nanog mailing list archives
Re: Securing Greenfield Service Provider Clients
From: Garrett Skjelstad <garrett () skjelstad org>
Date: Sun, 11 Oct 2020 06:40:36 -0700
If this is really greenfield, consider taking a tenant approach to your egress traffic handling. You mentioned a "black box with subscription"; then consider making that blackbox/traffic path be only available to whatever tenant subscribes to the service, and if they want the SSL/MITM decryption, then their local IT team (or yours) can handle the certificate management and risk of doing such a thing. Then all you need to worry about is managing the egress per tenant, which can all be maintained separately from whatever services you're wrapping up into that security service package.

Keep in mind your 80/20s :)

-Garrett

On Fri, Oct 9, 2020 at 12:28 PM Christopher J. Wolff <cjwolff () nola gov> wrote:
> Dear Nanog;
>
> Hope everyone is getting ready for a good weekend. I'm working on a greenfield service provider network and I'm running into a security challenge. I hope the great minds here can help.
>
> Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an "NGFW" device without detection and classification. Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or SSL analysis so I can prevent encrypted malicious content from being downloaded to my users? Have experience with Palo and Firepower but even these need the MITM approach.
>
> I appreciate any advice anyone can provide.
>
> Best,
> CJ
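To make the two positions in this exchange concrete (what a device can see in TLS traffic without MITM decryption, and Garrett's per-tenant egress idea), here is an added worked example; it is not code from the thread or from any vendor product mentioned in it. It parses a TLS ClientHello record and pulls out the fields a passive inspection point gets for free (offered client version, cipher suites, SNI), then applies a hypothetical per-tenant egress policy in which only tenants who opted in to decryption are sent to the inspection path, while everyone else gets metadata-only checks. The ClientHello bytes are constructed by a helper in the block rather than captured, and the tenant names and policy table are assumptions.

```python
import struct

TLS_HANDSHAKE = 0x16     # record-layer content type for handshake messages
HS_CLIENT_HELLO = 0x01   # handshake type for ClientHello
EXT_SERVER_NAME = 0x0000 # SNI extension type (RFC 6066)


def build_client_hello(server_name, cipher_suites, client_version=0x0303):
    """Assemble a minimal TLS ClientHello record. Constructed test input, not captured traffic."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version)
            + bytes(32)                                   # client random (zeros; constructed)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract what a passive observer sees without decryption: version, cipher suites, SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                         # skip version and random
    pos += 1 + body[pos]                                  # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                  # skip compression methods
    sni = None
    if pos + 2 <= len(body):                              # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]     # skip list length + name type
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"client_version": client_version, "cipher_suites": suites, "sni": sni}


# Hypothetical per-tenant egress policy (assumption for this example, not from the thread):
# tenant-a opted in to TLS inspection; tenant-b did not and only gets metadata checks.
TENANT_POLICY = {
    "tenant-a": {"inspect_tls": True, "blocked_sni": set()},
    "tenant-b": {"inspect_tls": False, "blocked_sni": {"bad.example"}},
}


def egress_decision(tenant, record):
    """Decide the egress path for one ClientHello using only unencrypted handshake metadata."""
    meta = parse_client_hello(record)
    policy = TENANT_POLICY[tenant]
    if meta["sni"] in policy["blocked_sni"]:
        return "block"                                    # SNI is visible without decryption
    if meta["client_version"] < 0x0303:
        return "alert"                                    # client offering pre-TLS-1.2 only
    return "inspect" if policy["inspect_tls"] else "allow"


if __name__ == "__main__":
    rec = build_client_hello("www.example.com", [0x1301, 0xC02F])
    print(parse_client_hello(rec))
    for tenant in TENANT_POLICY:
        print(tenant, egress_decision(tenant, rec))
```

The point the block makes is that SNI, offered versions and cipher suites are all in the clear in the ClientHello (with encrypted ClientHello not yet deployed), so a metadata-only path can still block known-bad names and flag legacy clients, while the tenants who accept the certificate-management burden are the only ones routed through the decrypting device.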