Re: Securing Greenfield Service Provider Clients

[Jared Geiger <jared () compuwizz net>]

DNS filtering might be an easier option to get most of the bad stuff with
services like 9.9.9.9 and 1.1.1.2. Paid options like dnsfilter.com will
give you better control. Cloudflare Gateway might also be an option.

On Fri, Oct 9, 2020 at 12:29 PM Christopher J. Wolff <cjwolff () nola gov>
wrote:

> Dear Nanog;
>
>
>
> Hope everyone is getting ready for a good weekend.  I’m working on a
> greenfield service provider network and I’m running into a security
> challenge.  I hope the great minds here can help.
>
>
>
> Since the majority of traffic is SSL/TLS, encrypted malicious content can
> pass through even an “NGFW” device without detection and classification.
>
>
>
> Without setting up SSL encrypt/decrypt through a MITM setup and handing
> certificates out to every client, is there any other software/hardware that
> can perform DPI and/or ssl analysis so I can prevent encrypted malicious
> content from being downloaded to my users?
>
>
>
> Have experience with Palo and Firepower but even these need the MITM
> approach.  I appreciate any advice anyone can provide.
>
>
>
> Best,
>
> CJ