SSL decryption with ASA FirePOWER

deanwebb · June 08, 2017, 03:04:34 PM

It's not just Fin-Med-Gov-Oil that will want to shut down this sort of thing. We're dealing with highly sophisticated attackers targeting *everyone*, with the targets still thinking that a firewall takes care of everything.

Make an exception, that's where the action of bad actors will go. Get systems that can be used - without exception - and you have something better to work with. The problem will be in all the people asking for exceptions, all of which will present a valid business reason for the exception. Any one of those people asking for the exception can be an inside guy who sees this exception as his or her open door.

We go back to the guys getting exceptions for Microsoft and Google and Apple... and then other vendors... and then we get to someone that says there's a VPN that needs to be open for an outside partner and the cert won't work with the SSL man in the middle you have running... do we check to see if it actually breaks, or do we just take the guy's word at face value and make exception number 145?

Otanx · June 08, 2017, 04:54:29 PM

100% agree. Everyone is being attacked. I just think that outside of a few sectors the overhead of all the exceptions, the politics and legal concerns of spying on employees will make this all look too hard.

-Otanx

wintermute000 · June 08, 2017, 05:06:35 PM

Like Micro segmentation took over from intra zone firewalls, and endpoint based approach will probably take over IMO. I'm also curious how ZScaler etc do it.

Dieselboy · June 21, 2017, 08:06:47 AM

I'm looking at NAC

deanwebb · June 21, 2017, 08:15:31 AM

Quote from: Dieselboy on June 21, 2017, 08:06:47 AM
I'm looking at NAC

This is pertinent to my interests.

It's been on my list of things to implement since I started this job years ago.. Came up in a meeting this week. I've not been able to do much as I've been labbing bitlocker and filevault. I'm about done with that. Hope it never gives me problems!

Otanx · June 21, 2017, 09:15:39 AM

As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics" See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

deanwebb · June 21, 2017, 10:15:34 AM

Quote from: Otanx on June 21, 2017, 09:15:39 AM
As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics" See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

I'm thinking... netflow...

Dieselboy · June 22, 2017, 10:56:12 PM

Quote from: Otanx on June 21, 2017, 09:15:39 AM
As part of Cisco's big release yesterday they announced a new "Encrypted Traffic Analytics" See the link below. I think I have to admit defeat, and interception is dying.

https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1854555

-Otanx

Nice! That's good stats!

To add on to this thread, I've now been given the go ahead to buy something like FirePOWER for our remote office (didn't even need to do the POC funny route-map - yay!).

Should I be looking at something else other than firepower? I've seen it bagged often.

deanwebb · June 23, 2017, 10:48:55 AM

Palo Alto.

wintermute000 · June 23, 2017, 06:06:17 PM

If his boss cringes at the cost of riverbed support wait till he sees a Palo BOM

Sent from my Pixel C using Tapatalk

mlan · June 26, 2017, 03:03:53 PM

Quote from: wintermute000 on June 23, 2017, 06:06:17 PM
If his boss cringes at the cost of riverbed support wait till he sees a Palo BOM

Haha, $_$

Dieselboy · June 27, 2017, 03:15:42 AM

I've never even touched a Palo unit but I am keen to!

I'm still working out a BoM for our remote office but looks like a ASA 5506 would probably do the job. Cisco have mentioned their new 2100 firewalls which I know nothing about.

Would someone mind if they please share a Palo model number to get me started with research?

Dieselboy · June 27, 2017, 05:51:56 AM

Quote from: wintermute000 on June 23, 2017, 06:06:17 PM
If his boss cringes at the cost of riverbed support wait till he sees a Palo BOM

Sent from my Pixel C using Tapatalk

It's not so much the cost, but their support has been crap last year. One guy said to me he didn't know how to help me as he didn't know about the feature. In contrast, for another vendor they're about 30% of the cost and smash them with their engineers knowledge and support ethic. Obviously not Cisco.

wintermute000 · June 27, 2017, 06:12:28 AM

yeah palo support is rubbish.

The vendor you're talking about, wouldn't happen to start with F would it?

30% of the cost can't be checkpoint ROFL.

LynK · June 29, 2017, 02:10:35 PM

really?

I have had about 17 TAC calls in the past 3 months, all of which have been very knowledgeable, and very helpful. Between the weird issues, and this projects bizarre requirements we have needed they have been very good (8/10).

The issue with outbound decryption is their list is great for ~60-70% of the stuff, but it is the weird crap that gets you (looking at you adobe)