Mexico Data Loss Prevention User Group

  • 1.  Can HTTPS be monitored with Network Monitor 15.1?

    Posted Nov 20, 2018 10:50 AM

    Hi,

    I have 2 Network Monitor 15.1 detection servers on 2 different core switches, but when checking the incidents, HTTPS incidents are generated without having the HTTPS protocol enabled. Can someone explain to me why it generates this type of incident, or whether in this new version Network Monitor already detects encrypted HTTPS traffic natively?

    Thanks and regards.



  • 2.  RE: Can HTTPS be monitored with Network Monitor 15.1?

    Posted Nov 21, 2018 03:41 AM

    Hi Lothar,

    As HTTPS is encrypted, I can't see any way of this being monitored unless DLP was provided the key for each connection. Could you provide a screenshot example of the incidents being raised?

    This sounds more like a policy triggering something incorrectly; for example, reporting on encrypted traffic, which would create an incident for every HTTPS request leaving the network.

    Thanks



  • 3.  RE: Can HTTPS be monitored with Network Monitor 15.1?

    Posted Nov 23, 2018 12:00 PM

    Hi Lothar,

    DLP Network Monitor does not monitor the HTTPS protocol without another product, like Symantec SSL Visibility, that sends the traffic unencrypted. Could you tell us which DLP detection servers you already have registered on the Enforce server? If you have a DLP Endpoint detection server, you could see HTTPS incidents.



  • 4.  RE: Can HTTPS be monitored with Network Monitor 15.1?

    Posted Nov 23, 2018 02:14 PM
    Ronald is correct—that you’d need a device to provide DLP NetMon with a decrypted feed in order to monitor truly encrypted HTTPS traffic. If you’re seeing “https” on the NetMon and it appears to be plaintext within Enforce vs. encrypted false positive gibberish, then perhaps there’s a misconfigured app out there thinking that it’s sending HTTPS but instead sending plain text HTTP...
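    One way to check the explanation offered above (plaintext HTTP on port 443 rather than real TLS) is to look at the first client bytes of each port-443 flow from a capture taken at the same SPAN/TAP that feeds Network Monitor. The script below is an added example, not code from any poster in this thread or from Symantec DLP. It assumes you have already extracted each flow's first payload bytes (for example from a pcap); the `Flow` type, the `SAMPLE_FLOWS` data and the IP addresses in it are constructed for illustration.

```python
# Added example: triage "HTTPS" incidents by checking whether port-443 flows
# really carry TLS or plaintext HTTP. Not code from this thread or from Symantec DLP.
# Assumes the first client payload bytes of each flow are available (e.g. from a pcap).

from dataclasses import dataclass
from typing import Dict, Iterable, List

# A TLS record starts with a content type byte, then version 0x03 0x00..0x04
# (SSL 3.0 through TLS 1.3 all use major version 3 on the wire).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
# Request lines a plaintext HTTP client would send as its first bytes.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


@dataclass
class Flow:
    """Hypothetical flow record: endpoints, server port and first client bytes."""
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'plaintext-http' or 'unknown' for the first client bytes of a flow."""
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def triage_flows(flows: Iterable[Flow]) -> Dict[str, object]:
    """Count port-443 flows by kind and list the ones a network DLP sensor could
    read as cleartext (the likely source of 'https' incidents with readable content)."""
    counts = {"tls": 0, "plaintext-http": 0, "unknown": 0}
    cleartext_on_443: List[Flow] = []
    for flow in flows:
        if flow.dst_port != 443:
            continue  # only interested in what looks like HTTPS to the sensor
        kind = classify_payload(flow.first_bytes)
        counts[kind] += 1
        if kind == "plaintext-http":
            cleartext_on_443.append(flow)
    return {"counts": counts, "cleartext_on_443": cleartext_on_443}


# Constructed sample flows (not real captures; addresses are documentation ranges).
SAMPLE_FLOWS = [
    # Genuine TLS 1.2 ClientHello on 443: the sensor sees only ciphertext afterwards.
    Flow("10.0.1.15", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03"),
    # Misconfigured client speaking plaintext HTTP to port 443.
    Flow("10.0.1.22", "203.0.113.20", 443,
         b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
         b"Content-Type: text/plain\r\n\r\ncustomer record export"),
    # TLS 1.3 application data record on 443 (still opaque to the sensor).
    Flow("10.0.1.31", "203.0.113.30", 443, b"\x17\x03\x03\x00\x40"),
    # Plain HTTP on port 80: expected cleartext, not relevant to the 443 question.
    Flow("10.0.1.40", "203.0.113.40", 80, b"GET /index.html HTTP/1.1\r\n"),
    # Something else on 443 that is neither TLS nor HTTP.
    Flow("10.0.1.50", "203.0.113.50", 443, b"\x00\x00\x00\x00"),
]


if __name__ == "__main__":
    result = triage_flows(SAMPLE_FLOWS)
    print("port-443 flows by kind:", result["counts"])
    for flow in result["cleartext_on_443"]:
        print(f"cleartext HTTP on 443: {flow.src} -> {flow.dst}")
```

    If the list of cleartext flows is non-empty, the "https" incidents are most likely real content from clients that never negotiated TLS, and the fix is on those clients; if every port-443 flow classifies as `tls`, the incidents are more likely a policy matching on unreadable data, as suggested earlier in the thread.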

