nanog mailing list archives

RE: Securing Greenfield Service Provider Clients

From: Kevin Burke <kburke () burlingtontelecom com>
Date: Fri, 9 Oct 2020 20:09:13 +0000

Agreed DNS/IP reputation is still about the best.  Then move on with everything else we should be doing.

Decrypting the content would bring us to the next problem.  Malware is commonly encrypted to prevent AntiVirus from 
pattern matching or hash matching.

Decrypting the content always struck me as something that is better suited for spotting exfiltration.  Searching for 
known clear text similar to “FBI Classified” or a watermark in documents sounded like an attainable goal from SSL 
decryption.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG <nanog-bounces+kburke=burlingtontelecom.com () nanog org> On Behalf Of Jared Geiger
Sent: Friday, October 9, 2020 3:45 PM
To: nanog () nanog org
Subject: Re: Securing Greenfield Service Provider Clients

WARNING!! This message originated from an External Source. Please use proper judgment and caution when opening 
attachments, clicking links, or responding to this email.
DNS filtering might be an easier option to get most of the bad stuff with services like 9.9.9.9 and 1.1.1.2. Paid 
options like dnsfilter.com<http://dnsfilter.com> will give you better control. Cloudflare Gateway might also be an 
option.

On Fri, Oct 9, 2020 at 12:29 PM Christopher J. Wolff <cjwolff () nola gov<mailto:cjwolff () nola gov>> wrote:
Dear Nanog;

Hope everyone is getting ready for a good weekend.  I’m working on a greenfield service provider network and I’m 
running into a security challenge.  I hope the great minds here can help.

Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without 
detection and classification.

Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any 
other software/hardware that can perform DPI and/or ssl analysis so I can prevent encrypted malicious content from 
being downloaded to my users?

Have experience with Palo and Firepower but even these need the MITM approach.  I appreciate any advice anyone can 
provide.

Best,
CJ

Current thread:

Securing Greenfield Service Provider Clients Christopher J. Wolff (Oct 09)
- Re: Securing Greenfield Service Provider Clients Matt Harris (Oct 09)
- Re: Securing Greenfield Service Provider Clients Jared Geiger (Oct 09)
  - RE: Securing Greenfield Service Provider Clients Kevin Burke (Oct 09)
- Re: Securing Greenfield Service Provider Clients Matthias Luft via NANOG (Oct 09)
- Re: Securing Greenfield Service Provider Clients Baldur Norddahl (Oct 09)
- Re: Securing Greenfield Service Provider Clients Curtis, Bruce via NANOG (Oct 09)
  - Re: Securing Greenfield Service Provider Clients Christopher J. Wolff (Oct 10)
    - Re: Securing Greenfield Service Provider Clients Ca By (Oct 10)
    - Re: Securing Greenfield Service Provider Clients Curtis, Bruce via NANOG (Oct 11)
    - Re: Securing Greenfield Service Provider Clients Randy Bush (Oct 10)
    - Re: Securing Greenfield Service Provider Clients Curtis, Bruce via NANOG (Oct 11)
- Re: Securing Greenfield Service Provider Clients Billy Crook (Oct 09)
- Re: Securing Greenfield Service Provider Clients Garrett Skjelstad (Oct 11)