Meraki

Community

Roadmap for SSL Deep Packet Inspection

KrisWithaK
Conversationalist
‎Jul 18 2019 12:43 PM
‎Jul 18 2019 12:43 PM

Roadmap for SSL Deep Packet Inspection

I'm reading reports stating that as much as 72% of Internet traffic is SSL encrypted.  Aside from just having an effective endpoint security solution, deep packet inspection at the edge is a critical function of modern firewalls.  Where does the release of hardware and OS supporting DPI on the Meraki platform sit on the product roadmap?

 

Thank you!

0 Kudos
7 Replies 7
jdsilva
Kind of a big deal
‎Jul 18 2019 12:57 PM
‎Jul 18 2019 12:57 PM

You mean this: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection  ??

 

It's in beta now. Call support and request it be enabled.

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
KrisWithaK
Conversationalist
‎Jul 23 2019 12:37 PM
‎Jul 23 2019 12:37 PM

This is great.  I imagine that turning this on severely impacts performance as it does with every firewall.  It makes me wonder if Meraki has some higher-performance MX models coming out to meet that challenge in the enterprise. 

0 Kudos
In response to KrisWithaK
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 23 2019 12:40 PM
‎Jul 23 2019 12:40 PM

>I imagine that turning this on severely impacts performance as it does with every firewall.

 

Basically you take a 90% performance hit.  It turns a 1Gb/s MX into a 100Mb/s MX.

 

You can use group policy to selectively apply it to only certain clients to alievaite this somewhat.

 

This is the instructions for configuring TLS decryption.

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection

0 Kudos
In response to PhilipDAth
KrisWithaK
Conversationalist
‎Jul 23 2019 12:58 PM
‎Jul 23 2019 12:58 PM

Thanks, Philip.  I work in telecommunications, and we sell a lot of Meraki.  I am finding a serious lack of DPI support here, and I am hoping to soon have an option for my more security-conscious customers.  And hey, if they have information that important to protect, they will have the budget for a bigger firewall, so hopefully Meraki will follow the official release with something north of the MX450.

0 Kudos
jillescas
Conversationalist
‎Jul 18 2019 1:56 PM
‎Jul 18 2019 1:56 PM

You can call support to enable beta caracteristics.

 

greetings.

0 Kudos
In response to jillescas
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Jul 18 2019 3:58 PM
‎Jul 18 2019 3:58 PM

DPI SSL is fast becoming an issue. The problem I see is by inspecting SSL traffic you are actually breaking what SSL was designed for which was to be encrypted traffic.

 

I would have also thought more than 90% of internet traffic would be SSL TBH.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 18 2019 5:21 PM
‎Jul 18 2019 5:21 PM

@KrisWithaK wrote:

I'm reading reports stating that as much as 72% of Internet traffic is SSL encrypted.  Aside from just having an effective endpoint security solution, deep packet inspection at the edge is a critical function of modern firewalls.  Where does the release of hardware and OS supporting DPI on the Meraki platform sit on the product roadmap?

 

I don't agree with you about the important of TLS deep packet inspection.  I explained why here:

https://community.meraki.com/t5/Security-SD-WAN/MX-HTTPS-Inspection-Coming/m-p/45872/highlight/true#...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.