Monday, February 11, 2019

SSL Decryption? Equifax - Pro/Con?

"...while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected. According to Equifax officials, the misconfiguration was due to an expired digital certificate. The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period...."

So with that being said, how high is the risk of NOT doing decryption? We have IPSs within a few areas of the environment, but none are doing decryption. Is this a common configuration (doing decryption) by most companies? What solutions are most recommended?

I have read/heard that decryption devices are very CPU intensive (obviously), so something like Cisco Firepower-based decryption (a VM or a module inside the firewall) would cause a lot of headache due to latency because of the processing resources it would consume. Same thing for even SOME hardware-based IPSs.

I advocate to decrypt, but some others say it's not worth the resources.

Thoughts?
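
The failure in the quoted passage, an inspection certificate that stayed expired for about 10 months, is what a scheduled expiry audit is meant to catch. The sketch below is an added example, not part of the original post: the inventory labels and dates are constructed, and the notAfter strings are assumed to be in the format `openssl x509 -enddate` prints.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: (label, notAfter text as printed by `openssl x509 -enddate`).
SAMPLE_INVENTORY = [
    ("ips-dmz-decrypt", "Jan  1 00:00:00 2019 GMT"),
    ("ips-core-decrypt", "Feb 28 12:00:00 2019 GMT"),
    ("proxy-egress-ca", "Dec 31 23:59:59 2020 GMT"),
    ("ips-lab-decrypt", "not-a-date"),
]

SEVERITY = {"UNPARSEABLE": 0, "EXPIRED": 1, "EXPIRING": 2, "OK": 3}


def audit(inventory, now, warn_days=30):
    """Return (label, status, days_left) tuples, most urgent first."""
    now_ts = now.timestamp()
    findings = []
    for label, not_after in inventory:
        try:
            expires = ssl.cert_time_to_seconds(not_after)
        except ValueError:
            # A date we cannot read is reported as a finding, never skipped:
            # an audit that silently passes bad input fails open as well.
            findings.append((label, "UNPARSEABLE", None))
            continue
        days_left = int((expires - now_ts) // 86400)
        if expires <= now_ts:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((label, status, days_left))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[2] or 0))


def needs_action(findings):
    """True when any certificate is not comfortably valid."""
    return any(status != "OK" for _, status, _ in findings)


if __name__ == "__main__":
    as_of = datetime(2019, 2, 11, tzinfo=timezone.utc)  # date of this post
    for label, status, days in audit(SAMPLE_INVENTORY, as_of):
        print(f"{status:<12}{label:<20}{days}")
```

Run from a scheduler, `needs_action` can drive an alert so an expired inspection certificate is noticed in days rather than months.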


