<div><div><div><br></div><div><br><div class="gmail_quote"></div></div></div><div><div dir="ltr" class="gmail_attr">On Sat, Oct 10, 2020 at 8:14 AM Christopher J. Wolff <<a href="mailto:cjwolff@nola.gov" target="_blank">cjwolff@nola.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<div>
<div>
<div style="direction:ltr">Dear Mr. Curtis and Nanog;</div>
<div><br>
</div>
<div style="direction:ltr">Thank you for your responses. Yes, I am investigating the feasibility of public internet access to help with Digital Divide issues in light of the COVID-19 pandemic as well as the challenges of security in this public application.</div>
<div><br>
</div>
<div style="direction:ltr">It’s relatively straightforward to segment East-West traffic; however, I’m not so sure about the case of North-South. I need to address this issue somehow in my assessment of risks in public networks.</div>
<div><br>
</div>
<div style="direction:ltr">I do *not* want to decrypt SSL traffic. But I would *like* to be able to have some black box with a subscription at the network edge prevent malware from being downloaded through the network.</div>
<div><br>
</div>
<div style="direction:ltr">My question was whether this is even possible in a public context. Secure DNS services would go a long way toward this goal.</div>
<div><br>
</div>
<div style="direction:ltr">Is it fair to say that an NGFW *must* decrypt SSL traffic in order to fully categorize for IPS/IDS prevention? </div>
<div><br>
</div>
<div style="direction:ltr">Thank you,</div>
<div style="direction:ltr">CJ<span id="m_6762746883143063775m_-8195865042805863586m_-4357999687316660068ms-outlook-ios-cursor"></span></div>
<div><br>
</div>
<div></div></div></div></div></blockquote><div dir="auto"><br></div><div dir="auto"><br></div></div></div><div><div dir="auto">Just my humble opinion, many network security devices in the middle decrease the overall network security. Especially if they fall into the category of NGFW, they do too much and end up blowing themselves up. </div><div dir="auto"><br></div><div dir="auto"><div><a href="https://www.google.com/amp/s/www.zdnet.com/google-amp/article/us-cyber-command-says-foreign-hackers-will-attempt-to-exploit-new-pan-os-security-bug/">https://www.google.com/amp/s/www.zdnet.com/google-amp/article/us-cyber-command-says-foreign-hackers-will-attempt-to-exploit-new-pan-os-security-bug/</a></div><br></div><div dir="auto"><div><a href="https://www.google.com/amp/s/www.bleepingcomputer.com/news/security/cisco-patches-asa-ftd-firewall-flaw-actively-exploited-by-hackers/amp/">https://www.google.com/amp/s/www.bleepingcomputer.com/news/security/cisco-patches-asa-ftd-firewall-flaw-actively-exploited-by-hackers/amp/</a></div><br></div><div dir="auto"><br></div><div dir="auto">Also, they are insanely priced and market to people based on fear. </div><div dir="auto"><br></div><div dir="auto">IPS / IDS only works if you have a full time team of folks willing to tune it. And, it is never worth it. Been the same way for 20 years. I was recently involved in an outage with an IPS rule taking an entire site off line. The fix was to stop doing IPS. </div><div dir="auto"><br></div><div dir="auto">The fact is, most modern systems (win10, iOS, Android) are very secure from a network stack and do not benefit from network based tools. Even windows Vista has a local firewall on by default. The real hacks that happen in the wild are phishing ... and no network based thing is going to stop that. You do see occasional nsa tools turned into wannacry style worms, but those only proliferate when SMB is enabled, and that is easily blocked with a router acl, and is a best practice below. </div><div dir="auto"><br></div><div dir="auto">For public internet access, please keep it simple. Please do not waste tax payer money on security snake oil. As mentioned, free dns services like 1.1.1.3 and <a href="https://cleanbrowsing.org">https://cleanbrowsing.org</a> go a long way</div><div dir="auto"><br></div><div dir="auto">Simple router ACLS are also good to shutdown back trafffic, take a hint from Comcast </div><div dir="auto"><br><div dir="auto"><a href="https://www.xfinity.com/support/articles/list-of-blocked-ports">https://www.xfinity.com/support/articles/list-of-blocked-ports</a></div></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Regards,</div><div dir="auto">CB</div><div dir="auto"><br></div><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div dir="auto"><div><div><div><br>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div dir="auto">Get <a href="https://aka.ms/o0ukef" target="_blank">Outlook for iO</a></div>
