Agreed DNS/IP reputation is still about the best. Then move on with everything else we should be doing. Decrypting the content would bring us to the next problem. Malware is commonly encrypted to prevent AntiVirus from pattern matching or hash matching. Decrypting the content always struck me as something that is better suited for spotting exfiltration. Searching for known clear text similar to “FBI Classified” or a watermark in documents sounded like an attainable goal from SSL decryption. Kevin Burke 802-540-0979 Burlington Telecom 200 Church St, Burlington, VT From: NANOG <nanog-bounces+kburke=burlingtontelecom.com@nanog.org> On Behalf Of Jared Geiger Sent: Friday, October 9, 2020 3:45 PM To: nanog@nanog.org Subject: Re: Securing Greenfield Service Provider Clients WARNING!! This message originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email. DNS filtering might be an easier option to get most of the bad stuff with services like 9.9.9.9 and 1.1.1.2. Paid options like dnsfilter.com<http://dnsfilter.com> will give you better control. Cloudflare Gateway might also be an option. On Fri, Oct 9, 2020 at 12:29 PM Christopher J. Wolff <cjwolff@nola.gov<mailto:cjwolff@nola.gov>> wrote: Dear Nanog; Hope everyone is getting ready for a good weekend. I’m working on a greenfield service provider network and I’m running into a security challenge. I hope the great minds here can help. Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification. Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from being downloaded to my users? Have experience with Palo and Firepower but even these need the MITM approach. I appreciate any advice anyone can provide. Best, CJ