All IDS or IPS appliances do this. Running something open source like Snort or Suricata? It's "MitMing" you, too. (More accurately "Man-on-the-Side'ing" for most installations, since they're typically IDS and not IPS, but I'm just using the same alarmist term you did to make my point.)
All "smart firewalls" (sometimes dubbed "nextgen firewalls" by marketing departments) do this. If your network uses firewalls from Palo Alto, that firewall is doing nearly the exact same things as this Fidelis appliance. Either most of the same features, or all of the same if you pay a little extra.
All proxies do this, except only for 80/443.
All host IDS agents do this as well.
>(and is already done, indirectly and efficiently by chrome for instance)
Chrome isn't going to detect your machine beaconing out via malware that's already installed. Chrome just has lists of bad URLs and URL paths. Chrome's security features certainly provide another useful layer of protection, but they are not nearly sufficient as a malware or intrusion detection system by themselves.
This article is FUD, in my opinion, for singling out just this specific appliance as if it's somehow more invasive than all the other gear on a typical large network. If you want to make an article about how packet inspection is bad in general, go ahead, but I think that war has been lost. If you're using someone else's network and computers, I don't think you should have a problem with a device checking the packets your computer sends and receives to see if they match specific regex or byte patterns.
It's true that a proprietary appliance is going to be a bit more of a black box with exactly how it processes traffic, compared to an open source solution, but often the signature lists themselves are accessible and configurable by the customer. Sometimes the actual signature content is visible as well.
Systems like these are absolutely necessary to help prevent breaches, as long as there are competent internal employees who can make full use of them. Perhaps an open source system will be a little bit better privacy-wise, on the off chance the proprietary solution you're using is secretly doing something malicious or sending sensitive traffic elsewhere on the Internet, though if it were, the scandal would likely greatly harm or ruin the company.
For bureaucrats in their cubicles, yes, this is normal corporate network management. You have no expectation of privacy at work; if you want that, go home.
As a student, though, the university is also your home ISP. And the public WiFi at the coffee shops, libraries, etc. In this context, reading your users' email is way less okay.
Don't think of UCB IT as the BigCo IT department, but as Comcast.
> This is how all network security appliances work.
This does not mean "network security appliances" are a good way to address security though. They're just something that companies peddling security products have successfully marketed to privacy-insensitive corporate IT departments.
Many are snake oil or overhyped, but it's generally accepted by professionals that a proper IDS or IPS appliance is helpful as an additional layer. Those alone aren't nearly sufficient; many many layers are required. But they do add value.
You could make the same argument about anti-virus (IDS is really just network anti-virus), and while it's true, it's also true that it's a good idea to put AV on all your endpoints.
They might be accepted as helpful in some situations, but many security professionals would weigh the privacy against added help and recommend against them in this context.
Many, hopefully most, security professionals would also disagree with requiring AV on all endpoints.
(Industry practices generally aren't a good guideline, and many IT security professionals are incompetent and/or powerless to do anything besides babysit security products that just create work and increase complexity. Witness the prevalence of large corporate "intranets" with centralised firewalls, and soft chewy insides...)
>They might be accepted as helpful in some situations, but many security professionals would weigh the privacy against added help and recommend against them in this context.
I strongly disagree that there's any privacy loss. Internal IT staff could look at your browser history and traffic if they really want to anyway (and often they are required to in specific circumstances). Why is getting IDS alerts somehow worse than this?
I would have an issue with my ISP deploying a universal IDS, but it's a different story for my employer.
>Many, hopefully most, security professionals would also disagree with requiring AV on all endpoints.
There are certainly much better endpoint protection solutions, like whitelisting agents or virtualizing everything, but those are typically difficult to deploy in a large enterprise. Are you suggesting an enterprise should have no endpoint protection at all? If better anti-malware solutions aren't an option, you need something in the meantime. It'd be rather embarrassing if your entire network gets hit with a worm circa 2005 because you have no AV and it slipped past your other controls.
I don't run AV on my home computers, but I am very glad it's deployed on my company's endpoints.
> I strongly disagree that there's any privacy loss. Internal IT staff could look at your browser history and traffic if they really want to anyway
They could, but then they would be doing naughty things (possibly breaking the law).
Also the relationship in academia between scientists/research groups and their host organization's administrative staff is often very different than the relationship between the typical corporate drone in an enterprise and the IT department.
In this case we see that the staff is revolting because of just this issue.
Re the "AV on all endpoints" question, I'm referring to possibilities outside the typical enterprise IT swamp. Increasingly endpoints aren't Windows PCs. Sometimes you don't have any of those.
What I call MITMing is decrypting the payload by impersonating the server (or the client if needed), often with the help of a corporate browser that has been instructed to trust this lie.
Most network security appliances do not work like that, and merely listen to the traffic (usually mirrored, no need to be in the middle).
Pretending that this is OK is like pretending that it is OK to send passwords in plain text because "only a bunch of competent professionals could intercept them".
Anyway, Google have proven that this practice can be detected on the server and I'm confident HSTS+such server side detection will make this practice nothing but a waste of money within a few years.
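An added example (not posted by any commenter in this thread) that ties together two points made above: the earlier comment that a sensor only checks packets against "specific regex or byte patterns", and this comment's distinction between a passive tap on mirrored traffic and a true MITM that decrypts. The toy sensor below matches Snort-style content/regex signatures against plaintext, reads only the cleartext SNI from a TLS ClientHello (no impersonation, no decryption), and treats TLS application data as opaque. The packets, signatures, hostnames and the minimal ClientHello builder are all constructed for the example; the denylisted hostname is a placeholder, not a real indicator.

```python
"""Toy passive network sensor, modelled loosely on a Snort/Suricata box on a mirror port.
Everything below (packets, signatures, hostnames, ClientHello layout) is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Hypothetical signatures over plaintext payloads: (name, dst port, byte pattern, regex),
# in the spirit of Snort's "content:" and "pcre:" options.
PLAINTEXT_SIGNATURES = [
    ("legacy IE6 user-agent beacon", 80, b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0", None),
    ("long base64 blob in GET path", 80, None, re.compile(rb"GET /[A-Za-z0-9+/]{40,}={0,2} HTTP")),
]

# Hostnames flagged via SNI: constructed placeholder, not a real IoC.
SNI_DENYLIST = {"c2.bad.example"}


def match_plaintext(pkt: Packet) -> list[str]:
    """Match byte-pattern and regex signatures against an unencrypted payload."""
    hits = []
    for name, dport, content, pcre in PLAINTEXT_SIGNATURES:
        if pkt.dport != dport:
            continue
        if content is not None and content in pkt.payload:
            hits.append(name)
        elif pcre is not None and pcre.search(pkt.payload):
            hits.append(name)
    return hits


def extract_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None if this is not one.
    SNI travels in the clear (absent ECH), so a passive tap reads it without MITM."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                     # record hdr, hs hdr, version, random
        p += 1 + payload[p]                                # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
        p += 1 + payload[p]                                # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(payload[p:p + 2], "big")
            elen = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                                 # server_name extension
                name_len = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except IndexError:
        pass
    return None


def inspect(pkt: Packet) -> dict:
    """What a passive sensor can see for one mirrored packet."""
    if pkt.payload[:1] == b"\x17":                         # TLS application data: ciphertext
        return {"visibility": "encrypted", "sni": None, "alerts": []}
    sni = extract_sni(pkt.payload)
    if sni is not None:                                    # handshake metadata only
        alerts = [f"SNI on denylist: {sni}"] if sni in SNI_DENYLIST else []
        return {"visibility": "metadata", "sni": sni, "alerts": alerts}
    return {"visibility": "plaintext", "sni": None, "alerts": match_plaintext(pkt)}


def build_client_hello(host: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension (constructed)."""
    name = host.encode()
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"             # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed mirrored traffic: a plaintext beacon, two TLS handshakes, one TLS data record.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", 80,
           b"GET /QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w HTTP/1.1\r\n"
           b"Host: 203.0.113.9\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    Packet("10.0.0.5", "198.51.100.20", 443, build_client_hello("updates.example")),
    Packet("10.0.0.7", "198.51.100.21", 443, build_client_hello("c2.bad.example")),
    Packet("10.0.0.7", "198.51.100.21", 443, b"\x17\x03\x03\x00\x10" + bytes(range(16))),
]


def run_demo() -> list[dict]:
    return [inspect(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, res in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {res['visibility']:9}  "
              f"sni={res['sni']}  alerts={res['alerts']}")
```

The point the output makes: the plaintext HTTP beacon trips both signatures, the two handshakes yield only a hostname (one of them denylisted), and the application-data record yields nothing at all. Getting at that last payload is exactly the step that requires impersonating the server with a trusted corporate CA, which is what separates a mirror-port IDS from an interception proxy.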