</div></div></blockquote></div><div><div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div dir="auto">
<hr style="display:inline-block;width:98%"> <div id="m_6762746883143063775m_-8195865042805863586m_-4357999687316660068divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><b style="font-family:Calibri,sans-serif">From:</b> Curtis, Bruce <<a href="mailto:bruce.curtis@ndsu.edu" style="font-family:Calibri,sans-serif" target="_blank">bruce.curtis@ndsu.edu</a>><br>
<b style="font-family:Calibri,sans-serif">Sent:</b> Friday, October 9, 2020 5:23:45 PM<br>
<b style="font-family:Calibri,sans-serif">To:</b> Christopher J. Wolff <<a href="mailto:cjwolff@nola.gov" style="font-family:Calibri,sans-serif" target="_blank">cjwolff@nola.gov</a>><br>
<b style="font-family:Calibri,sans-serif">Cc:</b> <a href="mailto:nanog@nanog.org" style="font-family:Calibri,sans-serif" target="_blank">nanog@nanog.org</a> <<a href="mailto:nanog@nanog.org" style="font-family:Calibri,sans-serif" target="_blank">nanog@nanog.org</a>><br>
<b style="font-family:Calibri,sans-serif">Subject:</b> Re: Securing Greenfield Service Provider Clients</font>
<div> </div>
</div>
<div><font size="2" style="color:rgb(0,0,0)"><span style="font-size:11pt">
<div>EMAIL FROM EXTERNAL SENDER: DO NOT click links, or open attachments, if sender is unknown, or the message seems suspicious in any way. DO NOT provide your user ID or password. If you believe that this is a phishing attempt please forward
this message to <a href="mailto:phishing@nola.gov" target="_blank">phishing@nola.gov</a></div></span></font></div></div><div><div><font size="2" style="color:rgb(0,0,0)"><span style="font-size:11pt"><div><br>
<br>
<br>
If you search for this phrase<br>
<br>
During 2020 more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.<br>
<br>
you will find lots of vendors of decryption have the phrase from Gartner mentioned prominently on their web site.<br>
<br>
<br>
I don’t think TLS decryption would be viable in our university environment.<br>
<br>
Your email address indicates that you are in a government environment and if so you might have more control over devices and could have a better chance of making decryption work.<br>
On the other hand if you have more control over devices a better choice might be to spend your resources on implementing whitelisting rather than decryption.<br>
<br>
Keep in mind that if you implement decryption your decryption device is in scope for PCI and subject to the various PCI duding and logging requirements.<br>
<br>
<br>
<br>
Attackers abuse Google DNS over HTTPS to download malware<br>
<br>
<a href="https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/" target="_blank">https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/</a><br>
<br>
<br>
More general and as focused on decryption but I recommend you watch these sessions from RSA conferences.<br>
<br>
<a href="https://www.youtube.com/watch?v=d90Ov6QM1jE" target="_blank">https://www.youtube.com/watch?v=d90Ov6QM1jE</a><br>
<br>
<a href="https://www.youtube.com/watch?v=qzI-N0p9hFk" target="_blank">https://www.youtube.com/watch?v=qzI-N0p9hFk</a><br>
<br>
<br>
And also the NIST draft on Zero Trust Architecture. The document is mainly about Zero Trust but does briefly mention decryption.<br>
<br>
<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf</a><br>
<br>
<a href="https://csrc.nist.gov/publications/detail/sp/800-207/final" target="_blank">https://csrc.nist.gov/publications/detail/sp/800-207/final</a><br>
<br>
<br>
<br>
<br>
> On Oct 9, 2020, at 2:09 PM, Christopher J. Wolff <<a href="mailto:cjwolff@nola.gov" target="_blank">cjwolff@nola.gov</a>> wrote:<br>
><br>
> Dear Nanog;<br>
><br>
> Hope everyone is getting ready for a good weekend. I’m working on a greenfield service provider network and I’m running into a security challenge. I hope the great minds here can help.<br>
><br>
> Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.<br>
><br>
> Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from being downloaded to my
users?<br>
><br>
> Have experience with Palo and Firepower but even these need the MITM approach. I appreciate any advice anyone can provide.<br>
><br>
> Best,<br>
> CJ<br>
<br>
Bruce Curtis<br>
Network Engineer / Information Technology<br>
NORTH DAKOTA STATE UNIVERSITY<br>
phone: 701.231.8527<br>
<a href="mailto:bruce.curtis@ndsu.edu" target="_blank">bruce.curtis@ndsu.edu</a><br>
<br>
</div>
</span></font></div>
</div>
</blockquote></div></div>
</div>
</div>