Securing Greenfield Service Provider Clients

• Previous message (by thread): Securing Greenfield Service Provider Clients
• Next message (by thread): Securing Greenfield Service Provider Clients
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Agreed DNS/IP reputation is still about the best.  Then move on with everything else we should be doing.

Decrypting the content would bring us to the next problem.  Malware is commonly encrypted to prevent AntiVirus from pattern matching or hash matching.

Decrypting the content always struck me as something that is better suited for spotting exfiltration.  Searching for known clear text similar to “FBI Classified” or a watermark in documents sounded like an attainable goal from SSL decryption.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG <nanog-bounces+kburke=burlingtontelecom.com at nanog.org> On Behalf Of Jared Geiger
Sent: Friday, October 9, 2020 3:45 PM
To: nanog at nanog.org
Subject: Re: Securing Greenfield Service Provider Clients

WARNING!! This message originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email.
DNS filtering might be an easier option to get most of the bad stuff with services like 9.9.9.9 and 1.1.1.2. Paid options like dnsfilter.com<http://dnsfilter.com> will give you better control. Cloudflare Gateway might also be an option.

On Fri, Oct 9, 2020 at 12:29 PM Christopher J. Wolff <cjwolff at nola.gov<mailto:cjwolff at nola.gov>> wrote:
Dear Nanog;

Hope everyone is getting ready for a good weekend.  I’m working on a greenfield service provider network and I’m running into a security challenge.  I hope the great minds here can help.

Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.

Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from being downloaded to my users?

Have experience with Palo and Firepower but even these need the MITM approach.  I appreciate any advice anyone can provide.

Best,
CJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20201009/97e23a94/attachment.html>

• Previous message (by thread): Securing Greenfield Service Provider Clients
• Next message (by thread): Securing Greenfield Service Provider Clients
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]