Educause Security Discussion mailing list archives
Re: Query: internet browsing logs
From: "Scantlin, Aaron J." <ScantlinA () MISSOURI EDU>
Date: Thu, 11 Oct 2018 13:38:33 +0000
MU also uses a Firepower device in a manner Frank described. For malicious HTTP sites, we can block just the link we received or, if payloads appear to be user-specific, we can block the domain entirely. HTTPS blocking gets a little trickier; we have to use the domain's SNI and block it at the DNS layer since we don't have a TLS inspection policy set up.

Cloudflare's recent post about encrypting SNI has me concerned about this method we (and presumably a lot of Higher Ed institutions) use... I am all for increasing privacy, but concerned that this move might force orgs down the TLS inspection route...

https://blog.cloudflare.com/esni/

Aaron J. Scantlin
Security Analyst, Division of IT
GSEC, GCFA
University of Missouri, Columbia
(W) +1-573-884-7555
(C) +1-573-424-0539
scantlina () missouri edu

"Let he who hasn't accidentally rebooted their entire production environment cast the first stone." -mersh547

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Sent: Thursday, October 11, 2018 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Query: internet browsing logs

Roshan,

In order to capture the URL for https traffic, you have to Man-In-The-Middle the SSL session, which would also give you access to the contents. There are privacy and compliance concerns around that, as if you MITM everything, you will also see banking sessions, online shopping and credit card numbers, etc.

We use Cisco Firepower, which will log the full HTTP url, and a hostname for HTTPS queries.

Frank

On Thu, Oct 11, 2018 at 9:23 AM Roshan Harneker <roshan.harneker () uct ac za> wrote:

Hi,

We have a requirement to be able to collate internet browsing logs that will also be able to provide us with detail around URLs visited especially when forensic investigations are requested. We don’t have a requirement to view the website contents, just websites visited.

In the past TMG was used as a proxy but since so much traffic is now SSL-based, I wanted to know what other universities are using to capture HTTP/HTTPS traffic information and being able to tie each URL visited to an identity.

Regards,
Roshan

Roshan Harneker
Senior Manager: Information and Cybersecurity Services
Information & Communication Technology Services (ICTS)
University of Cape Town
Phone: 021 650 3658
roshan.harneker () uct ac za
https://csirt.uct.ac.za

Disclaimer - University of Cape Town This email is subject to UCT policies and email disclaimer published on our website at http://www.uct.ac.za/main/email-disclaimer or obtainable from +27 21 650 9111. If this email is not related to the business of UCT, it is sent by the sender in an individual capacity. Please report security incidents or abuse via https://csirt.uct.ac.za/page/report-an-incident.php.

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
Current thread:
- Query: internet browsing logs Roshan Harneker (Oct 11)
- Re: [EXTERNAL] [SECURITY] Query: internet browsing logs Adam Maynard (Oct 11)
- Re: [EXTERNAL] [SECURITY] Query: internet browsing logs Ronald King (Oct 11)
- Re: [EXTERNAL] [SECURITY] Query: internet browsing logs Brian Epstein (Oct 11)
- Re: [EXTERNAL] [SECURITY] Query: internet browsing logs Ronald King (Oct 11)
- Re: Query: internet browsing logs Frank Barton (Oct 11)
- Re: Query: internet browsing logs Scantlin, Aaron J. (Oct 11)
- Re: Query: internet browsing logs Kevin Wilcox (Oct 11)
- Re: [EXTERNAL] [SECURITY] Query: internet browsing logs Adam Maynard (Oct 11)