Configuring decryption, some gray categories and experiences

L2 Linker

So I guess I'm just curious what the overall opinion of multiple people is regarding decryption and how well they take into account local laws, etc.
I get that decrypting traffic can be a major step up in security and basically unlocks a lot of potential in a shiny, expensive new firewall. However, there's always of course some debate.

So, baseline:

I live in a region where we can decrypt traffic (but the user has to have a disclaimer somewhere that his traffic can/will be decrypted), apart from certain types of traffic we can't decrypt:

financial (due to personal bank account and whatnot)
government (due to private info like an equivalent of social security number, passport ID, etc.)
health and medicine (due to personal medical records, info, etc.)

Fairly straightforward. However, upon inspecting all possible Palo Alto web categories, there are 2 which may be somewhat of a gray area:

stock advice and tools (stock advice not so much; however, tools I understand as apps to buy/trade stocks, etc. I checked one site I use myself for stock trades; however, that one is classified as financial. I'm however not confident that the URL category for every stock trading tool would be classified as financial.)

cryptocurrency (same as the tools. It's basically a subcategory of financial for me... I checked with sites like Coinbase, Bittrex, etc.; that's cryptocurrency)

Finding the above then got me thinking: do any of you manage/configure a firewall in a region with similar policies? And if so, what do you do?

Do you opt to decrypt a bit too much rather than take the safe route and decrypt less?

Regarding legal, what do you think your responsibility is? E.g., inform the end customer/company that there are limitations but let their legal decide (apart from a blatantly illegal request like "yes, decrypt financial as well for us"), or do somewhat intense research yourself?

Have any of you ever gotten in trouble or been addressed regarding a decryption policy you set up, or gave the instruction to set up?

What's your opinion on this?

1 REPLY

L4 Transporter

I can't answer most of your questions, but you may inform the users if they are being decrypted by using the Opt Out page: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLQCA0

Also, it is better not to decrypt financial and healthcare.

Another piece of advice is to use Geolocation to control from which region what to decrypt, as they have different requirements: https://live.paloaltonetworks.com/t5/blogs/geolocation-and-geoblocking/ba-p/315433

Even for sites you don't decrypt, use a decryption profile to block bad SSL certs and so on:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/no-decrypti...

A final note: SSL decryption is heavy and you may need to optimize by, for example, configuring the emulated cert key to be max 1024; this will make SSL decryption less stressful, but do this if needed.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificate-management/configure-the-key-s...

Also, for issues with SSL handshakes:

https://live.paloaltonetworks.com/t5/general-topics/seeing-user-data-by-pcap-and-ssl-decryption/td-p...

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/enhanced-ssl-d...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS
