You know why I want to do SSL inspection? So that my current IPS/AV-enabled UTM firewall works on 99+% of the traffic it sees (both inbound and outbound) instead of roughly 75% to 80%. We are replacing it soon with hardware that will be capable of handling the increased load. I'm with you on the technology -vs- behavior issue, but our use case has very little to do with behavior and everything to do with defense.
On Tue, Oct 14, 2014 at 3:27 PM, Kennedy, Jim <[email protected]> wrote:

> SSL Inspection is not simple. You are basically going to use your filter to pull off a man in the middle attack on your desktops. So every client will have to have a cert from that filter that trusts your filter. So the Windows boxes in your domain will be easy. But iPhones, Androids, Chromebooks and BYOD will have to download that cert and install it and trust it.
>
> Double check the Windows CA cert idea, many filters won't take them for SSL inspection... they will only work with their own self generated cert.
>
> Remind the powers that be that YouTube blocking is not a CIPA/E-rate requirement. So the blocking must be a behavior issue: the students are sucking up your bandwidth, or they are goofing off. Those are behavioral issues that are seldom solved by technology. And that their attempt to solve it via technology is going to create a nightmare, for them. You too, but they will be more concerned about their nightmare.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Matthew W. Ross
> *Sent:* Tuesday, October 14, 2014 3:17 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Windows CA Server
>
> Short answer: We don't _need_ this. Not yet, anyways.
>
> Slightly longer answer: The powers that be are asking for me to block YouTube for some students, allow YouTube for Schools for the rest, and unfiltered YouTube for staff. It's possible with our current filter, but the way to get the best results (including https:// access to YouTube, which is often the default) is to have SSL inspection.
>
> I'd like to have SSL inspection anyways, as many sites are going to SSL/TLS encryption anyways... some without the option for regular http access... The only other option is to configure a proxy instead of the current transparent proxy setup we have now. We have done that in the past, with mixed results.
>
> The various responses I've received so far have halted my test deployment, as I'm now trying to fully understand the enormity of this. I'm a fan of keeping it simple, so we will wait and see what solution works best for us.
>
> --Matt Ross
> Ephrata School District
>
> Brian Desmond <[email protected]>, 10/14/2014 9:00 AM:
>
> *I'd ask the question of why you need a CA for this?*
>
> *Thanks,*
> *Brian Desmond*
> *[email protected]*
> *w – 312.625.1438 | c – 312.731.3132*
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Matthew W. Ross
> *Sent:* Monday, October 13, 2014 5:58 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] Windows CA Server
>
> We have been happily getting by without doing SSL inspection on our content filter. Now, it seems that we may need to take that next step.
>
> I'm making a Windows CA server on our VMware cluster now.
>
> Before I get too deep, any "gotchas" I should be looking for? Looking into this, it looks like I might be diving right into the deep end. Time for a lot of reading...
>
> --Matt Ross
> Ephrata School District
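A client-side check for the deployment Jim describes above (is this connection being re-signed by the expected filter CA, and has that CA actually been installed in the client's trust store), added here as an example; it is not code from the thread or from any filter product. The CA name "Ephrata Filter CA" and the two certificate dictionaries are constructed, and everything uses only the Python standard library.

```python
import socket
import ssl

# Assumed common name of the filter's inspection CA; substitute your own.
EXPECTED_INSPECTION_CA = "Ephrata Filter CA"


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the nested
    tuple-of-tuples ssl.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify(peercert, expected_ca=EXPECTED_INSPECTION_CA):
    """'inspected' when the leaf was issued by the expected filter CA;
    otherwise 'not-inspected' (either the real site's chain, or re-signing
    by some other party: compare with the site's known public issuer)."""
    issuer_cn = rdn_value(peercert.get("issuer", ()), "commonName")
    return "inspected" if issuer_cn == expected_ca else "not-inspected"


def filter_ca_trusted(ca_cn=EXPECTED_INSPECTION_CA):
    """True if a CA with this common name is in the client's default trust
    store, i.e. the 'download, install and trust it' step has been done."""
    ctx = ssl.create_default_context()
    return any(rdn_value(c.get("subject", ()), "commonName") == ca_cn
               for c in ctx.get_ca_certs())


def probe(host, port=443, timeout=5):
    """Live check: a handshake failure means this client does not trust the
    filter CA; success reports whether inspection is in the path."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())


# Constructed sample values in getpeercert() format, not captured data.
INSPECTED_CERT = {"subject": ((("commonName", "www.youtube.com"),),),
                  "issuer": ((("organizationName", "Ephrata School District"),),
                             (("commonName", "Ephrata Filter CA"),))}
PUBLIC_CERT = {"subject": ((("commonName", "www.youtube.com"),),),
               "issuer": ((("organizationName", "Example CA Inc"),),
                          (("commonName", "Example Public CA"),))}
```

Run `probe("www.youtube.com")` from a Windows box, an iPhone-equivalent test client and a BYOD device to see which of them fails the handshake before rolling inspection out; note that on systems whose trust store is an OpenSSL capath directory, `get_ca_certs()` only lists certificates that have already been used in a verification, so `filter_ca_trusted()` can under-report there.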

