There is no question that SSL inspection is both incredibly resource intensive and that its implementation comes with a painful initial transition and tweaking period where you work out exceptions and such. With that said, when was an important network security function implemented that wasn't a complete pain to put into place?

The bottom line is that if you are not inspecting SSL traffic, and it contains malware, that malware will make it to your environment. Then you have to ask yourself if you have invested in an endpoint AV strategy that has a high enough success rate to keep you from allowing a big malware problem into your network. Are you willing to let your users see whatever embedded videos they want to see on their favorite sites? Without full inspection, that's what you're going to allow unless you're running a straight whitelisting strategy.

As far as mobile devices go, if you're running those on the same VLAN as your desktop and laptop environment, you've got bigger problems. The idea here is not to run deep packet inspection for every bit of your traffic, but just for the devices that carry your critical information (desktops, laptops, servers, etc.).

In summary, no one is a fan of implementing deep packet inspection, but sticking your head into the mud won't keep your business from suffering from the lack of a proper security strategy for your entire attack surface.