Are you really suggesting decrypting customer traffic? In most parts of the world that act falls in one of two categories: it is either required by law or it is illegal. 

Offer your customers a good virus scanner to install instead.

Regards 

Baldur 


On Fri, 9 Oct 2020 at 21:27, Christopher J. Wolff <cjwolff@nola.gov> wrote:

Dear Nanog;

Hope everyone is getting ready for a good weekend.  I’m working on a greenfield service provider network and I’m running into a security challenge.  I hope the great minds here can help.

Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.

Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or SSL analysis so I can prevent encrypted malicious content from being downloaded to my users?

Have experience with Palo and Firepower but even these need the MITM approach.  I appreciate any advice anyone can provide.

Best,

CJ