Di_Junior
Silver

Check Point HTTPS Inspection Concerns

Dear Mates

We wish to enable HTTPS inspection on our environment, but there are some privacy concerns. That's why I am writing this post to get some feedback from the community. I am not worried about how it is done; I would like to know the answers to the questions below:

  1. If I access for example hotmail.com, is it possible to see the user credentials (username and password) on the logs?
  2. Is the inspected information stored on the gateway? For how long? Or is the information no longer visible after the inspection is done by the gateway?

There is currently a need to get HTTPS inspection working, but I need to have answers to questions that may be raised at the C level. We intend to start with the Outbound Inspection first.

Thanks in advance

0 Kudos
5 Replies
Danny
Pearl

Re: Check Point HTTPS Inspection Concerns

1 - No user credentials are shown in the logs.

2 - You can't see the decrypted information on the gateway and it's not stored at all, only handled by the processes during inspection.

Di_Junior
Silver

Re: Check Point HTTPS Inspection Concerns

Thanks @Danny

That is great, this feedback gives me peace of mind.

However, sk108202 says: The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in a log.

Any comments on that?
0 Kudos
Admin
Admin

Re: Check Point HTTPS Inspection Concerns

Whatever data you can see today for unencrypted traffic, you'll be able to see for encrypted traffic.
For example, if you're using App Control/URL Filtering, you'll be able to see the full HTTPS URLs that people surf to in the logs.
It won't log things like usernames/passwords or other PII unless you're specifically looking for certain things with DLP and/or Content Awareness.
0 Kudos

Re: Check Point HTTPS Inspection Concerns

It would be nice to have a statement from Check Point on how the clear text data is protected while doing HTTPS Inspection. I guess that at some point it is "accessible" in memory, at least for some daemons.

Having said that, and knowing Check Point's philosophy, I'm pretty sure that it's not accessible by users.

In the end it all depends on your C level of psychosis (AKA risk tolerance). If we speak about risk, not having HTTPS Inspection is far riskier than worrying about credential sniffing in a hardened OS that performs that function.

Remember that you can bypass various categories.

___

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Admin
Admin

Re: Check Point HTTPS Inspection Concerns

There is one situation where the cleartext of an HTTPS connection is definitely accessible: when using the Mirror and Decrypt function in R80.20+.
This will "mirror" all traffic (including decrypted HTTPS traffic) to a specific port on the device.
This is needed to enable other devices to log the contents of specific traffic, which certain regulatory frameworks require.

Obviously, if a nefarious person has access to your Security Gateway, whether it's doing this or not, you've got much bigger issues to worry about.
0 Kudos