Extra Credit: DPI-SSL
Ten years ago, most internet traffic was “clear text,” with SSL-encrypted traffic reserved for shopping, banking, and the like. Today, nearly all traffic is encrypted. Since ignoring that traffic is not an option, setting up encrypted-traffic scanning is imperative. DPI-SSL is tricky to deploy at the endpoints, and processor- and memory-intensive in the firewall. Because of this overhead, you’ll generally have to move up at least one notch in firewall performance beyond what you’d otherwise need. But working without it is like installing a screen door on your submarine.
DPI-SSL technologies scan SSL traffic by performing a kind of “man-in-the-middle attack”: the firewall decrypts the traffic, scans it, and then re-encrypts it for delivery. If you had any question about why this is so processor- and memory-intensive in the firewall, now you know.
Because the certificate the client receives no longer comes from the original source but from the firewall, you also need to update the Windows certificate store to trust the firewall’s certificates, which means working in Active Directory to create group policy objects, and touching applications such as Firefox and others that don’t use that store. Some apps with “pinned certificates,” such as Dropbox, must be excluded from inspection. The bottom line is that implementing DPI-SSL is both a pain and painfully necessary.
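As an added illustration (not from the article, and not SonicWall’s own tooling), the following POSIX shell script uses the openssl command line to build a toy PKI and walk through exactly what the two preceding paragraphs describe: an “origin” CA and server certificate stand in for the real site, a “firewall” CA re-signs a certificate with the same name, and two checks show why the firewall CA has to be pushed into the client trust store and why certificate-pinned applications can never be satisfied by it. It assumes only that `openssl` (1.1.1 or later) is on the PATH; every CA name, hostname, file name and key is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a small openssl walk-through of what a
# DPI-SSL firewall does to a server certificate and why the two client-side
# chores (trusting the firewall CA, excluding pinned apps) follow from it.
# Every name, path and certificate here is constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Quiet wrapper so keygen/signing chatter does not clutter the output.
q() { "$@" >/dev/null 2>&1; }

# Build a toy PKI: an "origin" CA (standing in for a public CA the client
# already trusts), the server's real certificate, a "firewall" CA, and the
# re-signed certificate the firewall would hand the client after decrypting
# and re-encrypting the session.
setup_demo() {
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Origin CA" -keyout "$WORK/origin-ca.key" -out "$WORK/origin-ca.crt"
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Firewall DPI-SSL CA" -keyout "$WORK/fw-ca.key" -out "$WORK/fw-ca.crt"

  # Origin server key + CSR, signed by the origin CA: what the server really sends.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr"
  q openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/origin-ca.crt" -CAkey "$WORK/origin-ca.key" -CAcreateserial \
    -out "$WORK/server-origin.crt"

  # Firewall re-signs: same subject name, but a key pair the firewall holds,
  # signed by the firewall CA. The client never sees the origin certificate.
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/fw-server.key" -out "$WORK/fw-server.csr"
  q openssl x509 -req -days 30 -in "$WORK/fw-server.csr" \
    -CA "$WORK/fw-ca.crt" -CAkey "$WORK/fw-ca.key" -CAcreateserial \
    -out "$WORK/server-resigned.crt"
}

# verify_chain CERT CAFILE -> "ok" or "fail": does CERT chain to CAFILE?
# CAFILE plays the role of the client's trust store.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# spki_pin CERT -> base64(SHA-256(SubjectPublicKeyInfo)), the usual pin format.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# pin_matches CERT EXPECTED_PIN -> "match" or "mismatch"
pin_matches() {
  if [ "$(spki_pin "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

main() {
  setup_demo
  echo "Trust store = origin CA only (no GPO-pushed firewall CA):"
  echo "  origin cert:    $(verify_chain "$WORK/server-origin.crt"   "$WORK/origin-ca.crt")"
  echo "  re-signed cert: $(verify_chain "$WORK/server-resigned.crt" "$WORK/origin-ca.crt")"
  echo "Trust store = firewall CA (after the certificate is deployed to clients):"
  echo "  re-signed cert: $(verify_chain "$WORK/server-resigned.crt" "$WORK/fw-ca.crt")"

  # A pinned application stores the origin's SPKI hash and ignores the trust
  # store, so even a trusted firewall CA cannot satisfy it. That is why such
  # apps have to be excluded from inspection rather than "fixed" with a GPO.
  pin=$(spki_pin "$WORK/server-origin.crt")
  echo "Pinned app expecting origin SPKI $pin:"
  echo "  origin cert:    $(pin_matches "$WORK/server-origin.crt"   "$pin")"
  echo "  re-signed cert: $(pin_matches "$WORK/server-resigned.crt" "$pin")"
}

main
```

The first two `verify_chain` calls are the situation on a workstation that has not received the firewall CA: the real certificate verifies, the re-signed one does not, which is the browser warning users see when the trust store has not been updated. The third call is the state after the CA has been distributed through group policy. The pin check is the general form of what a pinned client such as Dropbox does, and it shows that no trust-store change can make an intercepted session acceptable to it; the only workable answer is an exclusion on the firewall.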
Closing the Loop
You are ultimately responsible for securing your clients’ networks. This usually begins at the firewall and should start with a client interview. Using that information, you’ll configure the basics of LAN/WAN setup, DPI scanning, wireless security, SSL VPN connectivity, and one-time password functionality, as well as content, GeoIP, and botnet filtering. And don’t forget to turn on the heuristic scanning capabilities of your firewall to go beyond signature-based scans. To fully close the loop, you’ll need to deploy DPI-SSL to scan your encrypted traffic as well. Lots to do, so better get going.
JOSHUA LIBERMAN is president of Net Sciences Inc., a midsize network support firm offering systems integration and MSP services throughout New Mexico.
Image: SonicWall TZ Series