I have a feeling most people are configuring their SWs incorrectly.
I think most people have DPI enabled but don't have the SW certificate installed on the workstations (DPI Client) or on their Servers (DPI Server).
Also, I have spoken with support in the past and they would say to go to Firewall Settings - Advanced - Connections and change it to: DPI Connections (DPI services enabled with additional performance optimizations).
They would tell you to do that to actually get most of the advertised speed from the firewall.
So it's my understanding that unless you install the certificates on all the workstations and/or servers, DPI is doing absolutely nothing and eating up your ISP speed and firewall CPU. So you should have this setting checked: Maximum SPI Connections (DPI services disabled)
I have seen on reddit that DPI should be turned off everywhere, including firewall rules even if you have DPI disabled under DPI-SSL.
I just think this is a very misunderstood setting with SWs.
What is everyone's take on this?
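The point above about DPI-SSL doing nothing useful when the firewall's CA is not installed on the workstations suggests a quick audit. The following is an added example, not from this thread or from SonicWall: it checks a list of Windows machines over WinRM for the firewall's DPI-SSL CA in the trusted root stores. The thumbprint is a placeholder you take from the firewall's own DPI-SSL certificate page, and the script assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example (not from the thread): audit whether the firewall's DPI-SSL CA
# is trusted on a set of Windows workstations. Assumes WinRM is enabled on the
# targets and that you pass the CA thumbprint shown on the firewall (placeholder).
param(
    [Parameter(Mandatory)] [string]   $CaThumbprint,   # placeholder: your DPI-SSL CA thumbprint
    [Parameter(Mandatory)] [string[]] $ComputerName
)

# Thumbprints in the cert: drive are uppercase hex with no spaces; normalise input.
$CaThumbprint = $CaThumbprint.ToUpper() -replace '[^0-9A-F]', ''

$check = {
    param($Thumbprint)
    # Stores that matter for machine-wide and per-user trust of a root CA.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\Root'
    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object { [pscustomobject]@{ Store = $store; NotAfter = $_.NotAfter } }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Trusted  = [bool]$found                                  # $false means DPI-SSL will break TLS here
        Stores   = (@($found.Store) -join ';')
        Expires  = (@($found.NotAfter) | Sort-Object | Select-Object -First 1)
    }
}

# Machines that are unreachable are reported as errors rather than stopping the run.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
    -ArgumentList $CaThumbprint -ErrorAction Continue |
    Select-Object Computer, Trusted, Stores, Expires |
    Format-Table -AutoSize
```

Browsers with their own trust store (Firefox, unless configured to use enterprise roots) will still warn even when this reports Trusted, so treat a pass here as the Windows store only.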
Comments
DPI and DPI-SSL are different things. DPI is what gives you all the Next-Gen Firewall features and should be enabled if you want to utilize the security services.
DPI-SSL is broadening this to SSL encrypted traffic and requires a cert in each device. So it could be said that using DPI-SSL will make it possible to inspect 90+% of traffic, only using DPI about half, if that, and if you disable DPI altogether you aren't doing any deep packet inspection and are only using the firewall as a packet filter.
If you would do that then there isn't much sense using a Next-Gen firewall at all and you could just use some open source packet filter firewall.
Turning on "performance optimizations" or "enhanced security" affects low risk threat inspection. More speed if you don't care about low risk threats.
Evidently :)
If you enable DPI-SSL on traffic for clients that don't trust your cert, it's not just going to silently fail, the users would be up in arms about getting certificate warnings everywhere and applications not working.
@SonicAdmin80 summarized it pretty well.
"I just think this is a very misunderstood setting with SWs"
The same can be said about any NGFW, as DPI and DPI-SSL are pretty much standard fare on all manufacturers.
People will read Reddit and not actually understand any of what they are doing, and put themselves in compromising situations…
DPI-SSL is becoming a no-no for more and more sites. As long as a browser does a one-way check (i.e. the client checks the validity of a certificate and is served up the certificate of the firewall, so it thinks it's ok) then it works fine. But more and more sites do a cross-check, where the remote site 'asks' the browser what certificate information it has received. And then the man-in-the-middle (the firewall) is caught and the connection is terminated. For those sites, you have to exclude them from DPI-SSL, making it easier for malware developers to get their crap delivered…
I had a suspicion that something like this might be happening, performed by some WAF. Two customers reported an issue with two different sites that randomly return 404 on different page elements [we can see this with web developer tools, network log]. The issue goes away once the site is excluded from DPI-SSL.
DPI-SSL is on borrowed time.
I also feel like DPI-SSL might be more hassle than it's worth at this point, maybe stuff like endpoint protection and DNS filtering are easier to cover some of the same areas without all the management overhead with DPI-SSL.
The term for the cert 'cross-check' is certificate pinning. Its purpose is understandable from both the provider and client side, so it's not going anywhere.
Yes, the big providers (MS, Google, Apple, etc.) will continue to pin their certs and thus be excluded from DPI-SSL. It's up to the company to decide if that is an acceptable risk and use their services, or not.
Not all endpoints have the ability to install 'endpoint protection', just the same as not all endpoints can import a third party cert and trust it.
As long as a company's policies state ALL IT-related risks should be minimized, then DPI-SSL isn't going anywhere either.
Different tools fill different needs.