Educause Security Discussion mailing list archives

Re: Inspecting encrypted traffic


From: John LaPrad <jrl () SVSU EDU>
Date: Tue, 19 Jan 2016 17:24:19 -0500

Thanks, we have not committed to this yet, I'm just trying to consider all options. And, there are a lot of things to consider.

We currently use PA's URL analysis and block traffic to and from known bad sites. But, not everything is known and malware can get in through an encrypted session.

John 

----- Original Message -----

| From: "Alex Keller" <axkeller () stanford edu>
| To: "John LaPrad" <jrl () svsu edu>, SECURITY () LISTSERV EDUCAUSE EDU
| Sent: Tuesday, January 19, 2016 5:11:21 PM
| Subject: RE: Inspecting encrypted traffic

| Hi John,

| Jim Cheetham provided sage advice on this front. Performing full packet
| inspection (selectively decrypted or not) is typically infeasible or
| ineffective at scale. The decryption advertised by PA (or anybody else) is
| only for encrypted streams where you have the means to terminate the
| connection at the perimeter, inspect it, then re-encrypt and send it down
| the wire (in other words it will only work for services you directly
| administrate).

| You would likely benefit far more by focusing on the collection and analysis
| of connection data (netflows), not what is actually in the packets. We use
| Argus ( http://qosient.com/argus/ ) but it looks like PAs have some netflow
| functionality built in. You might also check out Bro (https://www.bro.org)
| which is well established in the Hi-Ed community.

| Good luck and please keep us posted.

| Best,

| Alex

| Alex Keller

| Stanford | Engineering

| Information Technology

| axkeller () stanford edu

| (650)736-6421

| From: The EDUCAUSE Security Constituent Group Listserv
| [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John LaPrad
| Sent: Tuesday, January 19, 2016 10:53 AM
| To: SECURITY () LISTSERV EDUCAUSE EDU
| Subject: [SECURITY] Inspecting encrypted traffic

| Hello all,

| I'm looking into the possibility of decrypting and inspecting encrypted
| traffic to and from the Internet for viruses, malware, etc. Is anyone
| doing this? We have Palo Alto firewalls and they support decryption,
| inspection, and re-encryption. I'm concerned about privacy issues, whether
| it could impact compliance in any way, and user acceptance.

| I appreciate any feedback.

| Thanks in advance for your time;

| John LaPrad

| Manager of Technical Services
| Saginaw Valley State University

| Phone: 989-964-7134
| jrl () svsu edu
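Alex's suggestion above, looking at connection metadata instead of decrypting payloads, as an added example that is not part of this thread or of the Bro/Argus projects: it parses constructed records laid out like a simplified Bro conn.log (the column subset and the sample values are assumptions) and flags client/server pairs whose SSL connections recur at near-constant intervals, a beacon-like pattern visible without any decryption.

```python
"""Flag beacon-like encrypted connections from simplified Bro/Zeek
conn.log-style records, using connection metadata only (no decryption)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real traffic), simplified conn.log columns:
# ts  orig_h  orig_p  resp_h  resp_p  proto  service  duration  orig_bytes  resp_bytes
SAMPLE_LOG = """\
1453222000.0\t10.1.2.3\t51000\t203.0.113.10\t443\ttcp\tssl\t0.8\t1200\t900
1453222300.1\t10.1.2.3\t51001\t203.0.113.10\t443\ttcp\tssl\t0.7\t1190\t905
1453222600.2\t10.1.2.3\t51002\t203.0.113.10\t443\ttcp\tssl\t0.9\t1210\t910
1453222900.0\t10.1.2.3\t51003\t203.0.113.10\t443\ttcp\tssl\t0.8\t1205\t895
1453222050.0\t10.1.2.3\t51010\t198.51.100.5\t443\ttcp\tssl\t12.0\t5000\t80000
1453225000.0\t10.1.2.3\t51011\t198.51.100.5\t443\ttcp\tssl\t3.0\t2000\t40000
1453226000.0\t10.1.2.4\t52000\t198.51.100.5\t443\ttcp\tssl\t2.0\t1500\t30000
"""

def parse_conn_log(text):
    """Turn tab-separated records into dicts; skip blanks and '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({"ts": float(f[0]), "orig_h": f[1], "resp_h": f[3],
                     "resp_p": int(f[4]), "service": f[6],
                     "duration": float(f[7]), "orig_bytes": int(f[8]),
                     "resp_bytes": int(f[9])})
    return rows

def find_beacons(rows, min_conns=4, max_cv=0.1):
    """Group SSL connections by (client, server, port) and report groups whose
    inter-connection gaps are nearly constant (low coefficient of variation).
    Returns a list of ((orig_h, resp_h, resp_p), count, mean_gap_seconds)."""
    groups = defaultdict(list)
    for r in rows:
        if r["service"] == "ssl":
            groups[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    hits = []
    for key, times in groups.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, len(times), round(avg, 1)))
    return hits
```

Thresholds like `min_conns` and `max_cv` are tuning knobs; on real conn.log volumes they should be set against a baseline of the site's normal traffic.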
