All the other network traffic was still visible; what happened to the Exchange traffic? The Exchange administrators told us that they had recently upgraded to Exchange 2010, which uses what is called opportunistic TLS to automatically encrypt all traffic between the Exchange server and our spam-filtering mail gateway, in the cloud. In addition, we are slowly migrating our on-premises Microsoft Exchange servers to Microsoft O365, a hosted Exchange environment that also encrypts traffic.
The problem is that our DLP monitors network traffic via a SPAN port and can't see encrypted traffic. I now have to deploy proxies to decrypt the SSL packets, pass the traffic to the DLP for inspection and then re-encrypt the traffic to its destination.
When I discussed this issue with my firewall engineer, he mentioned that our Palo Alto Network (PAN) firewalls could decrypt SSL traffic. That sounded like an easy and inexpensive way to inspect our traffic, but unfortunately, the PANs aren't ICAP-compatible. ICAP, which stands for Internet Content Adaptation Protocol, is the mechanism by which unencrypted SSL traffic is passed to our DLP for inspection. That means that I'm going to have to wait until 2013 to buy another tool, unless I can find a low-cost alternative.
One option we've been thinking about is Squid, which is an open-source proxy. But being open source, Squid doesn't come with any support, so it's not a long-term solution. The one thing that's certain is that we can't continue operating blind.
Join in the discussions about security! computerworld.com/blogs/security
Read more about security in Computerworld's Security Topic Center.