Educause Security Discussion mailing list archives

Re: Query: internet browsing logs


From: "Scantlin, Aaron J." <ScantlinA () MISSOURI EDU>
Date: Thu, 11 Oct 2018 13:38:33 +0000

MU also uses a Firepower device in a manner Frank described.  For malicious HTTP sites, we can block just the link we 
received or, if payloads appear to be user-specific, we can block the domain entirely.  HTTPS blocking gets a little 
trickier; we have to use the domain's SNI and block it at the DNS layer since we don't have a TLS inspection policy 
set up.


Cloudflare's recent post about encrypting SNI has me concerned about this method we (and presumably a lot of Higher Ed 
institutions) use... I am all for increasing privacy, but concerned that this move might force orgs down the TLS 
inspection route...


https://blog.cloudflare.com/esni/

Encrypting SNI: Fixing One of the Core Internet Bugs (blog.cloudflare.com)

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA
University of Missouri, Columbia
(W) +1-573-884-7555
(C)   +1-573-424-0539
scantlina () missouri edu

"Let he who hasn't accidentally rebooted their entire production environment cast the first stone." -mersh547

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton 
<bartonf () HUSSON EDU>
Sent: Thursday, October 11, 2018 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Query: internet browsing logs

Roshan, In order to capture the URL for https traffic, you have to Man-In-The-Middle the SSL session, which would also 
give you access to the contents. There are privacy and compliance concerns around that, as if you MITM everything, you 
will also see banking sessions, online shopping and credit card numbers, etc.

We use Cisco Firepower, which will log the full HTTP url, and a hostname for HTTPS queries.

Frank

On Thu, Oct 11, 2018 at 9:23 AM Roshan Harneker <roshan.harneker () uct ac za> wrote:
Hi,

We have a requirement to be able to collate internet browsing logs that will also be able to provide us with detail 
around URLs visited especially when forensic investigations are requested. We don’t have a requirement to view the 
website contents, just websites visited. In the past TMG was used as a proxy but since so much traffic is now 
SSL-based, I wanted to know what other universities are using to capture HTTP/HTTPS traffic information and being able 
to tie each URL visited to an identity.

Regards,
Roshan

Roshan Harneker
Senior Manager: Information and Cybersecurity Services
Information & Communication Technology Services (ICTS)
University of Cape Town
Phone: 021 650 3658
roshan.harneker () uct ac za
https://csirt.uct.ac.za

Disclaimer - University of Cape Town This email is subject to UCT policies and email disclaimer published on our 
website at http://www.uct.ac.za/main/email-disclaimer or obtainable from +27 21 650 9111. If this email is not related 
to the business of UCT, it is sent by the sender in an individual capacity. Please report security incidents or abuse 
via https://csirt.uct.ac.za/page/report-an-incident.php.


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
