ScanSafe offering?

Was just forwarded (by my manager) this page from Cisco:

Cisco ScanSafe Cloud Web Security - Products & Services - Cisco Systems

Looks like Cisco bought ScanSafe and added their services. Looks interesting... send everything outbound, and redirect all remote access / vpn, to the ScanSafe cloud, for them to analyze the traffic for malware.

Anyone looked at this yet? I like being able to hand stuff off... especially vulnerability stuff like viruses/adware/spyware/etc/etc/etc. However, if having a couple Cisco 4240 IPS's has taught me anything, it's that when you run a web prescence / data center, you need to have some measure of control, as internal developers occassionally code something that creates a false positive. I have probably, in the last three years, had to disable a dozen rules that impacted business... due to the poor coding habits of our developers.

I wonder what would happen with an out-sourced / cloud-based solution as this one.

Anyone used ScanSafe? or know someone who has?

Find more posts tagged with

Comments

instant000

As I remember it, anything that proxies SSL traffic has to be performing a man-in-the-middle attack on the traffic.

If you provide this service on site, then you have a greater measure of control over this than if you let this service be provided by someone off-site.

Now, if the SSL proxy technology has advanced beyond this point, then please educate me, so that I know better.

unclerico

No, you're correct. It's the principles of PKI. The sender will get the receivers public key and use it to encrypt the traffic. The receiver will apply its private key to decrypt the traffic. The only way a device that is not the actual destination could do that is if it does a MIM attack. The proxy hosts will have an in-built CA and will generate certificates on the fly. Once you have trusted the root cert being supplied by the proxy device you will initiate the SSL connection with the proxy, the proxy will decrypt the traffic, analyze it, and will take action on it according to your policies. If the traffic is in profile the proxy will initiate an SSL connection to the original destination. it is quite simple and a very good reason why all browsers will bring up a security warning if the certificate being presented is not trusted because that's how MIM attacks are carried out.