Well - I'm back from my Sukkot vacation and I see that the raw material for the blog is just piling up - so where do we start? Let's start by bashing Web and mail proxies.
The temptation to use an application layer proxy for filtering outgoing content is just too great.
You don't have to worry about sniffing traffic or reconstructing sessions, and you can always build your content monitoring and filtering application on an existing proxy server (like Microsoft ISA Server) or use ICAP to take a stream from someone else.
I've recently been looking closer at commercial CMF/Internet Leakage Prevention/Extrusion Prevention products, like Port Authority Technologies, that use Web and mail proxies. The results are not encouraging and should be a warning light to potential customers to temper the hype from investors and product-manager/marketing types.
Any proxy-based system will have three major shortcomings when compared with a Layer 2 content interception system:
1. If you use forward proxies for mail and HTTP, then by design your product cannot monitor non-proxied traffic, which is characteristically 20-30% of all outgoing network traffic. The customer doesn't know what data is actually leaking, since the proxy lacks visibility into it. Based on live operations at some of my customers, a typical implementation starts with a list of 10-20 IP addresses that are authorized to bypass the mail and Web proxy servers; however, within 48 hours of operation the number blossoms by a factor of 10x or more.
2. A forward proxy only monitors outgoing traffic. In other words, if a user extrudes sensitive data using an HTTP GET (by placing the sensitive data in the query string), the proxy is incapable of identifying the event and cannot mitigate the threat. Think about using AJAX and a Web proxy for cross-domain XMLHttpRequest calls: the browser GETs a page, then does an XMLHttpRequest to the server, and the server then forwards your data anywhere it likes, making the fancy six-figure Internet Leakage Prevention appliance totally worthless, since it doesn't process GET requests, only POSTs.
3. Transparent proxies like Port Authority or Blue Coat require that all traffic come from authenticated Microsoft Windows network users. This means they cannot monitor Linux / Unix / AS400 networks and cannot monitor rogue users on the network, such as custom spyware.
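To make point 2 concrete from the monitoring side, here is an added example (not code from the original post or from any of the products named) that models a POST-body-only filter next to one that also inspects the percent-decoded query string of every request. The request records and the SSN-style pattern are constructed sample data, not a real rule set.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample requests as (method, url, body); not taken from any real proxy log.
SAMPLE_REQUESTS = [
    ("POST", "http://example.invalid/upload", "ssn=123-45-6789"),
    ("GET", "http://example.invalid/track?ssn=123-45-6789&x=1", ""),
    ("GET", "http://example.invalid/t?d=123%2D45%2D6789", ""),  # percent-encoded hyphens
    ("GET", "http://example.invalid/news?page=2", ""),
]

# Deliberately simple sensitive-data pattern (US SSN shape) standing in for a CMF rule.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def post_only_monitor(method, url, body):
    """Model of a filter that inspects POST bodies only: every GET passes unseen."""
    return method == "POST" and bool(SSN_RE.search(body))


def full_monitor(method, url, body):
    """Inspect the body and the decoded query string of every request, GET included."""
    if SSN_RE.search(body):
        return True
    # parse_qs percent-decodes values, so %2D becomes '-' before the pattern is applied;
    # matching the raw URL string would miss the encoded variant.
    query = parse_qs(urlparse(url).query)
    return any(SSN_RE.search(v) for values in query.values() for v in values)


def compare(requests):
    """Return (method, url, flagged_by_post_only, flagged_by_full) for each request."""
    return [(m, u, post_only_monitor(m, u, b), full_monitor(m, u, b)) for m, u, b in requests]


if __name__ == "__main__":
    for method, url, post_only, full in compare(SAMPLE_REQUESTS):
        print(f"{method:4} {url:55} post-only={post_only!s:5} full={full}")
```

Only the POST is caught by the first monitor; both GET variants that carry the pattern are caught only once the query string is decoded and inspected.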
I suppose - you might say - they don't "GET" it....
