Date

August 17, 2017

Description

Customers who use Bluecoat Proxies may not be able to access Silo

Duration

~ 4 days

Affected components

All Silo connections from affected customers are blocked

Affected customers

Any user who uses a Bluecoat proxy for content filtering and has enabled a block of the “Proxy Avoidance” category will have Silo connections blocked.

Root cause analysis

Bluecoat’s internal mis-categorization and subsequent update to customers’ devices



Event Log

On 8/17/2017 at 11:35 AM Pacific Time, some Authentic8 customers began reporting that they were not able to connect to Silo.  In addition, these customers reported that they could not access https://support.authentic8.com or our homepage, https://www.authentic8.com.


We also reviewed system info and there were no production issues.


After some discussion with these customers, we discovered that they were using Bluecoat proxies and that whitelisting our domains allowed the connections to go through again.  



A subsequent check on Symantec’s categorization site (https://sitereview.bluecoat.com/sitereview.jsp) revealed that authentic8.com is listed as a “Proxy Avoidance” site. 

Resolution

As customers have reported this issue, we have been alerting them to the whitelisting solution and have begun asking them to report this mis-categorization to Bluecoat. 


Note: See below for detailed information on how to whitelist our domain.


Moving Forward

Incidents like this may occur again in the future with this vendor or others and our goal is to improve our service offering whenever possible.  Our customer base may assist by doing the following:


  • Immediately report this mis-categorization to your content provider.  Silo is used as both a security tool and a research tool, not as a proxy avoidance mechanism.  For the majority of our customers in secure networks, it is actually not possible to run our product without whitelisting our connections from SSL termination since our client will not allow connections which attempt to SSL terminate.  By definition, this means that all connections to our service are sanctioned by our corporate IT departments.




Quick Guide to Whitelisting Authentic8 using Bluecoat Proxy URL Categories


Testing a URL via the CLI

  1. Log in to the CLI via ssh or via the console admin account

  2. Activate enable mode by typing "enable" and entering the enable password

  3. Activate configure mode by typing "conf t"; your prompt will change to # to show that you are now in configure mode

  4. Activate the content-filter section of the configuration by typing "content-filter"

  5. Test a URL using the "test-url" command followed by the URL. For example,

    #(config content-filter) test-url authentic8.com
    Testing URL 'http://authentic8.com/'
    categories:                Technology/Internet; Proxy Avoidance
    application name:          none
    application operation:     none

  6. When you are done testing URLs, use "exit" repeatedly to exit each component and log out
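
Added example, not part of the original guide: Python that parses saved "test-url" output in the format shown above and reports which tested URLs fall into a category your policy denies. The BLOCKED_CATEGORIES set and the second stanza of the sample transcript are assumptions made for illustration.

```python
import re

BLOCKED_CATEGORIES = {"Proxy Avoidance"}  # assumption: categories your policy denies

# Constructed transcript in the test-url format shown above (second stanza invented).
SAMPLE_TRANSCRIPT = """\
#(config content-filter) test-url authentic8.com
Testing URL 'http://authentic8.com/'
categories:                Technology/Internet; Proxy Avoidance
application name:          none
application operation:     none
#(config content-filter) test-url example.com
Testing URL 'http://example.com/'
categories:                Technology/Internet
"""

URL_LINE = re.compile(r"^Testing URL '([^']+)'$")
FIELD_LINE = re.compile(r"^([a-z ]+):\s*(.*)$")


def parse_test_url(transcript):
    """Return one dict per 'Testing URL' stanza with its parsed fields."""
    results = []
    for line in map(str.strip, transcript.splitlines()):
        url = URL_LINE.match(line)
        field = FIELD_LINE.match(line)
        if url:
            results.append({"url": url.group(1), "categories": []})
        elif field and results:
            key, value = field.groups()
            if key == "categories":
                value = [c.strip() for c in value.split(";") if c.strip()]
            results[-1][key] = value
    return results


def blocked_urls(transcript, blocked=BLOCKED_CATEGORIES):
    """Map each tested URL to the denied categories it falls into."""
    wanted = {b.lower() for b in blocked}
    hits = {}
    for entry in parse_test_url(transcript):
        matched = [c for c in entry["categories"] if c.lower() in wanted]
        if matched:
            hits[entry["url"]] = matched
    return hits


if __name__ == "__main__":
    for url, cats in blocked_urls(SAMPLE_TRANSCRIPT).items():
        print(f"{url}: denied by category {', '.join(cats)}")
```

Running the same check on a schedule against the domains your users depend on surfaces a vendor re-categorization before users report blocked connections.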


Testing a URL via the management console web UI

  1. Log in to the management console web UI, navigate to Configuration, Content Filtering, General

  2. In the "Diagnostics" section, enter a URL in the "URL" text box. Click the "Test" button to check the categorization of the URL.

You can also use the "Categories" button to view a list of all categories.

Whitelisting or exempting a URL

The basic instructions for this are available from Symantec.

  1. Log in to the management console web UI, navigate to Configuration, Policy, Visual Policy Manager, and click the "Launch" button

  2. In the Visual Policy Manager, add a new Web Access Layer

  3. Give the new layer a unique and memorable name

  4. The new layer starts with a default deny rule, which we will modify.

    1. First, set the Destination:

    2. Set the destination to a new “Request URL Category” object. First, click the New… button

    3. Then, scroll down the list and select Request URL Category…

    4. Now, configure the new Request URL Category with a unique name and select the Policy top-level category (your configuration may have custom entries underneath this top-level object already)

    5. Click the Add button to create a new category under the Policy top-level object. Give the object a unique and memorable name.

    6. Ensure that the checkbox is selected.

    7. Click the Edit URLs button to add the Authentic8 URLs to the new category

    8. Click Okay to save the edited URLs. Click Okay again to save the Request URL Category object. Click Okay once more to save the Destination. You should now be back at the web access layer rules screen. The Destination should be set to the new Request URL Category object.

    9. Right click on the rule’s Action to change it from Deny to Allow

    10. The final rule should look something like this (I like to make sure I add helpful comments to my rules).

  5. Next, you’ll need to ensure that the new whitelist web access layer is processed prior to any other web access layers. To do this, select the Edit menu and choose Reorder Layers…

  6. Ensure that the new whitelist web access layer is above other web access layers

  7. Finally, install and test the new policy



If you have any questions about this process, please contact Authentic8 support.