Enterprise Threat Protector Proxy

In addition to identifying and mitigating DNS threats, Enterprise Threat Protector (ETP) can protect an enterprise network from threats that target HTTP or HTTPS traffic.

Akamai ETP Proxy analyzes suspicious HTTP and HTTPS traffic. Beyond the domain, the proxy examines the full URL of each request to identify threats. If your enterprise is licensed for ETP Advanced Threat, you can also perform payload analysis, which runs malware scanners against the content a website returns to determine whether it is safe to access.

You can enable this feature in a policy configuration. To enable the proxy, see Enable ETP Proxy.

  • Before enabling ETP Proxy, deploy the trusted certificate authority (CA) certificate to the devices whose traffic will be proxied, such as laptops or mobile phones. Without it, browsers on those devices will not trust the certificates the proxy presents.
  • If your organization has separate networks for guest and managed devices, configure those networks as two separate locations in ETP. This ensures that each network’s traffic is mapped to a different public IP address. You can then enable ETP Proxy in the network with managed devices and leave ETP Proxy disabled in the network with guest devices.

Network Flow of ETP Proxy

This graphic illustrates how the proxy functions in a network:

When ETP Proxy is enabled, the corporate resolver forwards DNS requests to ETP, where they are handled by the ETP network in the closest geographic region. Based on the configured policy, if the action assigned to the requested domain is Block, Classify, or Monitor, ETP DNS answers with the IP address of ETP Proxy instead of the origin. The resolver caches that answer, so all traffic for the suspicious domain is sent to the proxy.

You configure the ETP proxy to function in one of these modes:

  • Detection Mode. Applies when an administrator selects the Monitor action. Traffic is not blocked, but an event is recorded and alerts are generated for the security event.
  • Prevention Mode. Applies when an administrator selects the Block action. The identified threat is blocked.

When ETP Threat Intelligence suspects that a domain hosts suspicious URLs, all traffic for that domain is sent to ETP Proxy, but only the specific URLs that match are blocked, monitored, or analyzed according to the established policy. A website that is not a suspected threat, or whose category is assigned the Allowed action, bypasses the proxy. For example, in the graphic above, the safe website is not inspected by ETP Proxy and the request is resolved directly.

A number of checks are performed to determine how suspicious traffic is handled:

  • ETP confirms that the request comes from an IP address that is registered as a location for your organization. If the IP address is unknown, the request is dropped.
  • If the IP address is known, the destination port is checked to confirm that port 443 or 80 is used. Traffic to any other port is dropped.
  • For port 443, the Transport Layer Security (TLS) Server Name Indication (SNI) value is extracted from the ClientHello and ETP connects to the origin server using that hostname.
  • For port 80, traffic is likely HTTP. ETP extracts the hostname from the Host header in the HTTP request.
  • If the hostname cannot be extracted or identified, the end user is shown an error page.
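The five checks above, written out as an added example that is not Akamai's product code or documentation: it applies them in order to a connection's source address, destination port and first bytes, parses the SNI from a TLS ClientHello on port 443 and the Host header on port 80, and maps each failure to the outcome the text describes. The registered-location ranges, the ClientHello builder and the sample requests are assumptions constructed for the example.

```python
"""Added example, not Akamai's product code: the front-end checks described above,
applied to a forwarded connection's source IP, destination port and first bytes.
Assumed (not from the page): the registered-location ranges, the ClientHello
builder and the sample requests, all constructed here for illustration."""
import ipaddress
import struct

# Constructed: public IP ranges registered as locations for the organization.
REGISTERED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24"),
                        ipaddress.ip_network("198.51.100.7/32")]

def source_is_registered(src_ip: str) -> bool:
    """Check 1: the client address must belong to a registered location."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in REGISTERED_LOCATIONS)

def extract_sni(data: bytes):
    """Port 443: return the SNI host_name from a TLS ClientHello, or None."""
    try:
        if len(data) < 5 or data[0] != 0x16:        # record type 0x16 = handshake
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:            # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32                              # header, client_version, random
        p += 1 + hs[p]                              # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                              # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:                         # walk the extensions
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            body, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type != 0:                       # 0 = server_name
                continue
            q = 2                                   # skip server_name_list length
            while q + 3 <= len(body):
                name_type, name_len = body[q], struct.unpack("!H", body[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                  # host_name entry
                    return body[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                 # truncated or malformed

def extract_host_header(data: bytes):
    """Port 80: return the hostname from the Host header of an HTTP request, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                                 # header block incomplete or not HTTP
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:              # request line: METHOD target HTTP/x.y
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1").lower()
            if host.startswith("["):                # IPv6 literal: [addr]:port
                return host[1:host.find("]")] or None
            return host.split(":")[0] or None
    return None

def classify_connection(src_ip: str, dst_port: int, first_bytes: bytes):
    """Apply the checks in order; returns (outcome, hostname)."""
    if not source_is_registered(src_ip):
        return ("drop", None)                       # unknown source IP: dropped
    if dst_port == 443:
        host = extract_sni(first_bytes)
    elif dst_port == 80:
        host = extract_host_header(first_bytes)
    else:
        return ("drop", None)                       # only ports 80 and 443 are accepted
    if host is None:
        return ("error_page", None)                 # hostname could not be extracted
    return ("connect", host)                        # proxy connects to the origin for host

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying SNI."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    other_ext = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"         # ec_point_formats
    exts = other_ext + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)  # version, random, sid, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for src, port, data in [
        ("203.0.113.10", 443, build_client_hello("suspicious.example")),
        ("203.0.113.10", 80, b"GET /a HTTP/1.1\r\nHost: suspicious.example:80\r\n\r\n"),
        ("192.0.2.1", 443, build_client_hello("suspicious.example")),   # unregistered source
        ("203.0.113.10", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),    # plaintext on 443
    ]:
        print(src, port, classify_connection(src, port, data))
```

The parser only reads what is in the clear: a ClientHello that is truncated, split across records, or that carries the name only inside an Encrypted Client Hello extension yields no hostname, which is the case the error-page outcome exists for.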

The following conditions apply:

  • The proxy acts as a man-in-the-middle to intercept TLS/SSL traffic. An ETP super administrator generates an Akamai certificate or a certificate signed by their company's Certificate Authority (CA), and an IT or Desktop administrator deploys that CA certificate across the enterprise network. This establishes trust between the client (browser) and the proxy: for each intercepted hostname, ETP Proxy dynamically generates a short-lived certificate signed by that CA and presents it to the client, while it opens its own TLS connection to the destination server. For more information, see ETP Proxy as a TLS intermediary.
  • ETP Proxy inspects the URL path of the request and checks whether the URL is a known threat. If it is, the request is handled according to the policy action assigned to the threat category (Malware, C&C, or Phishing). If the request is not blocked, ETP Proxy forwards it to the origin server and returns the response to the client.
    Note: To prevent the inspection of specific domains (for example, a known web site), ETP administrators can configure a custom list and assign the Allow policy action.
  • Some limitations apply to traffic that’s forwarded to ETP Proxy. For a list of limitations or unsupported features, see Limitations of ETP Proxy.
  • If your network already contains an on-premise proxy, the ETP proxy can work with the internal proxy without requiring significant changes to your network. For more information, see Support of an on-premise HTTP forward proxy.
  • The ETP Dashboard, Event Analysis, and Activity pages allow ETP administrators to review and analyze HTTP and HTTPS threat events, ETP Proxy and network activity, and AUP events. On the Event Analysis page, an ETP administrator can update the established policies and, if necessary, allow blocked traffic by adding a URL to the Allow quick list.
Note: When a company uses a VPN to secure communications between a field office and company headquarters, the headquarters is typically configured as a location in the policy. If the field office is also configured as a separate location, ensure that the policies associated with these locations do not have conflicting settings.
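The URL-level handling described in the conditions above (domains on a custom Allow list are not inspected, only the specific URLs on a suspicious domain are acted on, Block versus Monitor, and the Allow quick list), as an added example that is not Akamai's product code or documentation. The threat list, policy actions, custom allow list, and quick list are constructed for illustration, and the normalization and prefix-matching logic is the example's own, not a description of how ETP matches URLs.

```python
"""Added example, not Akamai's product code: URL-level disposition of a request
that reached ETP Proxy, following the conditions above.
Assumed (not from the page): the threat URL list, the policy actions, the custom
allow list and the Allow quick list, all constructed here for illustration."""
import posixpath
from collections import namedtuple
from urllib.parse import unquote, urlsplit

# Constructed threat intelligence: host -> {URL path prefix: threat category}.
# Only these paths are threats; the rest of each host is clean but still proxied.
THREAT_URLS = {
    "cdn.example": {"/downloads/update.exe": "Malware"},
    "login-secure.example": {"/account/verify": "Phishing"},
    "beacon.example": {"/": "C&C"},                  # whole host is a C&C endpoint
}
# Constructed policy: action per category (Block = prevention, Monitor = detection).
POLICY = {"Malware": "Block", "C&C": "Block", "Phishing": "Monitor"}
# Constructed custom list assigned the Allow action: never inspected by the proxy.
CUSTOM_ALLOW_DOMAINS = {"intranet.example"}
# Constructed Allow quick list: URLs an administrator unblocked from Event Analysis.
ALLOW_QUICK_LIST = {"login-secure.example/account/verify/faq"}

Decision = namedtuple("Decision", "disposition category url")

def normalize(url: str):
    """Canonical host and path so obfuscated spellings match the same entry."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    path = posixpath.normpath(unquote(parts.path or "/"))   # decode once, collapse . and ..
    if not path.startswith("/"):
        path = "/" + path
    return host, path

def match_threat(host: str, path: str):
    """Longest matching path prefix for the host, on segment boundaries only."""
    best = None
    for prefix, category in THREAT_URLS.get(host, {}).items():
        p = posixpath.normpath(prefix)
        if p == "/" or path == p or path.startswith(p + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, category)
    return best[1] if best else None

def evaluate(url: str) -> Decision:
    """Dispose of one proxied request: bypass, forward, monitor, or block."""
    host, path = normalize(url)
    canonical = host + path
    if host in CUSTOM_ALLOW_DOMAINS:
        return Decision("bypass", None, canonical)      # allowed domain: not inspected
    if canonical in ALLOW_QUICK_LIST:
        return Decision("forward", None, canonical)     # administrator allowed this URL
    category = match_threat(host, path)
    if category is None:
        return Decision("forward", None, canonical)     # suspicious host, clean URL
    action = POLICY.get(category, "Monitor")
    if action == "Block":
        return Decision("block", category, canonical)   # prevention mode: block page, event
    if action == "Monitor":
        return Decision("monitor", category, canonical) # detection mode: forward, event
    return Decision("forward", category, canonical)     # category assigned Allow

if __name__ == "__main__":
    for url in ["https://cdn.example/downloads/update.exe",
                "https://CDN.example/downloads/%2e%2e/downloads/update.exe?x=1",
                "https://cdn.example/downloads/update.exe.sig",
                "https://login-secure.example/account/verify",
                "https://login-secure.example/account/verify/faq",
                "https://beacon.example/anything/here",
                "https://intranet.example/app"]:
        print(url, "->", evaluate(url))
```

The second and third sample URLs are the cases worth checking in any URL-level control: a path that spells the same threat URL with an encoded `..` segment must still match, and a path that merely shares a prefix (`update.exe.sig`) must not.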