
Symantec Data Loss Prevention (DLP) / DLP Monitor and HTTPS traffic

Created: 26 Oct 2010 | 9 comments

My question concerns the ability to capture/track HTTPS traffic via DLP Monitor. I have been told that we will need to first install a Web Proxy solution to then be able to capture/track HTTPS via the Proxy into the DLP Monitor server.

Is this the case, or do I have the ability today to begin capturing and tracking HTTPS traffic via our DLP Monitor server and solution?

Thank you.


jjesse

Once you have the web installed you can inspect HTTPS traffic. The only other way w/o a proxy is to use the DLP Endpoint Agent as it interfaces at the browser level and not the network level.

Jonathan Jesse Practice Principal ITS Partners

Alex Foley

To my knowledge, Symantec's response would be that you need to have DLP Web Prevent deployed and hooked into each outbound proxy you might have -- perhaps there's a way to deploy network monitor inline before the proxy, but I'm not sure if that would give you the ability to see into HTTPS packets.  Putting it before the proxy would let you see into HTTP packets and identify the sender, instead of putting it after the proxy which shows all the traffic coming from the proxy itself (the purpose of the proxy).

Alex Foley

abistacchi

Also, whichever web proxy you use, you will have to do HTTPS inspection, which usually costs, and you will have to create an HTTPS certificate on the proxy and also install it on the end users' browsers.

It's basically a man in the middle attack that you are creating.

Curtis Carroll

Current versions of Network Monitor do not have the ability to monitor HTTPS encrypted traffic.  As others have stated, this can be done by integrating Web Prevent with web proxies that provide HTTPS/SSL interception or by installing the endpoint agent.

Curtis Carroll
Symantec DLP Product Manager
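To make Curtis's point concrete, here is an added example (mine, not code from this thread or from Symantec): a small Python parser run over constructed TLS records, showing what a passive tap such as Network Monitor can recover without terminating TLS at a proxy or endpoint. It sees the SNI hostname in the ClientHello and the length of each encrypted application_data record, but never the content a DLP policy would need to scan; the builder functions and sample bytes are my own constructions.

```python
import struct

# Constructed sample, not a real capture: a minimal TLS 1.2 ClientHello
# record carrying a server_name (SNI) extension for the given hostname.
def build_client_hello(hostname: str) -> bytes:
    host = hostname.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_ext = struct.pack("!HH", 0x0000, len(name) + 2) + struct.pack("!H", len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32                            # client_version + random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"          # two cipher suites
            + b"\x01\x00"                                         # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)          # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: an application_data record (the encrypted upload itself).
def build_app_data(ciphertext: bytes) -> bytes:
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

def passive_view(record: bytes) -> dict:
    """Everything a passive tap can extract from one TLS record without the
    session keys: record type and length, plus the SNI from a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
    view = {"type": {0x16: "handshake", 0x17: "application_data"}.get(ctype, "other"),
            "length": length, "sni": None, "content_visible": False}
    hs = record[5:5 + length]
    if ctype != 0x16 or not hs or hs[0] != 0x01:
        return view                       # encrypted payload: byte count only, nothing to scan
    p = 4 + 2 + 32                        # skip handshake header, client_version, random
    p += 1 + hs[p]                        # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                        # compression_methods
    if p + 2 > len(hs):
        return view                       # no extensions, hence no SNI
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000 and elen >= 5:  # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            view["sni"] = hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return view
```

The destination hostname is all a passive sensor gets for an HTTPS session; the plaintext exists only on the endpoint (hence the Endpoint Agent) or on a proxy that terminates the connection (hence Web Prevent with an intercepting proxy).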

Sushant

We have uploaded the license file for the complete Symantec DLP package, but after uploading the license file the Network Monitor product is not showing in the list.

Can anybody guess what the reason and resolution are?

Stephen Heider

You probably should have posted this into a new thread?

But if you have an issue with your License not showing a Monitor, I would check the file you uploaded with the License into Enforce? You can open it in Notepad - is Network Monitor listed there? If not, check with your sales contact.

If it is there, I would open a ticket with support to address this issue.

Sushant

Thanks for your inputs. Yes, that license was wrong.

One more thing: now Network Monitor is showing and we are able to capture the traffic.

But we are not able to capture HTTPS traffic with the latest version 11.0. What may be the reason?

ArtBahrs

Hi Sushant,

Web intercept needs a proxy for doing a "man in the middle attack", and for HTTPS your proxy will need to be able to do the decryption and such.

You may want to also talk with your network and/or web engineering team about this (if you haven't already).

Paul Aho

You may also need to work with your desktop team to put a certificate on the desktops to allow the web proxy servers to break down the SSL. Essentially the workstation talks to the proxy, and the proxy forms a new connection with the external web site. Proxy servers generally just act as a pass-through with SSL traffic. Before undertaking something like this you will also want to talk with your legal and HR teams to make sure that they are aware of what you are doing and have policies to support you. It may be ok to break down and inspect traffic going to gmail, but not banking traffic.

It will also help if your proxy servers have SSL cards in them, otherwise the traffic may be really slow.

We started working with the 8.x version of Vontu to see how this would work, and with HTTP traffic the response time was to acceptable. We are starting to look at this again with the 10.5 version.