I'm wondering what others are doing to overcome the performance impacts of SSL Decryption and also question the value of inline SSL-Decrypt. We're thinking of enabling this on our PAN firewalls based on industry security trends, but depending on the % of traffic encrypted and cypher-suite used, you might see a 50-80% performance hit.
I've been thinking that since SSL Decryption only works for "managed endpoints" because you need to push a root cert to act as a CA, why not rely on agents on the managed endpoint for threat detection/prevention? Why do inline inspection when you have the ability to inspect traffic before it gets encrypted and hits the wire? Has anyone taken this approach and if so, which solutions are you using or have you considered? It looks like Microsoft ATP and Crowdstrike are some of the highest rated endpoint protection platforms. If you prevent people from disabling this service, why do inline inspection? How did this "alternative" to SSL Decrypt go down with security audits/certifications?
Also, has anyone looked at Nubeva? They do out-of-band inspection and claim to be able to deal with PFS for decryption through a lightweight agent. It's an interesting story which wouldn't require a refresh of our firewall infrastructure which is right-sized to deal with current workload/throughput but not deal with SSL Decrypt.
Please enlighten me on something that I may be missing. Is there a security gap worth mentioning that would make me want to spend 3x on my firewall infrastructure to enable SSL Decryption for internet destined traffic?
No comments:
Post a Comment