Why does SSL Inspection matter?

in security •  7 years ago 

SSL Inspection has always been a point of contention between IT and the rest of the organisation.
In an architecture project, the only objection to my design was SSL Inspection and I had to come up with some convincing reasons for it; I then decided to write a brief note on the about Networks! blog, and this Steemit note is a repost of the original post there.

[Image: SSL-Inspection.jpg]

First of all, without SSL Inspection there is basically zero visibility into what is happening inside encrypted traffic such as HTTPS, SMTPS, POP3S, etc. Just imagine an attacker compromising a machine and tunnelling command and control through HTTPS, or an unfortunate employee uploading confidential data to some random cloud service... zero visibility! The proxy or IDS sees the destination address and port, and nothing of the payload.

The second business driver I can think of is Data Loss Prevention: if a breach is detected tomorrow, there is hardly any way to tell what has been lost, because the data left inside encrypted sessions that nobody could see into.

Benefits aside, a noteworthy drawback of SSL Inspection is the administrative overhead: the inspection CA certificate has to be distributed to every node as a trusted root, otherwise every inspected site shows a certificate error. In a directory environment such as Microsoft AD this is not a big deal (Group Policy can push the root), although Linux machines and browsers or applications that keep their own trust store need separate configuration; besides, some applications have to be excluded from inspection, mainly those using Java or their own certificate validation (certificate pinning), since they will simply refuse the re-signed certificate.

Not really a drawback, but the administrators must be accountable and trusted, since they can easily read the intercepted traffic in the clear. This applies not only to the proxy admins but also to mail admins, system admins, etc., which makes it an HR matter as well.
Note that any product that performs a MITM has the opportunity to expose data, and so do its admins.

Here you have to see the tradeoff; I believe the gained visibility is worth it!

Sometimes CxOs might say that SSL is sacred! Yes, it is, but they have to decide how sacred they want SSL to be versus how interested they are in what information might be leaving the environment without authorization, or how much malware command and control (C&C) traffic they are willing to let quietly out via SSL without it being torn open for inspection.

Note that you have to design the network so that all egress web traffic (from both users and servers) is forced through the proxy; the usual way is a firewall rule that denies direct outbound 443 from everything except the proxy itself. Otherwise the whole proxy plan is pointless, because a compromised host or a careless user simply goes around it. Besides, you have to follow some practices:

  • Know the business, its processes and its demands. Every sector has its own limitations or requirements that may rule out inspecting certain traffic.
  • Plan whitelisting (bypass) policies to disable inspection in specific cases where needed, for example banking or healthcare destinations for privacy reasons, and applications that pin their certificates and would break.
  • Know your traffic and the percentage of requests that are encrypted; that is the share the appliance will actually have to decrypt.
  • Make sure the appliance can handle that traffic volume; SSL Inspection means decrypting every connection, inspecting it and re-encrypting it, which costs far more than just forwarding it.
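The three checks above (is anything going around the proxy, what share of egress is encrypted, which destinations get bypassed) are easy to script. Below is an added example, not code from the original post or from any product; the firewall and proxy log formats, the proxy address `10.0.0.5`, the internal ranges and the bypass patterns are all assumptions, and the sample log lines are constructed for the example.

```python
"""
Added example (not from the original post): practitioner checks around an
SSL Inspection rollout, run over constructed sample data.

  1. find egress flows on TLS ports that go around the proxy,
  2. measure what share of proxied requests is encrypted (appliance sizing),
  3. apply a bypass list so excluded destinations are not decrypted.

Log formats, proxy address, internal ranges and bypass list are assumptions.
"""
from collections import Counter
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

PROXY_IP = "10.0.0.5"                                  # assumed inspecting proxy
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
# Ports whose traffic is normally TLS and therefore opaque without inspection.
TLS_PORTS = {443, 465, 993, 995, 8443}

# Constructed firewall log: "src dst dport action" per line.
SAMPLE_FW_LOG = """\
10.1.2.3 10.0.0.5 8080 allow
10.1.2.4 10.0.0.5 8080 allow
10.0.0.5 203.0.113.10 443 allow
10.1.2.9 203.0.113.10 443 allow
10.2.0.7 198.51.100.20 443 allow
10.1.2.3 203.0.113.80 80 allow
10.3.0.1 198.51.100.21 995 allow
10.1.2.3 10.9.9.9 443 allow
"""

# Constructed proxy access log: "client method target"; CONNECT = TLS tunnel.
SAMPLE_PROXY_LOG = """\
10.1.2.3 CONNECT mail.example.com:443
10.1.2.3 GET http://news.example.org/index.html
10.1.2.4 CONNECT bank.example.net:443
10.1.2.5 CONNECT updates.example.com:443
10.1.2.4 GET http://intranet.example.com/
10.1.2.6 CONNECT cdn.example.com:443
"""

# Assumed bypass list: hosts that must not be decrypted (privacy, pinning).
BYPASS_PATTERNS = ["bank.example.net", "*.healthcare.example", "updates.example.com"]


def parse_fw_log(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, action = line.split()
            flows.append({"src": src, "dst": dst, "dport": int(dport), "action": action})
    return flows


def parse_proxy_log(text):
    reqs = []
    for line in text.splitlines():
        if line.strip():
            client, method, target = line.split()
            reqs.append({"client": client, "method": method, "target": target})
    return reqs


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_proxy_bypass(flows, proxy_ip=PROXY_IP):
    """Allowed flows to external hosts on TLS ports that did not go via the proxy.
    The proxy's own outbound connections are legitimate and skipped."""
    return [f for f in flows
            if f["action"] == "allow"
            and f["src"] != proxy_ip and f["dst"] != proxy_ip
            and not is_internal(f["dst"])
            and f["dport"] in TLS_PORTS]


def encrypted_share(reqs):
    """Fraction of proxied requests that are TLS tunnels, i.e. the part the
    appliance would have to decrypt, inspect and re-encrypt."""
    if not reqs:
        return 0.0
    return sum(1 for r in reqs if r["method"] == "CONNECT") / len(reqs)


def inspection_decision(target, patterns=BYPASS_PATTERNS):
    """'bypass' if the CONNECT target host matches the exclusion list, else 'inspect'."""
    host = target.rsplit(":", 1)[0].lower()
    return "bypass" if any(fnmatch(host, p.lower()) for p in patterns) else "inspect"


def inspection_plan(reqs, patterns=BYPASS_PATTERNS):
    """How many TLS tunnels would be decrypted versus left alone."""
    return dict(Counter(inspection_decision(r["target"], patterns)
                        for r in reqs if r["method"] == "CONNECT"))


if __name__ == "__main__":
    for f in find_proxy_bypass(parse_fw_log(SAMPLE_FW_LOG)):
        print(f"direct TLS egress bypassing proxy: {f['src']} -> {f['dst']}:{f['dport']}")
    reqs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print(f"encrypted share of proxied requests: {encrypted_share(reqs):.0%}")
    print("inspection plan:", inspection_plan(reqs))
```

The bypass check uses the firewall log rather than the proxy log on purpose: once everything is forced through the proxy, the firewall only sees the proxy talking out, so any other internal host reaching port 443 externally is exactly the hole the post warns about. The encrypted share, on the other hand, has to come from the proxy log, since the firewall cannot tell a CONNECT tunnel from a plain request inside the proxy session.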

P.S. Yes, my drawing skills are awful! :)

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.linkedin.com/pulse/why-ssl-inspection-needed-mohammad-moghaddas?articleId=6157873334999670784