HTTPS Inspection - TLS/SSL Decryption

PhilipDAth
Kind of a big deal


A while ago the "HTTPS Inspection" feature was announced.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection 

 

This appears to have moved from Alpha to Beta.  We are trialling it out on 15.21 - and it is now working reliably.  On an MX67 (with only a small number of test users) we are able to get 450Mb/s using speedtest.net.

 

So it is starting to look a bit more serious and usable for those interested.  Personally, we'll probably stick to using Cisco Umbrella for those actually wanting this capability, but if you want a one box solution then it is now plausible.

CptnCrnch
Kind of a big deal

Though I'm sharing your views on Decryption, this is nevertheless great news! We definitely have some clients wanting to jump onto that wagon and your testing sounds as if this isn't going to be turning out as a disaster.

 

Guess it still has to be requested via support case?

Roska
A model citizen

Thanks for your interesting feedback @PhilipDAth 

Nash
Kind of a big deal

Interesting, so the potential throughput loss may be less awful than predicted? At least in environments with only a few users.

 

I'm also a fan of other methods, since intentional Mallories in the middle give me hives. We use Umbrella in my office and across several dozen client deployments representing hundreds of users. Small sample size, I know, but we've been very happy with the results.

 

Are you able to exempt any sites from the HTTPS inspection, or is this a binary setting?

Roska
A model citizen

A bit off topic, but are you here using a ThreatGrid sub in addition to MXs with Advanced Security and AMP enabled? I looked into the latest and found that Cisco has a new TG daily sample subscription pending in prelaunch hold. This seems to be more appropriately priced for SMB compared to the TG Cloud sub, with at least 3 users on the TG portal actually executing the files and anomalies that AMP does not know for sure.

PhilipDAth
Kind of a big deal

I've never used ThreatGrid so can't comment on that one.

After trying out TLS decryption for a week I've found the biggest issue is you cannot whitelist domains that don't work.

 

We found several apps that provide end to end encryption no longer work - such as WhatsApp web.  Also the Cisco ASDM no longer worked.

Hey Philip, thank you for the follow up on the issue about the TLS decryption.

Can you clarify the impossibility to whitelist domains and apps? There is this section (below) in the documentation that you posted first. Based on it, are you saying that it doesn't work, or is it something different?

Thanks.

 

"""

  1. Configure Layer 3 and 7 whitelist options

    1. Navigate to the Security & SD-WAN > Threat Protection page.

    2. L3 whitelist: Specify source IPs of clients that should be exempt from HTTPS inspection. 
    3. L7 whitelist: Specify destination hostnames that should be exempt from HTTPS inspection. Use wild cards by prefixing the hostname entry with an asterisk. For example, *.example.com will match www.example.com .  

Note: The L3 and L7 whitelist configurations apply to all clients affected by HTTPS inspection, including those with inspection applied via group policy.

"""

PhilipDAth
Kind of a big deal

I never spotted that bit.  That should do it.

Now have Application Allow list for MX16+ firmware (screenshot omitted).

KarstenI
Kind of a big deal

I never expected this to become a reality ...

Ok, have to change my mind on it. Especially as the Umbrella SIG package is quite expensive.

AI007
Meraki Employee

Critical note in the KB:

IMPORTANT: HTTPS inspection is still in development and in beta. This feature is in testing and not recommended for production networks. It might end up breaking certain existing features and impact network traffic adversely. Please refrain from utilizing this as a production solution.

 

TBee
Here to help

Hi Philip,

 

I have tried to follow the link you have provided, however, it's asking for a login that I don't appear to have.

 

My CCO login, Meraki Partner and Meraki Dashboard log in don't seem to be accepted.

 

Is this information stored in another location?

PhilipDAth
Kind of a big deal

It looks like the link has been removed.  I can't find it anywhere else.

So are Meraki still supporting HTTPS packet inspection? Is this still only available in Beta, or is it being dropped in favor of directing HTTPS inspection to the Cisco Umbrella subscription service?

CptnCrnch
Kind of a big deal

I guess they've dropped it because of its implications (performance impact as well as functionality issues) in favor of Umbrella. At least that'd make perfect sense.
