Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, March 21, 2008

To Bypass or Not to Bypass SSL

In the past this decision was easy. There was little risk in bypassing SSL sites on your proxy, and most administrators didn't want to deal with the implications of proxying SSL connections, so SSL was for the most part bypassed in forward proxy deployments.

As SSL becomes more prevalent on the web, the need to inspect SSL content has become much more important. Public webmail sites are quickly moving to SSL, and the ability to send confidential company data out over SSL is more likely now than ever. In addition, with the amount of malware on internet sites, downloading a piece of malware onto the corporate network from a "secure" site is a real risk: SSL tells you the connection is encrypted, not that the content is safe.

With this in mind, using a proxy to terminate SSL connections and inspect the content entering and leaving the corporate network makes a lot of sense. Fortunately, many proxies offer this ability today, and some partner with DLP/ILP (Data/Information Leak Protection) vendors to inspect outgoing content for company-confidential material.

The major concern with proxying SSL connections and inspecting content is where this may conflict with existing privacy laws or corporate privacy policy. This is where the proxy's ability to set granular policy is critical. In addition, the proxy should offer authentication (so policy can differ by user or group) and coaching pages that warn the user before they continue to sensitive sites (like banking or health) if there is a concern about that information being inspected. Alternatively, those site categories can simply be blocked or bypassed. The really astute administrator will work with their HR department to decide which policy is best for their organization.
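The policy described in the two paragraphs above, as an added example that is not part of the original post or of any proxy product: a small Python policy engine for a forward proxy. A forward proxy learns the destination host from the client's CONNECT request before any TLS bytes flow, so that is where it decides, per host category, whether to bypass, intercept, coach or block, and an illustrative DLP check runs over an outbound body that the proxy can only see once it has terminated the session. The hostnames, categories and DLP rules are constructed assumptions for this illustration.

```python
"""Policy engine for an SSL-intercepting forward proxy (added example).

Not code from the original post or any proxy product. Hostnames,
categories and DLP rules are constructed assumptions; a real deployment
would use a URL-categorisation feed and a DLP engine.
"""
import re
from enum import Enum
from typing import Collection


class Action(Enum):
    BYPASS = "bypass"        # tunnel the TLS session untouched, no inspection
    INTERCEPT = "intercept"  # terminate TLS on the proxy, inspect, re-encrypt
    COACH = "coach"          # show a warning page; intercept once acknowledged
    BLOCK = "block"          # refuse the CONNECT outright


# Assumed categorisation data (constructed for this example).
CATEGORIES = {
    "mail.example.net": "webmail",
    "bank.example.org": "banking",
    "myhealth.example.org": "health",
    "phish.example.biz": "malware",
}

# Granular per-category policy: banking is bypassed entirely and health
# sites are coached so inspection does not collide with privacy law or HR
# policy; known-bad sites are blocked; everything else is inspected.
POLICY = {
    "banking": Action.BYPASS,
    "health": Action.COACH,
    "malware": Action.BLOCK,
}
DEFAULT_ACTION = Action.INTERCEPT

CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:/]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(request_line: str) -> tuple:
    """Extract (host, port) from an HTTP CONNECT request line."""
    m = CONNECT_RE.match(request_line.strip())
    if m is None:
        raise ValueError("not a CONNECT request: %r" % request_line)
    return m.group("host").lower(), int(m.group("port"))


def decide(host: str, acknowledged: Collection[str] = ()) -> Action:
    """Action for a destination host. `acknowledged` holds hosts for which
    the authenticated user already clicked through the coaching page."""
    category = CATEGORIES.get(host, "uncategorised")
    action = POLICY.get(category, DEFAULT_ACTION)
    if action is Action.COACH and host in acknowledged:
        return Action.INTERCEPT
    return action


# Assumed DLP rules: a classification marker, or a 16-digit card number
# that passes the Luhn check (so random digit runs are not flagged).
MARKER_RE = re.compile(r"\bCOMPANY CONFIDENTIAL\b", re.IGNORECASE)
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(body: bytes) -> list:
    """DLP findings for a decrypted outbound body (only available once the
    proxy has terminated TLS, i.e. under Action.INTERCEPT)."""
    text = body.decode("utf-8", errors="replace")
    findings = []
    if MARKER_RE.search(text):
        findings.append("classification-marker")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0)))
           for m in PAN_RE.finditer(text)):
        findings.append("card-number")
    return findings


def handle(request_line: str, acknowledged: Collection[str] = (),
           outbound_body: bytes = b""):
    """Full decision for one CONNECT: returns (action, dlp_findings).
    A bypassed session is opaque to the proxy, so its body is never scanned."""
    host, _port = parse_connect(request_line)
    action = decide(host, acknowledged)
    if action is Action.INTERCEPT and outbound_body:
        findings = scan_outbound(outbound_body)
        if findings:
            return Action.BLOCK, findings
    return action, []


if __name__ == "__main__":
    # Constructed sample traffic.
    print(handle("CONNECT bank.example.org:443 HTTP/1.1"))
    print(handle("CONNECT myhealth.example.org:443 HTTP/1.1"))
    print(handle("CONNECT mail.example.net:443 HTTP/1.1",
                 outbound_body=b"Attached: Q3 forecast. COMPANY CONFIDENTIAL"))
```

The trade-off to notice is in `handle`: a bypassed banking session is never scanned even when its body carries the classification marker. That loss of visibility is exactly what the administrator and HR are accepting when they put a category on the bypass list, which is why the choice between bypass, coach and intercept has to be made per category rather than globally.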

Implementing an SSL proxy will of course require some end-user education on what to expect with SSL certificates, and on the warnings their browsers will generate when they are presented with a certificate issued by the proxy rather than by the site's own certificate authority. We'll discuss certificates and other security issues in a future blog article.
