SSL decryption with ASA FirePOWER

Started by Dieselboy, May 31, 2017, 07:21:10 AM


deanwebb

It's not just Fin-Med-Gov-Oil that will want to shut down this sort of thing. We're dealing with highly sophisticated attackers targeting *everyone*, with the targets still thinking that a firewall takes care of everything.

Make an exception, that's where the action of bad actors will go. Get systems that can be used - without exception - and you have something better to work with. The problem will be in all the people asking for exceptions, all of which will present a valid business reason for the exception. Any one of those people asking for the exception can be an inside guy who sees this exception as his or her open door.

We go back to the guys getting exceptions for Microsoft and Google and Apple... and then other vendors... and then we get to someone that says there's a VPN that needs to be open for an outside partner and the cert won't work with the SSL man in the middle you have running... do we check to see if it actually breaks, or do we just take the guy's word at face value and make exception number 145?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
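One way to turn "do we check, or do we take the guy's word" into a routine check is to audit the decryption bypass list against what actually crossed the proxy. This is an added example, not code from this post or from any vendor; the exception entries, log rows, thresholds and review date are all constructed.

```python
from datetime import date
from fnmatch import fnmatch

# Constructed exception list: (SNI pattern, owner, stated reason, date granted).
EXCEPTIONS = [
    ("update.microsoft.com", "desktop", "Windows Update breaks under MITM", date(2017, 1, 10)),
    ("*.apple.com", "desktop", "macOS updates", date(2017, 1, 12)),
    ("vpn.partner.example", "projects", "partner VPN, pinned cert", date(2017, 5, 3)),
    ("*.cloudfront.net", "finance", "accounting SaaS CDN", date(2017, 5, 20)),
]

# Constructed proxy log of bypassed (undecrypted) flows: (date, client, SNI, bytes out).
LOG = [
    (date(2017, 6, 1), "10.1.1.20", "update.microsoft.com", 4_000),
    (date(2017, 6, 2), "10.1.1.21", "swcdn.apple.com", 9_000),
    (date(2017, 6, 2), "10.1.1.21", "gsp.apple.com", 1_000),
    (date(2017, 6, 5), "10.1.1.30", "d1abc.cloudfront.net", 2_000),
    (date(2017, 6, 5), "10.1.1.31", "d2xyz.cloudfront.net", 2_000),
    (date(2017, 6, 6), "10.1.1.32", "d3qrs.cloudfront.net", 2_000),
    (date(2017, 6, 7), "10.1.1.33", "d4tuv.cloudfront.net", 2_000),
    (date(2017, 6, 20), "10.1.1.40", "d5wxy.cloudfront.net", 60_000_000),
]

REVIEW_DATE = date(2017, 6, 21)  # constructed "today" for the audit run


def audit(exceptions, log, today, stale_days=30, max_hosts=3, egress_limit=50_000_000):
    """Return per-pattern findings: unused, too-broad, or heavy-egress."""
    findings = {}
    for pattern, owner, reason, granted in exceptions:
        hits = [row for row in log if fnmatch(row[2], pattern)]
        hosts = {row[2] for row in hits}
        flags = []
        # 1. Nobody used it: the "it breaks without this" claim was never exercised.
        if not hits and (today - granted).days > stale_days:
            flags.append("unused")
        # 2. One stated reason, many distinct hosts: the wildcard is wider than the reason.
        if len(hosts) > max_hosts:
            flags.append("too-broad")
        # 3. Large outbound volume through the blind spot the exception created.
        if any(row[3] > egress_limit for row in hits):
            flags.append("heavy-egress")
        findings[pattern] = {"owner": owner, "reason": reason,
                             "hosts": sorted(hosts), "flags": flags}
    return findings


if __name__ == "__main__":
    for pattern, f in audit(EXCEPTIONS, LOG, REVIEW_DATE).items():
        print(f"{pattern:24} {f['owner']:9} {','.join(f['flags']) or 'ok'}")
```

Unused entries are candidates for removal, and too-broad or heavy-egress entries are the ones to revisit with their owner before exception number 145 gets granted.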

Otanx

100% agree. Everyone is being attacked. I just think that outside of a few sectors the overhead of all the exceptions, the politics and legal concerns of spying on employees will make this all look too hard.

-Otanx

wintermute000

Like micro-segmentation took over from intra-zone firewalls, an endpoint-based approach will probably take over IMO. I'm also curious how ZScaler etc. do it.

Dieselboy


deanwebb

Quote from: Dieselboy on June 21, 2017, 08:06:47 AM
I'm looking at NAC  :mrgreen: :XD:

This is pertinent to my interests.

It's been on my list of things to implement since I started this job years ago. It came up in a meeting this week. I've not been able to do much as I've been labbing BitLocker and FileVault. I'm about done with that. Hope it never gives me problems!

Otanx

As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics". See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

deanwebb

Quote from: Otanx on June 21, 2017, 09:15:39 AM
As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics". See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

I'm thinking... netflow...

Dieselboy

Quote from: Otanx on June 21, 2017, 09:15:39 AM
As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics". See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

Nice! That's good stats!

To add on to this thread, I've now been given the go ahead to buy something like FirePOWER for our remote office (didn't even need to do the POC funny route-map - yay!).

Should I be looking at something else other than FirePOWER? I've seen it bagged often.

deanwebb


wintermute000

If his boss cringes at the cost of Riverbed support, wait till he sees a Palo BOM.


mlan

Quote from: wintermute000 on June 23, 2017, 06:06:17 PM
If his boss cringes at the cost of Riverbed support, wait till he sees a Palo BOM.

Haha, $_$

Dieselboy

I've never even touched a Palo unit but I am keen to!

I'm still working out a BoM for our remote office but it looks like an ASA 5506 would probably do the job. Cisco have mentioned their new 2100 firewalls, which I know nothing about.

Would someone mind sharing a Palo model number to get me started with research?

Dieselboy

Quote from: wintermute000 on June 23, 2017, 06:06:17 PM
If his boss cringes at the cost of Riverbed support, wait till he sees a Palo BOM.

Sent from my Pixel C using Tapatalk

It's not so much the cost, but their support was crap last year. One guy said to me he didn't know how to help me as he didn't know about the feature. In contrast, another vendor is about 30% of the cost and smashes them with their engineers' knowledge and support ethic. Obviously not Cisco.

wintermute000

Yeah, Palo support is rubbish.

The vendor you're talking about, wouldn't happen to start with F would it?

30% of the cost can't be Check Point, ROFL.

LynK

Really?

I have had about 17 TAC calls in the past 3 months, all of which have been very knowledgeable and very helpful. Between the weird issues and this project's bizarre requirements, they have been very good (8/10).

The issue with outbound decryption is their list is great for ~60-70% of the stuff, but it is the weird crap that gets you (looking at you, Adobe).
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"