During my work with a lot of customers I keep hearing the following questions very often:
What is the difference between Network Monitor and Network Prevent?
Do I need both Network Monitor and Network Prevent?
Can I have Network Monitor and Network Prevent together?
So I decided to write an article on this. Let's start with the technical difference between Network Monitor and Network Prevent.
Network Monitor is technically a sniffer: it parses incoming packets (from a mirror/SPAN port or a network tap) for content that matches the policies you create. Because it only sees a copy of the traffic, it cannot take any preventive action.
Network Prevent for SMTP is a streaming SMTP proxy that sits between an upstream MTA (such as a Microsoft Exchange Edge server) and a downstream MTA (such as Symantec Mail Gateway) when deployed in forwarding mode. It may also be deployed in reflect mode, where it returns the email to the sending MTA. Irrespective of the deployment mode, it only relays SMTP commands (and data) between the two MTAs and is not a true SMTP proxy or MTA. It inspects the content against the policies you have created, and because it is placed inline it can block or modify the SMTP conversation.
Network Prevent for Web acts as an ICAP server. It parses the ICAP traffic it receives for content that matches the policies and has several ICAP responses at its disposal, including block. It relies on the web proxy to send it traffic for inspection.
Now that we have seen the technical differences, let's move on to who needs what, and when.
Network Monitor is needed in the following scenarios even when there is Network Prevent in the environment:
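A minimal model of the ICAP REQMOD exchange described above, added here as an example and not Symantec's code: a constructed request from a web proxy carrying an HTTP POST is inspected against a constructed policy pattern, and the ICAP server answers 204 (deliver unchanged) or 200 with a replacement 403 response (block). The policy pattern, hostnames and single-chunk body handling are assumptions; ICAP Preview and Allow: 204 negotiation are omitted.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed policy: one detector for a 16-digit card-like number (not Symantec's rules).
POLICY = {"card-number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}
BLOCK_BODY = b"Blocked by DLP policy.\n"

def chunked(data: bytes) -> bytes:
    """Encode a body as a single ICAP/HTTP chunk plus terminator (RFC 3507)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)

def build_reqmod(post_body: bytes) -> bytes:
    """Constructed REQMOD request as a web proxy would send it (hostnames assumed)."""
    http_req = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
                b"Content-Length: %d\r\n\r\n" % len(post_body))
    return (b"REQMOD icap://dlp.example.test/reqmod ICAP/1.0\r\nHost: dlp.example.test\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_req)
            + http_req + chunked(post_body))

def parse_icap(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an ICAP request into method, ICAP headers and the encapsulated HTTP body."""
    head, _, encap = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    # The Encapsulated header gives byte offsets of each section; only the request body matters here.
    offsets = dict(p.split("=", 1) for p in headers.get("encapsulated", "").split(", ") if "=" in p)
    body = b""
    if "req-body" in offsets:
        size_line, _, rest = encap[int(offsets["req-body"]):].partition(b"\r\n")
        body = rest[: int(size_line, 16)]  # one chunk is enough for this model
    return method, headers, body

def inspect(body: bytes) -> Optional[str]:
    """Return the name of the first policy detector that matches, else None."""
    text = body.decode("utf-8", "replace")
    return next((name for name, rx in POLICY.items() if rx.search(text)), None)

def icap_respond(raw: bytes) -> bytes:
    """Act as the ICAP server: 204 lets the proxy forward unchanged, 200 replaces the request."""
    method, _, body = parse_icap(raw)
    if method != "REQMOD":
        return b"ICAP/1.0 405 Method Not Allowed\r\n\r\n"
    if inspect(body) is None:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    http_res = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n" % len(BLOCK_BODY))
    return (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-policy-1\"\r\n"
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_res)
            + http_res + chunked(BLOCK_BODY))
```

The contrast with Network Monitor is the return path: a sniffer could run the same inspect() over a mirrored copy, but it has no proxy waiting for a verdict and therefore nothing to block.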
To monitor email traffic not routed via email gateways covered by Network Prevent
To monitor web traffic not routed via web proxies covered by Network Prevent
To monitor email and web traffic passing through email gateways and web proxies that cannot be integrated with DLP for various technical reasons
To monitor IM, P2P traffic and file copies
To monitor any other interesting clear-text TCP/IP traffic carried over custom protocols
To quickly deploy DLP passively in an environment while you design and work on Network Prevent
To do a risk analysis that builds a case for DLP, or otherwise
To monitor rogue email and web traffic
Network Prevent (Email Prevent and Web Prevent) is needed in the following scenarios even if there is a Network Monitor:
To have block/quarantine capability for email and web traffic.
To monitor encrypted email and web traffic.
In a practical scenario, Network Monitor can be deployed to cover traffic that bypasses the email and web gateways protected by Network Prevent, providing added coverage for some of the risks discussed earlier. So any organization can have both Network Monitor and Network Prevent. However, organizations where the risks of rogue email and web traffic, and of non-email/web traffic, are adequately covered by other controls or are acceptable may decide not to deploy Network Monitor alongside Network Prevent.