Securing Greenfield Service Provider Clients

Matt Harris matt at netfire.net
Fri Oct 9 19:39:53 UTC 2020


On Fri, Oct 9, 2020 at 2:27 PM Christopher J. Wolff <cjwolff at nola.gov>
wrote:

> Dear Nanog;
>
> Hope everyone is getting ready for a good weekend.  I’m working on a
> greenfield service provider network and I’m running into a security
> challenge.  I hope the great minds here can help.
>
> Since the majority of traffic is SSL/TLS, encrypted malicious content can
> pass through even an “NGFW” device without detection and classification.
>
> Without setting up SSL encrypt/decrypt through a MITM setup and handing
> certificates out to every client, is there any other software/hardware that
> can perform DPI and/or SSL analysis so I can prevent encrypted malicious
> content from being downloaded to my users?
>
> Have experience with Palo and Firepower but even these need the MITM
> approach.  I appreciate any advice anyone can provide.

Do you really want to do this? Ask yourself not whether you want to protect
your users from malicious content, but rather ask yourself do you want to
expose all of their financial, medical, and other personal details to
anyone who may have access (including potentially unauthorized access) to
this system? As a service provider with a customer/user base that you do
not directly control, the answer should almost certainly always be "no."

It's one thing to implement this sort of snooping in an office/corporate
environment: there you have direct control over systems to install MITM CA
certificates, and the ability to set policies like "don't view personal
websites or enter personal financial, medical, or other private details on
a work computer outside of communicating with HR" or somesuch.

Instead, I'd recommend distributing good anti-malware software that
provides endpoint protection for their devices and teaching security best
practices to your users. You can also block access to known-bad hosts and
addresses either at your border via packet filtering, or via the recursive
DNS servers that you feed to clients. This may have the unintended
consequence of false positives resulting in additional support inquiries,
but overall is much better than trying to MITM secure connections from your
customer/user base.

Good luck!

Matt Harris|Infrastructure Lead Engineer
816-256-5446|Direct
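The alternative Matt recommends above, blocking known-bad hosts at the recursive DNS servers you hand to clients and keeping an allowlist so a reported false positive can be cleared without touching the feed, looks roughly like the policy logic below. This is an added illustration for this thread, not code from the poster or from any resolver product; it mirrors the shape of DNS RPZ (query-name triggers and answer-address triggers) but the feed format, the Policy class, and every name and prefix in the sample feed (evil.example, phish.example, 203.0.113.0/24, the 192.0.2.1 sinkhole) are constructed for the example and are not real indicators.

```python
from __future__ import annotations

import ipaddress
import logging
from dataclasses import dataclass, field
from typing import Iterable

log = logging.getLogger("rpz-policy")


@dataclass
class Policy:
    """Block/allow lists a recursive resolver consults (hypothetical structure)."""
    blocked_domains: set[str] = field(default_factory=set)    # exact names only
    blocked_suffixes: set[str] = field(default_factory=set)   # name plus all subdomains
    allowed_domains: set[str] = field(default_factory=set)    # wins over any block entry
    blocked_networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = field(default_factory=list)
    sinkhole: str = "192.0.2.1"  # constructed sinkhole address (TEST-NET-1)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _suffixes(name: str) -> list[str]:
    """'a.b.example' -> ['a.b.example', 'b.example', 'example']"""
    labels = _norm(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def load_policy(lines: Iterable[str]) -> Policy:
    """Parse a one-entry-per-line feed (format invented for this example):
         evil.example      block this exact name
         *.phish.example   block the name and every subdomain
         +good.example     allowlist the name and its subdomains (overrides blocks)
         203.0.113.0/24    withhold any answer that resolves into this prefix
       Anything after '#' is a comment."""
    p = Policy()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("+"):
            p.allowed_domains.add(_norm(entry[1:]))
        elif entry.startswith("*."):
            p.blocked_suffixes.add(_norm(entry[2:]))
        else:
            try:
                p.blocked_networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:  # not an address or prefix, so treat it as a hostname
                p.blocked_domains.add(_norm(entry))
    return p


def classify_name(qname: str, p: Policy) -> str:
    """Return 'allow', 'block' or 'pass' for a query name; allowlist is checked first."""
    candidates = _suffixes(qname)
    if any(c in p.allowed_domains for c in candidates):
        return "allow"
    if candidates[0] in p.blocked_domains:
        return "block"
    if any(c in p.blocked_suffixes for c in candidates):
        return "block"
    return "pass"


def decide_query(qname: str, p: Policy) -> tuple[str, str | None]:
    """Query-time decision (before recursion): ('SINKHOLE', ip) or ('PASS', None)."""
    if classify_name(qname, p) == "block":
        log.warning("qname trigger name=%s action=sinkhole", qname)
        return "SINKHOLE", p.sinkhole
    return "PASS", None


def decide_answer(qname: str, answer_ips: list[str], p: Policy) -> tuple[str, list[str]]:
    """Answer-time decision (after recursion): withhold the whole answer when any
    record lands in a blocked prefix, unless the name is allowlisted."""
    if classify_name(qname, p) != "allow":
        for ip in answer_ips:
            if any(ipaddress.ip_address(ip) in net for net in p.blocked_networks):
                log.warning("answer trigger name=%s ip=%s action=nxdomain", qname, ip)
                return "NXDOMAIN", []
    return "PASS", list(answer_ips)


# Constructed sample feed; none of these are real indicators.
SAMPLE_FEED = """
evil.example
*.phish.example
+legit.phish.example    # customer reported a false positive, so it is let through
203.0.113.0/24
"""

POLICY = load_policy(SAMPLE_FEED.splitlines())

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for q in ("evil.example", "www.evil.example", "login.phish.example", "app.legit.phish.example"):
        print(q, decide_query(q, POLICY))
    print("cdn.example", decide_answer("cdn.example", ["198.51.100.5", "203.0.113.9"], POLICY))
```

The warning lines are what makes the support-inquiry problem Matt mentions tractable: when a customer calls, the resolver log shows which entry fired, and a single `+name` line clears it for that customer-facing name without weakening the rest of the feed.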
