Educause Security Discussion mailing list archives

Re: Inspecting encrypted traffic


From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 19 Jan 2016 22:11:21 +0000

Hi John,

Jim Cheetham provided sage advice on this front. Performing full packet inspection (selectively decrypted or not) is 
typically infeasible or ineffective at scale. The decryption advertised by PA (or anybody else) is only for encrypted 
streams where you have the means to terminate the connection at the perimeter, inspect it, then re-encrypt and send it 
down the wire (in other words it will only work for services you directly administrate).

You would likely benefit far more by focusing on the collection and analysis of connection data (netflows), not what is 
actually in the packets. We use Argus (http://qosient.com/argus/) but it looks like PAs have some netflow functionality 
built in. You might also check out Bro (https://www.bro.org) which is well established in the Hi-Ed community.

Good luck and please keep us posted.

Best,
Alex

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421
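As an added example (not code from the original thread, Argus, Bro or Palo Alto), here is what the connection-metadata analysis Alex suggests can look like in practice: two checks that run on flow records alone, without decrypting anything. One flags connection pairs whose inter-flow timing is nearly constant (beacon-like), the other flags internal hosts that upload far more than they receive. The record layout and all sample flows are constructed for the example; they are not Argus output, and the thresholds are assumptions to tune per site.

```python
"""Flow-metadata analysis without payload inspection (added example).

Field layout and sample flows are constructed here; they are not the
output format of Argus, Bro or a Palo Alto NetFlow export.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    start: float     # flow start, seconds (relative, constructed)
    src: str         # internal host
    dst: str         # external host
    dport: int       # destination port
    out_bytes: int   # bytes sent src -> dst
    in_bytes: int    # bytes received dst -> src


# Constructed sample: three internal hosts, all talking TLS on 443, so
# payload is opaque; only timing and volume are available to us.
FLOWS = [
    # 10.0.0.5: small flows at an almost fixed interval (beacon-like)
    Flow(0,   "10.0.0.5", "203.0.113.10", 443, 1_200, 900),
    Flow(61,  "10.0.0.5", "203.0.113.10", 443, 1_150, 920),
    Flow(119, "10.0.0.5", "203.0.113.10", 443, 1_230, 880),
    Flow(181, "10.0.0.5", "203.0.113.10", 443, 1_190, 910),
    Flow(240, "10.0.0.5", "203.0.113.10", 443, 1_210, 905),
    # 10.0.0.7: irregular timing but heavy, one-directional upload
    Flow(5,   "10.0.0.7", "198.51.100.20", 443, 20_000_000, 40_000),
    Flow(17,  "10.0.0.7", "198.51.100.20", 443, 18_000_000, 35_000),
    Flow(90,  "10.0.0.7", "198.51.100.20", 443, 12_000_000, 30_000),
    Flow(400, "10.0.0.7", "198.51.100.20", 443, 3_000_000, 15_000),
    # 10.0.0.9: ordinary browsing, downloads dominate
    Flow(30,  "10.0.0.9", "198.51.100.50", 443, 8_000, 650_000),
    Flow(300, "10.0.0.9", "198.51.100.50", 443, 6_500, 420_000),
]


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Return (src, dst, dport, mean_gap) for connection pairs whose
    inter-flow gaps are nearly constant (coefficient of variation <= max_cv).
    Only start times are used; thresholds are assumptions."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.start)
    beacons = []
    for pair, starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((*pair, round(avg, 1)))
    return beacons


def find_heavy_uploaders(flows, min_out_bytes=10_000_000, min_ratio=5.0):
    """Return (src, dst, out_bytes, out_in_ratio) for host pairs where the
    internal side sent at least min_out_bytes and min_ratio times more than
    it received. Volume asymmetry is visible without decryption."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        t = totals[(f.src, f.dst)]
        t[0] += f.out_bytes
        t[1] += f.in_bytes
    hits = []
    for (src, dst), (out_b, in_b) in totals.items():
        ratio = out_b / max(in_b, 1)
        if out_b >= min_out_bytes and ratio >= min_ratio:
            hits.append((src, dst, out_b, round(ratio, 1)))
    return hits


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print("beacon-like timing:", b)
    for h in find_heavy_uploaders(FLOWS):
        print("upload-heavy pair:", h)
```

On the constructed data the timing check reports only 10.0.0.5 (gaps of 61, 58, 62 and 59 seconds) and the volume check reports only 10.0.0.7, while the browsing host trips neither. Both results come from start times and byte counts, which is exactly the data a flow collector such as Argus or a firewall's NetFlow export already produces for encrypted sessions.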


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John LaPrad
Sent: Tuesday, January 19, 2016 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inspecting encrypted traffic

Hello all,

I'm looking into the possibility of decrypting and inspecting encrypted traffic to and from the Internet for viruses, 
malware etc. Is anyone doing this? We have Palo Alto firewalls and they support decryption, inspection, 
re-encryption. I'm concerned about privacy issues, whether it could impact compliance in any way, and user acceptance.
I appreciate any feedback.

Thanks in advance for your time;

John LaPrad
Manager of Technical Services
Saginaw Valley State University
Phone: 989-964-7134
jrl () svsu edu

