Data Loss Prevention

  • 1.  Network Monitor vs network Prevent

    Posted Aug 21, 2012 02:04 PM

    We have the Vontu Network Monitor component deployed, but I am kinda confused about its difference from the Network Prevent module, because it looks like the Network Monitor module is not able to capture any HTTPS traffic; it only works on HTTP. I called Symantec support and they told me I need to license the Network Prevent component to capture HTTPS. The thing is, we don't need any action like blocking on users' HTTPS traffic; just capturing it is fine.



  • 2.  RE: Network Monitor vs network Prevent

    Broadcom Employee
    Posted Aug 21, 2012 02:19 PM

    Yep, Network Monitor does not check HTTPS.



  • 3.  RE: Network Monitor vs network Prevent

    Posted Aug 21, 2012 02:28 PM

    In order to intercept HTTPS you need an ICAP stream from a supported proxy (or use endpoint plugins).  The network monitor just sees raw traffic.

     

     



  • 4.  RE: Network Monitor vs network Prevent

    Posted Aug 21, 2012 03:38 PM

    As Jsneed said, any ICAP proxy will work, but there is a list of which protocols are covered; this is on page 902 of the admin guide. I suggest all of our clients use Blue Coat SG, as it covers HTTP, HTTPS, FTP over HTTP, and FTP proxy. It will also work with the tablet server if you want to use that option later.

    Network can do more than just HTTPS; also take a look, as you can also look for AIM, MSN, Yahoo, Telnet, and SMTP traffic.

     



  • 5.  RE: Network Monitor vs network Prevent

    Posted Aug 23, 2012 04:33 PM

    jsneed and stumnro are correct. To add onto what was said, the key feature you are looking for is an ICAP-compliant proxy that does SSL decryption. The requirement to see HTTPS traffic is that we need to be supplied the decrypted traffic through the proxy itself. We don't natively decrypt the HTTPS traffic ourselves, but with said proxies we can read the traffic in the clear. Implementing a transparent HTTPS proxy isn't quite a simple drop-in-place appliance approach, but it does give the organization some great insight into the traffic for inspection with DLP.



  • 6.  RE: Network Monitor vs network Prevent

    Posted Aug 24, 2012 01:00 AM

    The Blue Coat SG will do as you are asking; this is probably the best option out there, in my opinion. SWG, Webwasher and TMG will do HTTPS also, along with Websense V-Series. The question comes down to: do you want to block FTP also? If this is the case, this, I believe, leaves you with 2 options: Blue Coat or Webwasher. If you have any more questions, drop me a line.



  • 7.  RE: Network Monitor vs network Prevent

    Posted Aug 31, 2012 12:01 AM

    Any HTTPS-intercepting proxy can provide you with a non-encrypted HTTP stream over an ICAP interface. You can then use an ICAP-based capture server to save your streams.
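
An added example, not part of the thread and not Symantec or proxy vendor code: a minimal parser for the ICAP REQMOD message (RFC 3507) that an SSL-decrypting proxy hands to an inspection server, showing that the HTTPS request arrives as plain HTTP. The host names, URL and payload are constructed for illustration.

```python
# Constructed sample: an ICAP REQMOD message (RFC 3507) such as an
# SSL-intercepting proxy could send after decrypting a user's HTTPS POST.
HTTP_BODY = b"note=quarterly-forecast-draft"
HTTP_HDR = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
            b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY))
SAMPLE = (b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\n"
          b"Host: dlp.example.internal\r\n"
          b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(HTTP_HDR)
          + HTTP_HDR
          + b"%x\r\n" % len(HTTP_BODY) + HTTP_BODY + b"\r\n0\r\n\r\n")


def dechunk(data: bytes) -> bytes:
    """Decode the chunked transfer coding ICAP uses for encapsulated bodies."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)          # ValueError if truncated
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return out
        start = eol + 2
        out += data[start:start + size]
        pos = start + size + 2                  # skip the chunk's trailing CRLF


def parse_icap_reqmod(msg: bytes) -> dict:
    """Return the cleartext HTTP request carried inside a REQMOD message."""
    head, _, payload = msg.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, _uri, version = lines[0].split(" ", 2)
    if method != "REQMOD" or version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 REQMOD request")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    # Encapsulated gives the byte offset of each section inside the payload.
    offsets = {}
    for part in headers["encapsulated"].split(","):
        name, _, off = part.strip().partition("=")
        offsets[name] = int(off)
    body_key = "req-body" if "req-body" in offsets else "null-body"
    http_hdr = payload[offsets["req-hdr"]:offsets[body_key]]
    body = dechunk(payload[offsets[body_key]:]) if body_key == "req-body" else b""
    return {"request_line": http_hdr.split(b"\r\n", 1)[0].decode("ascii"),
            "http_headers": http_hdr, "body": body}


if __name__ == "__main__":
    req = parse_icap_reqmod(SAMPLE)
    print(req["request_line"], req["body"])
```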