Re: Securing Greenfield Service Provider Clients

[Curtis, Bruce via NANOG]

If you search for this phrase 

        During 2020 more than fifty percent of new malware campaigns will use 
various forms of encryption and obfuscation to conceal delivery, and to conceal 
ongoing communications, including data exfiltration.

you will find lots of vendors of decryption have the phrase from Gartner 
mentioned prominently on their web site.


I don’t think TLS decryption would be viable in our university environment.

Your email address indicates that you are in a government environment and if so 
you might have more control over devices and could have a better chance of 
making decryption work.
On the other hand if you have more control over devices a better choice might 
be to spend your resources on implementing whitelisting rather than decryption.

Keep in mind that if you implement decryption your decryption device is in 
scope for PCI and subject to the various PCI duding and logging requirements.



Attackers abuse Google DNS over HTTPS to download malware

https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/


More general and as focused on decryption but I recommend you watch these 
sessions from RSA conferences.

https://www.youtube.com/watch?v=d90Ov6QM1jE

https://www.youtube.com/watch?v=qzI-N0p9hFk


And also the NIST draft on Zero Trust Architecture.  The document is mainly 
about Zero Trust but does briefly mention decryption.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

https://csrc.nist.gov/publications/detail/sp/800-207/final




> On Oct 9, 2020, at 2:09 PM, Christopher J. Wolff <cjwo...@nola.gov> wrote:
> 
> Dear Nanog;
>  
> Hope everyone is getting ready for a good weekend.  I’m working on a 
> greenfield service provider network and I’m running into a security 
> challenge.  I hope the great minds here can help.
>  
> Since the majority of traffic is SSL/TLS, encrypted malicious content can 
> pass through even an “NGFW” device without detection and classification.
>  
> Without setting up SSL encrypt/decrypt through a MITM setup and handing 
> certificates out to every client, is there any other software/hardware that 
> can perform DPI and/or ssl analysis so I can prevent encrypted malicious 
> content from being downloaded to my users?
>  
> Have experience with Palo and Firepower but even these need the MITM 
> approach.  I appreciate any advice anyone can provide.
>  
> Best,
> CJ

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu