[177407] in North American Network Operators' Group

Re: HTTPS redirects to HTTP for monitoring

daemon@ATHENA.MIT.EDU (kendrick eastes)
Sun Jan 18 07:41:57 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <CAPiURgX9jGFQMvVcW2ON1gnUkG1yEF2=n6AqfS9U6HjJu_vWdA@mail.gmail.com>
Date: Sun, 18 Jan 2015 05:41:49 -0700
From: kendrick eastes <keastes@gmail.com>
To: Grant Ridder <shortdudey123@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sun, Jan 18, 2015 at 5:29 AM, Grant Ridder <shortdudey123@gmail.com>
wrote:

> Hi Everyone,
>
> I wanted to see what opinions and thoughts were out there.  What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things?  personal use?
> enterprise enterprise?
>
> It looks like Websense might do decryption (
> http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes does
> some sort of session hijack to redirect to non-ssl (at least for Google) (
> https://twitter.com/CovenantEyes/status/451382865914105856).
>
> Thoughts on having a product that decrypts SSL traffic internally vs one
> that doesn't allow SSL to start with?
>
> -Grant
>


Admittedly I've only been on the user side of things for this, but IMO for
cases like this MITM > stripping. If your users need to access anything
outside your intranet (Google Apps comes to mind right away, any kind of
outsourced web-based training, etc.) that requires SSL to function, it would
be broken by stripping, but with MITMing the connection and having your
internal certs set up properly, it won't even blip.

That being said, squid can be configured to transparently decrypt and
re-encrypt the session. (http://wiki.squid-cache.org/Features/SslBump)
