[177413] in North American Network Operators' Group


Re: HTTPS redirects to HTTP for monitoring

daemon@ATHENA.MIT.EDU (William Herrin)
Sun Jan 18 12:35:37 2015

X-Original-To: nanog@nanog.org
X-Really-To: <nanog@nanog.org>
In-Reply-To: <CAPiURgX9jGFQMvVcW2ON1gnUkG1yEF2=n6AqfS9U6HjJu_vWdA@mail.gmail.com>
From: William Herrin <bill@herrin.us>
Date: Sun, 18 Jan 2015 12:35:02 -0500
To: Grant Ridder <shortdudey123@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sun, Jan 18, 2015 at 7:29 AM, Grant Ridder <shortdudey123@gmail.com> wrote:
> I wanted to see what opinions and thoughts were out there.  What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things?  personal use?
> enterprise enterprise?

Hi Grant,

Fidelis Security (part of GD) does this for USG customers. Good guys
with a strong, scalable product.
http://www.fidelissecurity.com/

Basically, all internal web browsers get a custom CA which
authenticates a re-signing cert. HTTPS traffic is decrypted by an IDS
agent, examined and then re-encrypted with the resigning cert.

You have to decide for yourself whether you really want to examine
your users' HTTPS traffic. It does create a rather hostile work
environment for the folks you're playing big brother to. Not quite
camera-in-the-men's-room hostile but hostile enough to deter quality
staff from seeking and maintaining employment.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?
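An added, runnable illustration of the trust relationship described in the post above; it is not code from the original message, from NANOG, or from any Fidelis product. It mints a constructed "Example Corp Inspection CA", has that CA re-sign a leaf certificate for the hypothetical host www.example.com (standing in for whatever origin the user requested), and then evaluates the re-signed chain from two client positions: a managed browser that has been given the custom CA, which accepts the certificate, and a client that trusts only its ordinary root store (modelled here by an empty pool), which rejects it. The classification step also reports when a chain's anchor is the inspection CA rather than a public root, which is the check an endpoint agent or a pinned-certificate monitor uses to tell that its HTTPS sessions are being decrypted in transit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed root, the role of the "custom CA" pushed to
// every internal browser. The common name is constructed for this example.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Resign mints the certificate the inspection device presents to the browser
// in place of the origin's real one: same hostname, but issued by the inspection CA.
func Resign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict is what a client-side check reports for one presented leaf.
type Verdict struct {
	Trusted     bool   // chain verifies against this client's root store
	Intercepted bool   // the chain's anchor is the inspection CA, not a public root
	Err         string // verification error, when not trusted
}

// Classify verifies leaf for host against roots and flags interception when
// any valid chain terminates in inspectionCA.
func Classify(leaf *x509.Certificate, host string, roots *x509.CertPool, inspectionCA *x509.Certificate) Verdict {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return Verdict{Err: err.Error()}
	}
	v := Verdict{Trusted: true}
	for _, chain := range chains {
		if inspectionCA != nil && chain[len(chain)-1].Equal(inspectionCA) {
			v.Intercepted = true
		}
	}
	return v
}

// DemoResult pairs the two client positions for the same re-signed leaf.
type DemoResult struct {
	Managed   Verdict // browser provisioned with the custom CA
	Unmanaged Verdict // browser with only its usual roots (empty pool here, as a stand-in)
}

// RunDemo wires the pieces together on constructed data.
func RunDemo() (DemoResult, error) {
	ca, caKey, err := NewCA("Example Corp Inspection CA (constructed)")
	if err != nil {
		return DemoResult{}, err
	}
	const host = "www.example.com" // hypothetical origin the user asked for
	leaf, err := Resign(ca, caKey, host)
	if err != nil {
		return DemoResult{}, err
	}
	managed := x509.NewCertPool()
	managed.AddCert(ca)
	unmanaged := x509.NewCertPool() // non-nil and empty: the inspection CA is not trusted
	return DemoResult{
		Managed:   Classify(leaf, host, managed, ca),
		Unmanaged: Classify(leaf, host, unmanaged, ca),
	}, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("managed browser:   %+v\n", res.Managed)
	fmt.Printf("unmanaged browser: %+v\n", res.Unmanaged)
}
```

The managed client reports the chain as both trusted and intercepted, which is exactly the state the post describes: the browser is happy, but only because its root store was extended. The unmanaged client fails with an unknown-authority error, which is also what users see when a BYOD device meets the same inspection point; in an inventory or monitoring context, a spike of such errors, or a chain anchored in a root that is not in the public root program, is the observable that tells you interception is happening.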
