Anyone doing full SSL decryption and inspection on their network?


Peter Mancer

Oct 31, 2016, 7:15:36 PM
to Techies for schools
Hello

I'm doing some consulting work for a school that is considering full SSL decryption and inspection.  I'm interested to know if any schools are doing this and if so what they are using and the issues that they had implementing it.

Thanks


Peter

Keith Craig

Oct 31, 2016, 7:42:24 PM
to techies-f...@googlegroups.com
We were running this for a while. It gives you much better visibility of traffic going through the system - for instance differentiating different Google services. However you need to set up intermediate certificates on the clients so that the filtering system can decrypt the packets. There is also a lot more processing load on the filter appliance.
We decided in the end that the extra visibility was not worth the extra work.
We are running ContentKeeper for our filtering. They are based in Canberra so it is easy to get hold of them for support.

Keith Craig
Systems Administrator
Dilworth School

Patrick Dunford

Oct 31, 2016, 9:23:49 PM
to techies-f...@googlegroups.com

Any particular system you are planning to use?

We found issues with N4L's system and I would have difficulty recommending it.

Peter Mancer

Oct 31, 2016, 9:41:17 PM
to Techies for schools
Keith

Thanks for this.  My recommendation would have agreed with your experiences, but it is always good to have a real school experience to refer to.  Possibly if we limit it to the primary campus, which currently only uses school-owned devices, that would reduce the challenges of certificate installation.

Kind regards 


Peter

Peter Mancer

Oct 31, 2016, 9:47:43 PM
to Techies for schools
Patrick

The school has a Watchguard firewall that will need to be replaced with a much gruntier (and expensive) model if this is to be implemented.  I would have considered a FortiGate as an option as well.  Thanks for your feedback on the N4L system.  We have not considered this as I have yet to find a school on a 500Mbps connection that is using their filtering without severe performance degradation through the proxy.  If there is one out there, I would love to hear from them.

Kind regards


Peter



Gerard MacManus

Oct 31, 2016, 10:02:33 PM
to techies-f...@googlegroups.com
Question: What do you consider severe performance degradation through the N4L filtering proxy?

Gerard


Tracy Briscoe

Oct 31, 2016, 10:46:30 PM
to techies-f...@googlegroups.com

We have been running it, but have reduced the amount of full inspection we do due to the FortiGate 600C hitting memory limits.  Internet stats for the last 6 hours: 185Mbps average, peak 406Mbps. Active IPv4 sessions: 13.39K average, 20.51K max.

 

For the certificates we run an offline root CA, with an intermediate CA certificate issued to the FortiGate.

 

There are two modes the FortiGate can work in, flow based and proxy based. We've been using proxy.  In flow based, the FortiGate can replace the certificate for an SSL session, but can't add any additional certificates that are in the certificate chain, whereas in proxy mode it can include all certificates in the chain.  Therefore if you use flow based SSL inspection, clients will need both the root CA certificate and the intermediate FortiGate certificate, whereas using proxy mode the clients just need the root CA certificate.  Based on comments from another school, we'd probably have fewer memory problems if we swapped to the flow mode.

 

In regards to installing the certificates, we have written Windows and Android apps which install the certificates, create desktop shortcuts to our Intranet and Moodle, and configure the wireless network (we use Dynamic PSK on our Ruckus BYOD network).  For Mac and iOS we have a webpage which generates a profile which does the same.  The apps / profiles are downloaded by users from an open provisioning SSID.

 

Regards

Tracy B

St Peter's School, Cambridge, New Zealand
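To make the flow-versus-proxy point above concrete, here is an added example (not from the thread, and not Fortinet's code) that models how a client builds a certificate path from what the inspecting device presents plus what is installed locally. All CA and host names are constructed, and only issuer/subject linkage is modelled (no signatures, validity periods or revocation); the last function automates the check of looking at which CA a validated chain ends at, which is how a user can tell an inspected connection from an uninspected one.

```python
"""Model of the client-side trust decision for TLS inspection certificates.

Added example; not from the thread. Shows why a FortiGate in flow mode
(which sends only the re-issued leaf) needs both the root CA and the
intermediate installed on clients, while proxy mode (which sends the
intermediate too) needs only the root. Names are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_path(presented: List[Cert],
               trust_anchors: Iterable[Cert],
               local_intermediates: Iterable[Cert] = ()) -> Optional[List[Cert]]:
    """Chain from the presented leaf (presented[0]) up to a trust anchor.

    Candidate links are the CA certificates sent by the server plus any
    intermediates installed locally on the client. Returns None when no
    link leads to an anchor, which the browser shows as an untrusted
    certificate error.
    """
    anchors = {c.subject: c for c in trust_anchors}
    links = {c.subject: c
             for c in list(presented)[1:] + list(local_intermediates)
             if c.is_ca}
    current = presented[0]
    path = [current]
    seen = {current.subject}
    while current.issuer not in anchors:
        nxt = links.get(current.issuer)
        if nxt is None or nxt.subject in seen:  # missing link or loop
            return None
        seen.add(nxt.subject)
        path.append(nxt)
        current = nxt
    path.append(anchors[current.issuer])
    return path


def inspected_by(path: List[Cert], inspection_ca_subjects: Iterable[str]) -> bool:
    """True when a validated chain runs through the inspection CA rather
    than a public CA, i.e. the connection is being decrypted in the middle."""
    names = {c.subject for c in path}
    return any(n in names for n in inspection_ca_subjects)


# Constructed PKI: the school's offline root, the intermediate issued to the
# FortiGate, and a public CA for the site as the real server presents it.
SCHOOL_ROOT = Cert("School Offline Root CA", "School Offline Root CA", is_ca=True)
FORTIGATE_CA = Cert("School FortiGate Inspection CA", "School Offline Root CA", is_ca=True)
PUBLIC_ROOT = Cert("Example Public Root", "Example Public Root", is_ca=True)
PUBLIC_INT = Cert("Example Public Intermediate", "Example Public Root", is_ca=True)

# What the real server sends when nothing sits in the middle.
ORIGINAL_CHAIN = [Cert("www.example.com", "Example Public Intermediate"), PUBLIC_INT]
# The leaf the FortiGate re-issues under its own intermediate.
REISSUED_LEAF = Cert("www.example.com", "School FortiGate Inspection CA")
# Proxy mode sends the intermediate along; flow mode sends the leaf alone.
PROXY_MODE_CHAIN = [REISSUED_LEAF, FORTIGATE_CA]
FLOW_MODE_CHAIN = [REISSUED_LEAF]


def client_outcomes() -> dict:
    """Scenario name -> whether the client accepts the presented chain."""
    public_only = [PUBLIC_ROOT]                 # device before enrolment
    with_school_root = [PUBLIC_ROOT, SCHOOL_ROOT]  # device with root installed
    return {
        "original": build_path(ORIGINAL_CHAIN, public_only) is not None,
        # Inspected, but the school root was never installed: error page.
        "proxy_no_root": build_path(PROXY_MODE_CHAIN, public_only) is not None,
        "proxy_root": build_path(PROXY_MODE_CHAIN, with_school_root) is not None,
        # Flow mode: root alone is not enough, the intermediate link is missing.
        "flow_root": build_path(FLOW_MODE_CHAIN, with_school_root) is not None,
        "flow_root_and_int": build_path(FLOW_MODE_CHAIN, with_school_root,
                                        [FORTIGATE_CA]) is not None,
    }


if __name__ == "__main__":
    for scenario, ok in client_outcomes().items():
        print(f"{scenario:18s} {'accepted' if ok else 'REJECTED'}")
    path = build_path(PROXY_MODE_CHAIN, [PUBLIC_ROOT, SCHOOL_ROOT])
    print("inspected:", inspected_by(path, {FORTIGATE_CA.subject}))
```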

Peter Mancer

Nov 1, 2016, 12:16:18 AM
to Techies for schools
Gerard

The schools that discussed this with me reported that, with the filtering on, the speed of access to web sites was unacceptable, and with it turned off all was OK.

Kind regards


Peter



Peter Mancer

Nov 1, 2016, 12:27:54 AM
to Techies for schools
Tracy

Thank you for the information.    That's a big load for a 600C so I can fully understand the memory issues, but those boxes are great workhorses.  It looks like a 'D' model should be on your shopping list.  The 600D is rated at up to 3.5Gbps throughput doing SSL inspection but FortiGate don't have figures on the 600C for a comparison.  However the 600D does about four times the session performance.

Do you limit the full inspection to certain policies only?



Gerard MacManus

Nov 1, 2016, 12:28:12 AM
to techies-f...@googlegroups.com
Peter, we are a school with a 500gb connection with the N4L filtering running. We have very few issues, and more with wifi than with the N4L connection.

Gerard MacManus
Hobsonville Point Secondary School

Peter Mancer

Nov 1, 2016, 12:40:44 AM
to Techies for schools
Gerard

Thanks.  I'll feed that back.  I wonder if it was traffic related as the schools having problems had 1200 students or more.

Cheers

Peter

Patrick Dunford

Nov 1, 2016, 5:48:28 AM
to techies-f...@googlegroups.com

I'm not aware of that but we have only supported one school using it for any length of time. However we have largely ditched the SSL inspection due to challenges.


Tracy Briscoe

Nov 1, 2016, 4:28:47 PM
to techies-f...@googlegroups.com

We were running full inspection on all internet bound policies, with exclusions for categories like banking websites.

 

One program which we couldn't get working was Skype (consumer version). We ended up setting up one laptop with a static IP, and applied a policy allowing uninspected traffic from that. Skype for Business (formerly called Lync) did work through the firewall.

A site which we had problems with was Premier League Pass / neulion.com.  They couldn't be convinced not to send unencrypted HTTP traffic over port 443, and as the FortiGate was expecting SSL traffic on that port, it was blocking it.

 

An international student stated that our firewall was harder to get round than the Great Firewall of China.

 

Regards,

Tracy


Sue Way

Nov 1, 2016, 4:43:44 PM
to Techies for schools
We are an N4L school doing our own filtering using a Fortigate 600C.

We turned off SSL decryption and inspection due to the overheads in speed reduction and performance.

We have 1400 students and usually have 1800+ devices (many students have 2 devices) connected to wireless by 10am, so the overheads just were not worth it.

Sue Way
IT Services Director
Wellington Girls' College

ictdi...@kowhai.school.nz

Nov 1, 2016, 5:16:24 PM
to Techies for schools
We have been running it since we were SNUP'd almost 2 years ago on the advice of our previous ICT contractor. It took a lot of work to get going, and having to either push the certificate out or manually download and install it is a pain. My understanding of the ins and outs of SSL inspection is not fantastic to be honest, but in terms of the needs of the school, have I used that extra visibility? No. It was pitched that without it I could only see if students had gone to Google but I couldn't see what they searched for; with it I could see that they searched for 'sex' or 'porn'. Realistically we are going to trust in the N4L filter to restrict them getting to inappropriate material rather than looking at every request that is made. If there are issues we are almost always made aware of it by word of mouth rather than software-based alerts or log trawling. There are so many other ways students can access inappropriate material (4G, bringing it in on local devices etc.) that it is hard to justify the complexity and issues SSL raises.
Interestingly, at the time N4L and our contractor looked to implement their own firewall/tracking solution, but it was immature and wasn't a viable option. FortiGate was out of the picture due to cost, so we ended up with Linewize. Basically we need to be able to have a record of "this person went to this site at this time".
Our new contractor has advised against it and says that most of their other schools don't use it either. We will be removing SSL inspection shortly.

Kevin Whelan

Nov 1, 2016, 5:54:14 PM
to Techies for schools
Great post.
We aren't using it, but my thoughts were always that it was overkill, and your post confirms everything I suspected.
We are Linewize as well, after using WatchGuard (which is the same as FortiGate) for years, and the extra complexity of opening every damn port just created so much work, and nobody ever looked at the logs anyway.
Linewize is only let down by its poor VPN blocking, and its category filtering is very average, but you can't have everything and the cost is a no-brainer.

Landyn Frisby

Nov 17, 2016, 12:56:32 AM
to Techies for schools
We are an N4L school with a 500Mbps connection using SSL inspection on our BYOD network only at this point. This is quite new for us, and we only got connected to N4L this year.
Overall the connection itself copes well - speed has never been saturated. We turned on SSL inspection because of the use of VPN apps on student devices to get around the non-SSL filter.

Some apps that I have come across that have had issues:
Whatsapp
Puffin Browser

Getting the cert onto end user devices is the biggest hurdle. It would be nice if there was a captive portal that helped the end user through the certificate install process.
Overall the Cisco Cloud Web Security (N4L filtering solution) is reasonable; it can be a pain to configure, but it does cover what we have wanted to do so far. You also cannot compete with the price.

Tim Harper

Nov 17, 2016, 1:15:33 AM
to techies-f...@googlegroups.com
Hi Landyn,

We make the N4L certificate available on our website for students, along with instructions on how to use it.  We also use the generic N4L certificate, so if students go to another school that uses the same certificate then they don't have to re-install it.  The certificate is valid for a few more years yet.  That seems better than creating a certificate just for us, and when I visited another school (in Dunedin) last week the benefit was immediately clear to me as they used the same certificate.

We allow access to eg Facebook outside of class time for everyone.  This encourages them to install the certificate - Facebook is in a category we inspect - and it is reasonably easy to do especially on OSX and iOS.  Windows is pretty straight forward too.



regards,

Tim Harper



Landyn Frisby

Nov 17, 2016, 1:26:10 AM
to Techies for schools
Hi Tim, fancy finding you on here :)

We have gone with virtually the same philosophy and allowed social media outside of teaching hours. This has encouraged even the most IT-savvy students (who called us out on using a MIM attack) to install the cert to get Facebook. The power Facebook has is astonishing - people sell their soul to get on there....
I creatively named the cert "Access Certificate" to imply it is needed to access the internet.

Tim Harper

Nov 17, 2016, 2:06:13 AM
to techies-f...@googlegroups.com
Hi again Landyn

Yes I've heard people refer to this as MIM.  However my understanding of MIM is that using a certificate is not MIM.  MIM (according to the definition I know) does something different.  It is where the computer in the middle pretends to be the other computer to the other computer - ie appears to be the server to the client and the client to the server.  That is not the case when using a certificate.  There is no pretending and everything is out in the open - especially when you declare the categories that will be inspected (eg Social Media) and also tell them the categories that will not be inspected (eg banking.)


Clearly nothing is being forged and this is valid.  It is honestly decrypting traffic with the full knowledge of the client computer.  Which gives the client computer a choice - either install it and get access or don't install it and don't get access.  Real MIM does not tell the client what is being done and users have no idea that their traffic can be read.

If you want to filter https sites fully then using a certificate is the only honest way I know of to do it.  If you don't, then you can either block or allow an https site but not do things like, eg, stop Facebook games yet allow access to other parts of Facebook.

The only thing I'd have done differently is called the cert by its original N4L name, as that would indicate clearly that the purpose was to allow access on the N4L connection only.  I'm assuming it is the same generic N4L cert - just renamed - so people could easily use their device on any N4L connection that uses the same cert despite it having a different name.

My own opinion is that it is all about education and transparency.  Tell people what you are doing and why you are doing it.  Combine that with good digital citizenship education and I believe you are on to a winner.

I do know others disagree with me on this definition of MIM- I guess I'll hear from them soon!


regards,

Tim Harper



gre...@staff.cbhs.school.nz

Nov 17, 2016, 4:14:16 AM
to Techies for schools
Oh my.
Briefly (don't want to dilute this thread with off-topic-ness),

I see your viewpoint that - at a human level - there is no subterfuge if you choose to openly inform users regarding the whats and whys.

But at a software level, an SSL decrypt step is 101% MitM attack. The web filter must pretend to be {every secure host on the internet} to the school computer, and vice versa. The certificate is a trusted root (i.e. on par with verisign) to falsely prove to the school computer that the web filter is the host it thought it was communicating with. Both ends (unless they probe to see if something's afoot) believe there's a two-party trust relationship, not three-party.

- Ben.

Clayton Hubbard

Nov 17, 2016, 4:58:05 AM
to techies-f...@googlegroups.com
Hi Ben

I agree that the function is "man in the middle" but don't agree with the attack word. An attack is related to malicious activity, is it not? This is a consented process. (Trying not to create a philosophical discussion here.)

Low tech - another possible idea to distribute the cert to non-managed devices is to create a policy that shows the warning page if users browse to a website (e.g. cert.myschool.school.nz). On the warning page, put a link to the cert and instructions to install it.

In regards to security, it is also good to include other categories such as content delivery which will mean any malicious files will be blocked. Approx 60%+ is https traffic...

FYI - this is what the filtering does to protect privacy when inspecting SSL traffic. This describes what is not included in the logs. Useful when dealing with queries.

Extract from CWS Guide

User privacy with HTTPS traffic

When inspecting HTTPS traffic it is possible to select only the specific traffic that should get decrypted for inspection. This can be based on certain categories or a list of domains. Users can also list specific hosts and domains that should be excluded from HTTPS inspection, or choose to decrypt only applications covered in the list of AVC applications for decryption.

Note also that when HTTPS traffic gets scanned CWS does not log the Path and Query attributes of the URL, only the Host will be logged. For example, if a user browses to Google and searches for “cisco cloud web security” and hits Enter, the full URL will be:

https://www.google.com/?gws_rd=ssl#q=cisco+cloud+web+security

That full URL can be broken down to these three attributes:

- Host: https://www.google.com
- Path: ?gws_rd=ssl# (where on the site the user went to)
- Query: q=cisco+cloud+web+security (what the user searched for)

For privacy reasons CWS will log only the Host and not the Path nor the Query for HTTPS traffic that is inspected.

Clayton
--
Clayton Hubbard
Senior Engineer

Patrick Dunford

Nov 17, 2016, 6:39:13 AM
to techies-f...@googlegroups.com

Actually, it is exactly MIM. In order to be able to decrypt SSL traffic the N4L server has to be in the middle of the SSL transaction. Therefore it is the "man in the middle".

When you connect to a secure site the transaction between you and the remote server (e.g. your bank) is secure and nothing can get into it.

To be able to intercept the communications so that the SSL interception can take place, the N4L server impersonates the remote server. It does this by splitting the transaction into two pieces: one piece between you and the N4L server, and the other piece between the N4L server and the bank (or whoever). This works because the N4L server creates its own certificate that pretends to be the one from your bank.

The reason you have to install the certificate provided by N4L onto each device is that it says that the N4L server is a Trusted Root Certification Authority, which means it can issue certificates to the client, which pretend to be the real certificate issued by the secure website you are accessing. Next time you are on a secure website, have a look at the certificate; it will have been issued by N4L rather than Google or Verisign or one of the other SSL certificate providers.


Pete Mundy

Nov 17, 2016, 1:52:16 PM
to techies-f...@googlegroups.com

+1 with Ben, Clayton and Patrick. The process is absolutely a MitM by technical definition.

I can somewhat empathise with Clayton's position about it not being an attack though, as the intention is not malicious and is consented (or at least it's supposed to be anyway; I wonder how many students actually read the fine print and really understand the true purpose of the 'access thingy' they had to install on their device to get online).

On a MitM side-note, are there any list subscribers who are at the big 2-day conference at the Michael Fowler Centre in Wellington this week?

Pete



Kevin Whelan

Nov 17, 2016, 7:14:27 PM
to Techies for schools
I guess attack is a harsh word when you have physically let someone install a certificate.

My issue is that the end user doesn't understand this in any way; they just know that if they install this, everything will work.
So you are teaching them to wildly accept any user cert that any malicious person could use.
There are plenty of non-approved iOS app stores, for example, that use this certificate approach as well by getting you to install a profile,
and they then have complete control over your phone and/or your data.

I think teaching people to click/install on anything is just crazy advice, because they don't understand.

I'd be really interested in what you do with the extra data you now have, how much time it takes to review, and how much extra discipline you find you have to enforce.
We're struggling reviewing the logs we have now, and with private 4G data connections you're never going to stop someone really determined anyway.
At our boys-only school, users have basically matured and settled down from their early trying-to-get-past-everything attitude, and on the whole, apart from a few VPNs, are pretty harmless.
My early approach of being super in control has also relaxed more, and the boys know the consequences of being caught; we catch more by blabbing peers than logging.

Mike Etheridge

Nov 17, 2016, 7:27:10 PM
to techies-f...@googlegroups.com
I agree with Kevin on what we are normalising if we get the students to allow the MIM. Further, I am horrified by the one certificate/multiple sites scenario described.

Mike


Patrick Dunford

unread,
Nov 17, 2016, 8:38:30 PM11/17/16
to techies-f...@googlegroups.com

yeah, look at SuperFish and a few other examples that come to mind!

Our experience of CCWS was basically a lot of work and a lot of compatibility issues; in the end we just gave up. The school closes in 4 weeks!


Sam McNeill

unread,
Nov 17, 2016, 9:30:38 PM11/17/16
to Techies for schools
This old chestnut again hey!

I totally see both sides of the argument and we have a security appliance that is more than capable of doing full DPI but we choose not to.

We also have a very seamless way of deploying the certificates if we wanted to, as we use Cloudpath for onboarding; adding an additional cert would be as transparent or opaque to the end user as we wanted it to be.

Ironically, I agree that education is the best policy here; however, I think that from a student's perspective the education and the "take-home message" might be two different things.

By this I mean that if they are being told by a school "it's ok to install this certificate because it allows us to track certain traffic etc" ... you can bet your bottom dollar they probably stopped listening and heard "It's ok to install this certificate ...." and clicked "ok" at that point to proceed with the install. The next time they are using public wifi and up pops an alert that says "install this certificate to proceed", the likelihood that they think back to the school environment where they were told it was ok to install certificates is, in my opinion at least, very very high.

Therefore, I think we run the risk of encouraging poor personal security practices for our students by telling them "it's ok to do this here, but don't do it somewhere else" ....

FWIW - in the five years I've been in this role we have provided detailed browsing and access logs dozens of times. Not once have we been asked for more detailed information than what we provided because it was deemed insufficient to address the student behaviour. Now I concede we may have just been lucky or whatever over that five years, but it has at least let me be reasonably comfortable in my own conscience at least, that DPI was not necessary and that we have not been sending mixed messages from a security PoV to our students.

Cheers
Sam

Jeremy Nees

unread,
Nov 17, 2016, 10:33:10 PM11/17/16
to techies-f...@googlegroups.com
Definitely two sides to the discussion, and both have valid points. 

As stated, there are security considerations around having users install certificates, and around how this process is managed to mitigate potential downsides. There are also growing security considerations for performing SSL inspection. HTTPS is creating a growing blind spot from a security standpoint, as is recognised by leading security vendors:

Also, web reputation is increasingly less useful to block these threats, as CDNs and adverts inserted into higher web-rep sites are being used more often to hide attacks.

This isn't to make an argument for SSL inspection, but just to share some of the trends and use cases we are seeing globally. As always, it is a trade-off on security, but also on practicality, privacy and effort.

--
Jeremy Nees
Chief Operating Officer
The Network for Learning Ltd

M +64 21 919 220  DDI +64 9 972 1676  P 0800 LEARNING
A Suite 306, Geyser Building, 100 Parnell Road, Parnell, Auckland 1052
A PO Box 37118, Parnell, Auckland 1151  n4l.co.nz

Patrick Dunford

unread,
Nov 20, 2016, 4:33:28 PM11/20/16
to techies-f...@googlegroups.com

I would hope people are educated on the perils of public wifi in general, or on looking at the source of any certificate. Unfortunately we have been told that having a secure certificate on a website means it is legit and secure, which is clearly not always the case with SSL interception / MITM becoming more common.