MX HTTPS Inspection Coming ...

Kind of a big deal

MX HTTPS Inspection Coming ...

Starting with 15.11 a closed beta of HTTPS inspection has been released.  There is now public documentation about this feature.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection

14 REPLIES
Kind of a big deal

Re: MX HTTPS Inspection Coming ...

Interesting! Thanks for the share Philip.

 

Have you heard anything about the performance impact of enabling it?

Kind of a big deal

Re: MX HTTPS Inspection Coming ...

No, I don't know the performance impact.  I'm trying to get myself onto the beta program.  Being a closed beta I'm not sure, but I asked if I could talk about this in public and was told yes, and the documentation is publicly posted.

 

 

I'm generally not a fan of SSL inspection - because it is a lot of work to deploy and breaks things.

 

You need to load a certificate onto the MX (or any device that does TLS inspection), and then load that certificate as a trusted root certificate onto every device sending traffic via that MX.  For some mobile devices that is a real pig of a job.

You end up creating more VLANs, so you can inspect some types of devices and avoid others because they are too much work - or you create huge bypass/whitelist rules.

 

Then you get sites (like www.google.com) that specifically check that the certificate returned is Google's, and will report a security problem.  So you end up telling the browser to ignore this, and the user has worse protection when they are out of your office, or you start whitelisting things all over the place.

 

Then you get issues with new versions of server software offering newer encryption and TLS versions faster than the SSL inspection engine is updated, breaking things.  For example, this TLS inspection feature only supports TLSv1.2.  So if you went to a web site that only offered TLSv1.3 (not likely at this stage) it would break.

 

 

With Cisco Firepower you can say only TLS inspect sites with a "rank" below a certain value.  Then it ignores high ranking sites like Google, Office 365, etc. - and only pays attention to low ranked sites (far more likely to be used for malware).  This also relieves a lot of load off the device, as the bulk of your traffic tends to be to high ranking sites (the very definition of high rank).

Head in the Cloud

Re: MX HTTPS Inspection Coming ...


@PhilipDAth wrote:

No, I don't know the performance impact.  I'm trying to get myself onto the beta program.  Being a closed beta I'm not sure, but I asked if I could talk about this in public and was told yes, and the documentation is publicly posted.

 

 

I'm generally not a fan of SSL inspection - because it is a lot of work to deploy and breaks things.

 

You need to load a certificate onto the MX (or any device that does TLS inspection), and then load that certificate as a trusted root certificate onto every device sending traffic via that MX.  For some mobile devices that is a real pig of a job.

You end up creating more VLANs, so you can inspect some types of devices and avoid others because they are too much work - or you create huge bypass/whitelist rules.

 

Then you get sites (like www.google.com) that specifically check that the certificate returned is Google's, and will report a security problem.  So you end up telling the browser to ignore this, and the user has worse protection when they are out of your office, or you start whitelisting things all over the place.

 

Then you get issues with new versions of server software offering newer encryption and TLS versions faster than the SSL inspection engine is updated, breaking things.  For example, this TLS inspection feature only supports TLSv1.2.  So if you went to a web site that only offered TLSv1.3 (not likely at this stage) it would break.

 

 

With Cisco Firepower you can say only TLS inspect sites with a "rank" below a certain value.  Then it ignores high ranking sites like Google, Office 365, etc. - and only pays attention to low ranked sites (far more likely to be used for malware).  This also relieves a lot of load off the device, as the bulk of your traffic tends to be to high ranking sites (the very definition of high rank).


That's a good breakdown, @PhilipDAth. As a reseller, I just look forward to it so it checks the box as something competitors currently do, but Meraki does not.

Getting noticed

Re: MX HTTPS Inspection Coming ...

doc says 85-90% throughput drop, yikes, no thanks.

A model citizen

Re: MX HTTPS Inspection Coming ...


@Adam2104 wrote:

doc says 85-90% throughput drop, yikes, no thanks.


OMG...

 

Throughput

The additional overhead of decrypting and inspecting client traffic significantly reduces the security appliance’s throughput capabilities. A reduction of 85-90% vs stateful firewall throughput spec may be seen. For example, an MX250 capable of 4 Gbps stateful firewall throughput may achieve 600 Mbps with HTTPS inspection enabled.

Kind of a big deal

Re: MX HTTPS Inspection Coming ...

Endpoint security, people! The network is the wrong place to do this.

Getting noticed

Re: MX HTTPS Inspection Coming ...

Finally! I can't wait to try the beta.

Getting noticed

Re: MX HTTPS Inspection Coming ...

This is normally only used to get a decent blocking page out there for https traffic.

However I think Umbrella is a better way to go about this.

 

Maybe if you go to a public IP instead of an allowed DNS could the inspection be used to check that?

Here to help

Re: MX HTTPS Inspection Coming ...

Has anybody tested it with MX67? thank you

Here to help

Re: MX HTTPS Inspection Coming ...

That throughput...

 

I'm just going to nope out of this... ty.

Here to help

Re: MX HTTPS Inspection Coming ...

The doc does note that you can whitelist via L3 and L7 rules to exempt them from inspection. What you say Firepower can do is smarter, though.

Here to help

Re: MX HTTPS Inspection Coming ...

After a month of waiting, support finally enabled the SSL inspection. Now my question is: what kind of certificate do I need to upload? I created the root certificate with the private key using openssl and uploaded it, but it doesn't work - no HTTPS page loads.
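Two posts in this thread touch the certificate side of inspection: loading a CA certificate onto the MX and trusting it on every client, and a root made with openssl that the MX would not use. As an added example (not from this thread or from Meraki's documentation), the script below generates a root CA with the basic constraints and key usage that any TLS-inspecting middlebox needs in order to issue per-site certificates, and checks a certificate file for them before you upload it; file names and CNs are constructed, and whether the MX wants exactly this format is not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Meraki docs): create a root CA of the
# kind any TLS-inspecting middlebox needs, then verify it really is a CA.
# File names and the CN are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_inspection_ca PREFIX CN
# Writes PREFIX.key and PREFIX.crt. The two -addext lines are the point:
# an inspecting device re-signs every site certificate with this key, and
# clients reject those certificates unless the root carries CA:TRUE and
# keyCertSign, even when they trust the root itself.
make_inspection_ca() {
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1825 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

# make_leaf_cert PREFIX CN
# A self-signed end-entity certificate: it cannot sign other certificates,
# so an inspecting device given this key cannot mint usable site certs.
make_leaf_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" 2>/dev/null
}

# is_valid_inspection_ca CERTFILE
# Returns 0 when the certificate carries both CA:TRUE and the Certificate Sign
# key usage, 1 otherwise. Run this on a root before uploading it anywhere.
is_valid_inspection_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
}

# Demo when run directly: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
  make_inspection_ca "$WORKDIR/inspect-ca" "Example Corp TLS Inspection CA"
  if is_valid_inspection_ca "$WORKDIR/inspect-ca.crt"; then
    echo "OK: $WORKDIR/inspect-ca.crt is usable as an inspection root"
  else
    echo "FAIL: missing CA:TRUE or keyCertSign" >&2
  fi
fi
```

The same `is_valid_inspection_ca` check applied to a certificate made by `make_leaf_cert` fails, which is the quickest way to tell a leaf-style self-signed cert from a real root before blaming the appliance.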

Kind of a big deal

Re: MX HTTPS Inspection Coming ...

I had the same problem.  I think it is broken in the current 15.x release.

Here to help

Re: MX HTTPS Inspection Coming ...

After upgrading to the newest beta it works somehow. The problem is that the webpage doesn't load completely.
