Hoping some of the McAfee staff could lay out the truth behind SSL interception? As I'm introducing this product there's quite a bit of hesitation around letting it become a subordinate CA to our AD Enterprise CA, as well as the actual decrypting and encrypting of HTTP traffic.
From past experience with other proxies it was not possible to see the unencrypted SSL with a sniff or log reader, because that all happens either at the NIC level (after decryption and then re-encryption happens) or the logs don't show deep enough into layer 7. Theoretically, could someone get at the unencrypted info, say through a memory dump?
Basically am I right in telling the users that their SSL is safe from an abusive admin? And on top of that does McAfee recommend disabling SSL for categories like banking and webmail?
Coincidentally enough, I had this same conversation with a large bank today. Some of the topics discussed included these, and some of this is my editorialization, of course.
By default with MWG, decrypted traffic is never put back on the wire. Decrypted content is not stored on the disks. Logs can optionally be encrypted on-box, so even the IP, Usernames and URLs are never written in the clear. It makes reporting a pain, but possible.
As a general rule most users will bypass decryption on Banking/Finance, Health, Stocks and a handful of whitelisted sites. But I don't recommend bypassing decryption on webmail. It is a primary vector of infection/leakage.
Typically, there should be an acceptable use policy that spells out the terms of using your network. Create the understanding that you can be watched. Big warning pages when you go to an SSL site with an 'Agree' button to consent to monitoring can be used. I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer. They let the users go to Social Networking sites, but they have informed consent. Is there really privacy on the internet? If there is something you don't want discovered, don't do it. I told my kids when they were 10 & 12 not to expect anything you do on the internet to be considered private, because somewhere, somehow it can be seen by someone. Then I showed them Ethereal (at the time) traces of their AIM messages with their friends to prove it. It's 10+ years later and they still remember that lesson.
The problem of an abusive admin is a carbon-based problem, not a silicon-based one. Separation of functional duties, configuration auditing and strict change control policies help reduce the potential of abuse. Most organizations have these mitigating controls in place to watch the watchers.
It's clearly up to your policy if you want to do it or not. Weigh the risk and benefits. And trust but verify what the admins are doing.
...Just my humble opinion.

Message was edited by: Erik Elsasser on 9/23/10 9:59:05 PM CDT
Regarding your statement:
"I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer."
Could you please give me a hint on how to accomplish such a task? I would really appreciate it.
First create your own image to insert at the top of the page. A JPG, GIF or PNG should suffice. Upload it to the img/ directory where the block pages are. In this example, my image name is monitor.jpg.
Then you have rules that open the HTML tags and insert the <img> tag right after the <body> tag.
You should probably restrict this rule set to only a few categories that you want to warn against, not everything you are proxying. If you want to warn on everything, you should just have a welcome page display once at the beginning of the day instead.
|User Defined Properties|
Here is some of the output I tested:
Message was edited by: Erik Elsasser on 12/28/10 10:22:54 AM CST
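As an added example (my own code, not Erik's MWG7 rule set, which is not reproduced on this page), the following Python sketch shows what such a rule set has to do to each proxied response: decide whether the body is HTML it can read, find the opening <body> tag case-insensitively and with any attributes, insert the <img> tag immediately after it, and recompute Content-Length so the rewritten page is not truncated. Gzip-encoded bodies are decoded and re-encoded around the edit; anything else (images, scripts, JSON, br/deflate bodies) passes through untouched. The banner path /img/monitor.jpg, the alt text, the header names and the sample page are assumptions constructed for the example.

```python
import gzip
import re
from typing import Dict, Tuple

# Constructed banner markup. The image path and alt text are assumptions;
# the post only says the image sits under the block-page img/ directory
# and is called monitor.jpg.
BANNER_HTML = '<img src="/img/monitor.jpg" alt="Monitoring in Progress">'

# Opening <body ...> tag, any case, with or without attributes. Deliberately
# does not match <bodyguard> or similar. A "<body>" inside an HTML comment
# or a script string would still match; that is the usual trade-off of a
# regex rewrite on a proxy and is acceptable for a banner.
BODY_TAG_RE = re.compile(rb"<body(?:\s[^>]*)?>", re.IGNORECASE)

# Content-Encodings this sketch knows how to unwrap and re-wrap.
SUPPORTED_ENCODINGS = ("identity", "gzip")


def inject_banner(body: bytes, banner: str = BANNER_HTML) -> Tuple[bytes, bool]:
    """Insert `banner` right after the first <body> tag of an HTML document.

    Returns (new_body, injected). If there is no <body> tag the body comes
    back unchanged so the caller can leave the headers alone as well.
    """
    m = BODY_TAG_RE.search(body)
    if m is None:
        return body, False
    cut = m.end()
    return body[:cut] + banner.encode("utf-8") + body[cut:], True


def decode_body(encoding: str, body: bytes) -> bytes:
    """Undo Content-Encoding so the HTML can be searched."""
    return gzip.decompress(body) if encoding == "gzip" else body


def encode_body(encoding: str, body: bytes) -> bytes:
    """Re-apply Content-Encoding after the rewrite."""
    return gzip.compress(body) if encoding == "gzip" else body


def rewrite_response(headers: Dict[str, str], body: bytes,
                     banner: str = BANNER_HTML) -> Tuple[Dict[str, str], bytes]:
    """Add the banner to an HTTP response when it is HTML we can decode.

    Header names are matched case-insensitively. Content-Length is
    recomputed because the rewrite changes the body size; leaving the old
    value would truncate the page or stall the client waiting for bytes.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").lower()
    encoding = lower.get("content-encoding", "identity").strip().lower()
    if not ctype.startswith("text/html") or encoding not in SUPPORTED_ENCODINGS:
        # Non-HTML, or a codec we do not handle: pass through untouched.
        # A proxy that wants to rewrite every page strips Accept-Encoding
        # from the request instead of handling every codec on the way back.
        return headers, body

    plain = decode_body(encoding, body)
    new_plain, injected = inject_banner(plain, banner)
    if not injected:
        return headers, body

    new_body = encode_body(encoding, new_plain)
    new_headers = dict(headers)
    for name in list(new_headers):
        if name.lower() == "content-length":
            new_headers[name] = str(len(new_body))
    return new_headers, new_body


if __name__ == "__main__":
    # Constructed sample response, not captured traffic.
    sample = (b"<!DOCTYPE html><html><head><title>t</title></head>"
              b"<BODY class='site'>\n<p>hello</p></body></html>")
    hdrs = {"Content-Type": "text/html; charset=utf-8",
            "Content-Length": str(len(sample))}
    out_hdrs, out_body = rewrite_response(hdrs, sample)
    print(out_hdrs["Content-Length"], out_body.decode())
```

Restricting the rewrite to a few categories, as the post suggests, would be a check on the request's category before calling rewrite_response; the response-side logic above stays the same.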