Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, August 5, 2008

Secure ICAP

ICAP is the protocol proxies use to talk to anti-malware engines, which process content the proxy is trying to serve from the internet. The ICAP standard itself was discussed in a previous post on this blog, and it can be used for both request and response objects. Typically, request objects get scanned by DLP engines, while response objects get scanned by anti-malware engines. Since ICAP runs over the network, if these devices sit on a network that's open to everyone in your organization, someone could capture packets on that network and examine the content that's being scanned.

Secure ICAP was created to address this concern. Secure ICAP is SSL-encrypted ICAP, and it requires both the proxy and the system running the anti-malware or DLP engine to support it. The alternative, of course, is to connect a spare network interface on the proxy and on the anti-malware/DLP system to a private network, so that any data passed between the two systems is kept away from prying eyes. The requirement here is that you have spare network interfaces on both systems to dedicate to this.

When you don't have the option of a private network, Secure ICAP is a nice option to have. SSL encryption will always add a little overhead to the processing on your proxy and on your anti-malware or DLP system, so be sure to take this into account before turning on this feature on your systems and proxies.
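
To confirm that an ICAP service really is reachable over SSL/TLS before relying on it, the sketch below sends an ICAP OPTIONS request over a certificate-verified TLS connection and reports the negotiated protocol version. It is an added example, not code from this blog or from any proxy vendor; the port 11344, the host name and the service name are assumptions to replace with your own values.

```python
import socket
import ssl

ICAPS_PORT = 11344  # assumption: a commonly used Secure ICAP port; plain ICAP is 1344

def build_options_request(host, service):
    """Build an ICAP OPTIONS request (RFC 3507) for the given service path."""
    return (
        f"OPTIONS icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers) from a raw ICAP response header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def probe_secure_icap(host, service, port=ICAPS_PORT, cafile=None, timeout=5.0):
    """Connect over TLS with certificate and hostname checks, then send OPTIONS."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse legacy SSL/TLS versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_options_request(host, service))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            status, headers = parse_icap_response(raw)
            return {"tls": tls.version(), "status": status,
                    "methods": headers.get("methods")}

# Constructed sample response, so the parser can be exercised offline.
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n"
          b'ISTag: "constructed-tag-1"\r\nEncapsulated: null-body=0\r\n\r\n')
```

A call such as `probe_secure_icap("icap.example.internal", "avscan", cafile="internal-ca.pem")` (hypothetical names) raises `ssl.SSLError` if the port speaks plain ICAP or presents a certificate that does not verify.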
