Solved

Default Microsoft appsuite SSL do not decrypt rule - SSL Decryption Default Policy

  • 1 November 2022
  • 3 replies
  • 132 views

Badge +11

Hello good afternoon, thank you for your time and for your collaboration.

 

I have a question. Checking the tenant, one of the default policies preconfigured at the SSL Decryption Policies level relates to the Office 365 suite and indicates that decryption is not performed. It also shows the following:

 

Policy name: Default Microsoft appsuite SSL do not decrypt rule
Action: Do Not Decrypt
"SNI-based policies will apply but no deep analysis performed via real-time protection policies"

 

Based on this ("SNI-based policies will apply but no deep analysis performed via real-time protection policies"), I understand that it is important to be able to deeply examine Office traffic in order to correctly inspect, decrypt and distinguish the Office 365 SaaS cloud apps, and to distinguish the actions users take in SharePoint, Teams, OneDrive, Outlook and Office 365 in general. Now, as indicated, if by default it does not decrypt Microsoft App Suite traffic, does this mean that none of the inline controls with real-time policies will be effective? Or does this only apply to the Office desktop applications? Reviewing the "Steering Configuration" of the Default Tenant config, under Exceptions, only Office 365 appears, related to the desktop app: Microsoft Office 365 Outlook.com MacOS / Windows.

 

Reviewing the details, I see that it does not list the entire suite of applications, including the SaaS cloud apps, so with this Do Not Decrypt policy, will I by default be losing all visibility of Microsoft? Or is this because many Microsoft products are certificate-pinned applications? But if so, what happens with all the web cloud app traffic of the Microsoft suite? With this default rule I will not be able to inspect it in depth or apply inline controls such as restricting download, upload, share, post, view, edit, delete, rename, among others; that is, everything related to Activities, since by not decrypting I will not be able to inspect the traffic, correctly identify the applications, the actions, etc., and Netskope will only bypass it no matter how much it matches some real-time policy...

 

I remain attentive to your comments and your considerations, details and/or classifications.

 

Thank you

 

Best regards

 

SSL Decryption:

https://docs.netskope.com/en/ssl-decryption.html#:~:text=If%20there%20is%20any%20traffic%20that%20you%20would%20like%20to%20leave%20encrypted%2C%20such%20as%20anonymous%20guest%20traffic%20and%20private%20financial%20/%20medical%20traffic%2C%20you%20can%20specify%20them%20in%20a%20SSL%20Decryption%20policy.%20Note%20that%20traffic%20left%20encrypted%20will%20not%20be%20further%20analyzed%20by%20Netskope .

 


Best answer by MetgatzNK 1 November 2022, 19:22


3 replies

Userlevel 5
Badge +16

Your understanding of the loss of visibility and enforcement through the default DnD rule is entirely correct. Additionally, traffic that matches an accepted DnD rule is not logged as part of the App log, even if the DnD match was done through an App match.

As for the steering exceptions, the vast majority of those are associated with traffic coming from a specific binary name. If the named executable matches one from Security Cloud Platform - App Definition - Certificate Pinned Apps, the OS matches the steering exception, and the destination is listed in the cert-pinned app steering exception, the traffic egresses directly from the workstation to the destination. Your Netskope tenant won't even see the traffic if the default "Bypass" rule is applied. For it to transit through the Netskope tenant, you would need to change the default to "Bypass + Tunnel".

Exceptions (netskope.com)

 

 

 

Badge +11

Hello @qyost, thank you for your reply.

So, to be able to observe and properly inspect the traffic of the entire Office 365 suite, at least for SaaS cloud-access type apps, would it be enough to remove the default policy mentioned above, or simply change its action to Decrypt?

With this, would I regain visibility over all cloud app web SaaS traffic by means of real-time inline policies?

 

Thank you

 

I remain attentive

 

Best regards

 

 

Userlevel 5
Badge +16

That has been my experience, yes.
With the enhanced visibility it then becomes possible to identify your specific instances and create rules that permit access to just those. Additionally, the traffic going to those apps also becomes visible to (and subject to) your real-time DLP rules.
