Educause Security Discussion mailing list archives
Re: Inspecting encrypted traffic
From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 19 Jan 2016 22:11:21 +0000
Hi John,

Jim Cheetham provided sage advice on this front. Performing full packet inspection (selectively decrypted or not) is typically infeasible or ineffective at scale. The decryption advertised by PA (or anybody else) is only for encrypted streams where you have the means to terminate the connection at the perimeter, inspect it, then re-encrypt and send it down the wire (in other words, it will only work for services you directly administrate). You would likely benefit far more by focusing on the collection and analysis of connection data (netflows), not what is actually in the packets. We use Argus (http://qosient.com/argus/), but it looks like PAs have some netflow functionality built in. You might also check out Bro (https://www.bro.org), which is well established in the Hi-Ed community.

Good luck and please keep us posted.

Best,
Alex

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650) 736-6421

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John LaPrad
Sent: Tuesday, January 19, 2016 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Inspecting encrypted traffic

Hello all,

I'm looking into the possibility of decrypting and inspecting encrypted traffic to and from the Internet for viruses, malware, etc. Is anyone doing this? We have Palo Alto firewalls and they support decryption, inspection, re-encryption. I'm concerned about privacy issues, could it impact compliance in any way, user acceptance. I appreciate any feedback.

Thanks in advance for your time;

John LaPrad
Manager of Technical Services
Saginaw Valley State University
Phone: 989-964-7134
jrl () svsu edu
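The connection-data approach Alex recommends, as an added illustration that is not part of the thread or of Argus/Bro: two detections that need no payload decryption, run over a constructed set of flow records in the column layout of `ra -s stime,proto,saddr,sport,daddr,dport,sbytes,dbytes` (field layout and all addresses are assumed sample values). It flags near-constant-interval connections to one external host:port (beaconing) and unusually large outbound byte counts, both visible from metadata even when the stream is TLS.

```python
"""Detections over netflow-style connection records, without decrypting payloads."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (epoch seconds, proto, src, sport, dst, dport, bytes out, bytes in).
# Column order mirrors an assumed `ra -s ...` selection; values are made up for this example.
SAMPLE_FLOWS = """\
1453240800,tcp,10.1.2.3,51000,203.0.113.10,443,900,1200
1453240860,tcp,10.1.2.3,51001,203.0.113.10,443,910,1190
1453240920,tcp,10.1.2.3,51002,203.0.113.10,443,905,1210
1453240980,tcp,10.1.2.3,51003,203.0.113.10,443,898,1205
1453241040,tcp,10.1.2.3,51004,203.0.113.10,443,902,1195
1453240805,tcp,10.1.2.4,52000,198.51.100.7,443,5000,200000
1453241100,tcp,10.1.2.5,53000,192.0.2.9,443,80000000,4000
1453241500,tcp,10.1.2.4,52001,198.51.100.8,8443,300,400
"""


def parse_flows(text):
    """Turn comma-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stime, proto, saddr, sport, daddr, dport, sbytes, dbytes = line.split(",")
        flows.append({"stime": int(stime), "proto": proto, "saddr": saddr, "sport": int(sport),
                      "daddr": daddr, "dport": int(dport), "sbytes": int(sbytes), "dbytes": int(dbytes)})
    return flows


def find_beacons(flows, min_count=5, max_jitter=5.0):
    """(src, dst, dport) tuples with >= min_count flows whose inter-arrival gaps barely vary.

    Returns [((saddr, daddr, dport), mean_gap_seconds), ...]."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["saddr"], f["daddr"], f["dport"])].append(f["stime"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # regular timing is the tell, not the content
            hits.append((pair, round(mean(gaps))))
    return hits


def find_large_uploads(flows, threshold_bytes=50_000_000):
    """Flows whose outbound byte count exceeds the threshold (possible bulk exfiltration)."""
    return [(f["saddr"], f["daddr"], f["sbytes"]) for f in flows if f["sbytes"] >= threshold_bytes]
```

Thresholds are starting points; tune `min_count`, `max_jitter` and `threshold_bytes` against a baseline of your own campus traffic before alerting on them.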
Current thread:
- Inspecting encrypted traffic John LaPrad (Jan 19)
- Re: Inspecting encrypted traffic Jim Cheetham (Jan 19)
- Re: Inspecting encrypted traffic Alex Keller (Jan 19)
- Re: Inspecting encrypted traffic John LaPrad (Jan 19)
- Re: Inspecting encrypted traffic Brian Epstein (Jan 19)
- Re: Inspecting encrypted traffic John LaPrad (Jan 20)
- Re: Inspecting encrypted traffic Angelo Rodriguez (Jan 20)
- Re: Inspecting encrypted traffic Jim Cheetham (Jan 20)
- Re: Inspecting encrypted traffic Dexter Caldwell (Jan 20)
- Re: Inspecting encrypted traffic Dexter Caldwell (Jan 20)
- Re: Inspecting encrypted traffic Nathaniel Hall (Jan 20)
- Re: Inspecting encrypted traffic John LaPrad (Jan 20)
- Re: Inspecting encrypted traffic Brian Epstein (Jan 20)
- Re: Inspecting encrypted traffic John LaPrad (Jan 21)