steps, effective CASB policies can be established to protect the organization’s cloud environment, enforce security controls, and ensure compliance with regulatory requirements.
Managing Certificates
Certificate Authorities are trusted entities that issue SSL (Secure Sockets Layer) certificates. These certificates link an entity with a public key, thus authenticating online content. The CA certificates attest to the authenticity and trustworthiness of websites, domains, and organizations.
CA certificates provide authentication and encryption for secure communication, and they ensure the integrity of the documents signed with the certificate so that they cannot be altered in transit.
Admins must configure certificates for the Atmos Web gateway so that HPE Aruba Networking SSE block page URLs are trusted while users visit websites, and to enable SSL inspection, visibility, and control of encrypted sessions.
The CA certificate is configured on both the Atmos cloud and a user’s endpoint. On the Atmos side, the CA certificate is uploaded and then designated as the certificate to be used to decrypt a user’s SSL sessions. On the user’s endpoint, the CA certificate is added to the store of trusted CAs, allowing a user’s client to trust the Atmos cloud for presenting block pages and for decryption. Note that it is possible to use an already configured certificate (as part of the organization’s PKI) and upload it to the HPE Aruba Networking SSE Platform.
Threat Protection
It is recommended to proxy traffic, including basic web, through HPE Aruba Networking SSE to provide effective threat protection.
Online threats such as malware, phishing scams, and cyber attacks are becoming increasingly common, posing a significant risk to individuals and organizations. With the rise in the number of websites hosting malicious content, it is more critical than ever to ensure that users do not access websites that could potentially harm their devices or organization.
Atmos provides a solution to mitigate these risks by using threat intelligence protection to prevent users from accessing websites that could be harmful. Atmos’s advanced technology ensures that users can browse the Internet safely without worrying about potential security breaches.
The detection of high-risk websites is accomplished by analyzing various factors, including web content, domain registration information, and reputation data. Using advanced algorithms and techniques, the threat intelligence protection system can accurately identify websites that pose a significant risk to users and organizations.