Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, February 19, 2009

The trouble with SSL and web access

SSL is always a conundrum for the typical security and network administrator in an enterprise network. SSL is a good thing in that it keeps private data private, but it's a bad thing when you've got corporate policies against sending out confidential information (even on secured connections).

End-users who are given access to the internet from work can be protected from internet threats, and have corporate policy enforced, by sending them through a proxy. But what happens when they try to access an SSL-encrypted site? Often a proxy will bypass SSL-encrypted sites unless you've got an SSL proxy capability installed on your proxy. If you're bypassing SSL, that means you have no visibility or protection when an end-user visits an SSL-encrypted website. As previously discussed, the fact that a site is SSL-encrypted, or well known, is no guarantee that it is free of malware or viruses. Many well-known sites are getting infected with malware and drive-by download threats.

With respect to visibility: without an SSL proxy, you will not have any knowledge or accountability when company-confidential documents leave the corporate network through a secure web transaction.
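To make the visibility gap concrete, here is an added example (not from the original post) that sorts proxy log lines by how much the proxy could actually see. It assumes Squid's native access.log layout, which the post does not name, and runs on constructed sample lines.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (an assumption):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1235030400.101 812 10.0.0.21 TCP_MISS/200 15320 GET http://news.example/index.html - DIRECT/192.0.2.10 text/html
1235030401.250 30412 10.0.0.21 TCP_MISS/200 48211 CONNECT webmail.example:443 - DIRECT/192.0.2.20 -
1235030402.007 95 10.0.0.34 TCP_MISS/200 2210 GET https://files.example/upload/form - DIRECT/192.0.2.30 text/html
1235030403.512 1840 10.0.0.34 TCP_MISS/200 731 POST https://files.example/upload/submit - DIRECT/192.0.2.30 text/plain
1235030404.900 60233 10.0.0.34 TCP_MISS/200 912004 CONNECT bank.example:443 - DIRECT/192.0.2.40 -
truncated line
"""

def classify(line):
    """Return (client, kind, host, bytes), or None for an unparseable line."""
    f = line.split()
    if len(f) < 10 or not f[4].isdigit():
        return None
    client, size, method, url = f[2], int(f[4]), f[5], f[6]
    if method == "CONNECT":
        # Bypassed SSL: the proxy saw only host:port and a byte count.
        return client, "tunnel", url.rsplit(":", 1)[0], size
    host = urlsplit(url).hostname or "?"
    if url.startswith("https://"):
        # Intercepted SSL: method, full URL and content type were logged.
        return client, "inspected", host, size
    return client, "plain", host, size

def blind_spot_report(log_text):
    """Per client and visibility class: (request count, bytes sent to client)."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    skipped = 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            skipped += 1  # count bad lines instead of silently dropping them
            continue
        client, kind, _host, size = rec
        totals[client][kind][0] += 1
        totals[client][kind][1] += size
    report = {c: {k: tuple(v) for k, v in kinds.items()} for c, kinds in totals.items()}
    return report, skipped

if __name__ == "__main__":
    report, skipped = blind_spot_report(SAMPLE_LOG)
    for client, kinds in sorted(report.items()):
        print(client, kinds)
    print("unparseable lines:", skipped)
```

For the "tunnel" rows the log holds a destination and a size and nothing else, which is the accountability gap described above.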

If you do have an SSL proxy, you get protection from malware, and you have the capability of doing DLP (Data Leakage Protection) on secure connections to prevent loss of confidential data. The downside is that if any end-users are transacting personal business over secure connections, an SSL proxy will store that personal information in its cache. So, if you do implement an SSL proxy, you will need a splash page or acceptance page warning your end-users that SSL is intercepted and inspected, and recommending that they do not transact personal web affairs at work.

So do the pros outweigh the cons for implementing an SSL-intercept proxy? We believe so. It's not worth the risk of getting a drive-by virus or malware from an SSL-encrypted session, and the only downside of an SSL proxy is making sure your end-users are aware of the implications when they access personal information across SSL-encrypted sites.
