Educause Security Discussion mailing list archives

Re: Inspecting encrypted traffic


From: Jim Cheetham <jim.cheetham () OTAGO AC NZ>
Date: Wed, 20 Jan 2016 10:24:25 +1300

Excerpts from John LaPrad's message of 2016-01-20 07:53:24 +1300:
I'm looking into the possibility of decrypting and inspecting encrypted traffic to and from the Internet for viruses, 
malware etc.... Is anyone doing this? We have Palo Alto firewalls and they support decryption, inspection, 
re-encryption. I'm concerned about privacy issues, could it impact compliance in any way, user acceptance. 
I appreciate any feedback. 

I'd push back on technical issues; it's effectively impossible to
inspect all traffic, and each year the amount of un-inspectable traffic
will rise, often sharply.

Just because a vendor says they can "decrypt traffic" doesn't mean that
they are correct. Have them tell you what traffic they can't decrypt :-)
Have them tell you what applications won't work when they deploy their
interception. MITM is an attack, not a service.

So, if you accept that content inspection itself isn't going to work, look
at other technologies like site reputation, DNS query analysis and of
course end-point security/AV.

-- 
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz    ☏ +64 3 470 4670    ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605
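The DNS query analysis Jim mentions as an alternative to content inspection, as an added example that is not part of the thread: a small Python script that runs over constructed BIND-style query-log lines and flags blocklisted registered domains, high-entropy hostname labels, and clients fanning out across many unique subdomains of one domain. The log lines, the blocklist and the thresholds are constructed assumptions, not real data.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND query-log style (not real traffic).
SAMPLE_LOG = """\
19-Jan-2016 10:01:02.101 client 10.1.2.3#51234: query: www.example.test IN A +
19-Jan-2016 10:01:05.220 client 10.1.2.3#51240: query: updates.example-av.test IN A +
19-Jan-2016 10:01:07.330 client 10.1.2.9#40021: query: cdn.bad-reputation.test IN A +
19-Jan-2016 10:01:08.001 client 10.1.2.9#40022: query: a1b2c3d4e5f6a7b8.tunnel.test IN TXT +
19-Jan-2016 10:01:08.050 client 10.1.2.9#40023: query: 9f8e7d6c5b4a3210.tunnel.test IN TXT +
19-Jan-2016 10:01:08.090 client 10.1.2.9#40024: query: 0123456789abcdef.tunnel.test IN TXT +
"""

# Hypothetical reputation blocklist of registered domains (constructed).
BLOCKLIST = {"bad-reputation.test"}

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

def registered_domain(name):
    # Naive: last two labels. A real deployment would use the public suffix list.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def label_entropy(label):
    # Shannon entropy in bits per character; random-looking labels score high.
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_queries(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower(), m.group("qtype")

def analyse(log_text, blocklist=BLOCKLIST, entropy_threshold=3.5, fanout_threshold=3):
    findings = []
    fanout = defaultdict(set)  # (client, registered domain) -> unique names queried
    for ip, name, qtype in parse_queries(log_text):
        reg = registered_domain(name)
        if reg in blocklist:
            findings.append((ip, name, "blocklisted domain"))
        first = name.split(".")[0]
        if len(first) >= 12 and label_entropy(first) >= entropy_threshold:
            findings.append((ip, name, "high-entropy label"))
        fanout[(ip, reg)].add(name)
    for (ip, reg), names in fanout.items():
        if len(names) >= fanout_threshold:
            findings.append((ip, reg, "many unique subdomains"))
    return findings
```

Thresholds here are illustrative; in practice they are tuned against a baseline of the site's own query volume.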
