Mexico Data Loss Prevention User Group

Hi,

I have 2 detection servers Network Monitor 15.1 in 2 different core switches but checking the incidents HTTPS are generated without having the HTTPS protocol enabled, someone can explain me why it generates this type of incidents or within this new version it already detects the encrypted traffic HTTPS Network Monitor natively.

Thanks and regards.

Hi Lothar,

 

As HTTPS is encrypted I can't see anyway of this being monitored unless DLP was provided the key for each connection, could you provide a screenshot example of the incidents being raised?

 

This sounds more like a policy is triggering something incorrectly; for example reporting on encrypted traffic which would create an incident for every HTTPS request leaving the network,

 

Thanks

Hi Lothar,

DLP Network Monitor does not monitor HTTPS protocol without another product like Symantec SSL Visibility that send the traffic unencrypted. Could you tell us what DLP detection server you already have registered on the Enforce server? If you have DLP Endpoint detection server, you could see HTTPS incidents.

 

Ronald is correct—that you’d need a device to provide DLP NetMon with a decrypted feed in order to monitor truely encrypted HTTPS traffic. If you’re seeing “https” on the NetMon and it appears to be plaintext within Enforce vs. encrypted false positive gibberish, then perhaps there’s a misconfigured app out there thinking that it’s sending HTTPS but instead sending plain text HTTP...

Ronald is correct—that you’d need a device to provide DLP NetMon with a decrypted feed in order to monitor truely encrypted HTTPS traffic. If you’re seeing “https” on the NetMon and it appears to be plaintext within Enforce vs. encrypted false positive gibberish, then perhaps there’s a misconfigured app out there thinking that it’s sending HTTPS but instead sending plain text HTTP...