On Fri, Oct 9, 2020 at 2:27 PM Christopher J. Wolff <cjwolff@nola.gov> wrote:
Dear Nanog;
Hope everyone is getting ready for a good weekend. I’m working on a greenfield service provider network and I’m running into a security challenge. I hope the great minds here can help.
Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.
Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from being downloaded to my users?
Have experience with Palo and Firepower but even these need the MITM approach. I appreciate any advice anyone can provide.
Do you really want to do this? Ask yourself not whether you want to protect your users from malicious content, but rather ask yourself: do you want to expose all of their financial, medical, and other personal details to anyone who may have access (including potentially unauthorized access) to this system? As a service provider with a customer/user base that you do not directly control, the answer should almost certainly always be "no."

It's one thing to implement this sort of snooping in an office/corporate environment: there you have direct control over systems to install MITM CA certificates, and the ability to set policies like "don't view personal websites or enter personal financial, medical, or other private details on a work computer outside of communicating with HR" or somesuch.

Instead, I'd recommend distributing good anti-malware software that provides endpoint protection for their devices and teaching security best practices to your users. You can also block access to known-bad hosts and addresses either at your border via packet filtering, or via the recursive DNS servers that you feed to clients. This may have the unintended consequence of false positives resulting in additional support inquiries, but overall is much better than trying to MITM secure connections from your customer/user base.

Good luck!

Matt Harris | Infrastructure Lead Engineer
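The resolver-side blocking suggested in the reply, as an added example that is not part of the thread: a BIND response policy zone (RPZ) setup for the recursive resolvers handed to customers. Zone names, file paths, the blocked names and the 192.0.2.0/24 range are constructed placeholders; the allow zone is listed first so that a false positive reported through support can be cleared with one passthru record without editing the block list.

```conf
// named.conf on the customer-facing recursive resolver (constructed example).
// Policy zones are evaluated in the order listed, so a match in the allow
// zone wins over anything in the block zone.
options {
    response-policy {
        zone "allow.rpz.example.internal" policy given;
        zone "block.rpz.example.internal" policy given log yes; // hits go to the "rpz" log category
    };
};

zone "allow.rpz.example.internal" {
    type master;
    file "/etc/bind/db.allow.rpz";   // placeholder path
    allow-query { none; };           // policy zones are never served to clients directly
};

zone "block.rpz.example.internal" {
    type master;
    file "/etc/bind/db.block.rpz";   // placeholder path
    allow-query { none; };
};

; ---- db.allow.rpz (zone-file syntax; ';' starts a comment here) ----
$TTL 60
@   IN SOA  localhost. hostmaster.example.internal. ( 1 3600 600 86400 60 )
    IN NS   localhost.
; A host a customer reported as wrongly blocked: resolve it normally.
cdn.legit-vendor.example.invalid      CNAME rpz-passthru.

; ---- db.block.rpz ----
$TTL 60
@   IN SOA  localhost. hostmaster.example.internal. ( 1 3600 600 86400 60 )
    IN NS   localhost.
; Known-bad hostname and every subdomain of it: clients receive NXDOMAIN.
dropper.malicious.example.invalid     CNAME .
*.dropper.malicious.example.invalid   CNAME .
; Known-bad hosting range (TEST-NET-1 as a placeholder): any answer that would
; point into 192.0.2.0/24 is rewritten to NXDOMAIN. Format: <prefix>.<reversed address>.rpz-ip
24.0.2.0.192.rpz-ip                   CNAME .
```

Bumping the SOA serial and reloading the policy zone is enough to roll out a new entry; the rpz log line for each rewritten answer gives the support desk the query name and client to match against a false-positive report.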