(no title)
dobin | 2 years ago
* Data leakage policy (DLP; insider threat, data exfiltration)
* Malware scanning
* Domain blocking (Gambling, Malware)
* Other detection mechanisms (C2)
* Logging and auditing for forensic investigations
* Hunting generally
I dont see how this breaks security, and of course you also didnt elaborate on why it should be. Assumed TLS MitM is implemented reasonably correctly.
Dont worry tho, zero trust will expose the company laptops again to all the malicious shit out there.
acdha|2 years ago
You’re training users to ignore certificate errors – yes, even if you think you’re not – and you’re putting in a critical piece of infrastructure which is now able to view or forge traffic everywhere. Every vendor has a history of security vulnerabilities and you also need to put in robust administrative controls very few places are actually competent enough to implement, or now you have the risk that your security operators are one phish or act of malice away from damaging the company (better hope nobody in security is ever part of a harassment claim).
On the plus side, they’re only marginally effective at the sales points you mentioned. They’ll stop the sales guys from hitting sports betting sites, but attackers have been routinely bypassing these systems since the turn of the century so much of what you’re doing is taking on one of the most expensive challenges in the field to stop the least sophisticated attackers.
If you’re concerned about things like DLP, you should be focused on things like sandboxing and fine-grained access control long before doing SSL interception.
ta1243|2 years ago
ngrilly|2 years ago
Doing this breaks the end-to-end encryption and mutual authentication that is the key benefit of modern cryptography. The security measures implemented in modern web browsers are significantly more advanced and up-to-date than what systems like Zscaler are offering, for example in terms of rejecting deprecated protocols, or enabling better and more secure protocols like QUIC. By using something like Zscaler, you're introducing a single point of failure and a high value target for hackers.
unethical_ban|2 years ago
A competent org and good mitm device will have trusted internal root certs on all endpoints, so cert errors are not a problem. The proxy can be set to passthrough or block sites with cert errors (expired, invalid), so there isn't any "bad habits training" of users clicking through cert errors. Several vendors today support TLS 1.3 decryption.
I don't know what you mean by SPOF for a proxy: they are no more a SPOF than any properly redundant network hop.
A proxy doesn't break encryption. Endpoints trust the mitm.
Now, I think that someday the protocols of the web such as quic will get so locked down that the only feasible threat prevention will be heuristic analysis of network traffic, and running all threat scanning on endpoints (with some future OS that has secure methods of stopping malicious network or executables before said traffic leaves some quarantine).
I'm a network guy, not an endpoint guy.
Bluecobra|2 years ago
Not everyone in a company is savvy or hard at work. Randy in accounting might spend spend an hour or more a day browsing the internet and scooping up ads and be enticed to download something to help speed up their PC which turns out to be ransomware.
fsniper|2 years ago
Is MITM ever the answer?
Stealing a valid communication channel and identity theft of remote servers is in fact break basic internet security practices.