Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

When should companies use SSL Inspection?

Hi professionals,

There seems to be some controversy around whether or not SSL Inspection should be used by businesses. 

What is your opinion - should they be used, and if so when? Conversely, what are the reasons for not using SSL inspection?

10 Answers
Bruce Bennett - PeerSpot reviewer
Sr. Systems Analyst at a manufacturing company with 5,001-10,000 employees
Real User
Jun 22, 2020

I am a proponent of SSL inspection, as long as you have another function/service that is evaluating that traffic, like URL filtering or DLP. The biggest reason I have seen is that all sites are going to https, so there is no granularity for URL filtering unless you are doing SSL inspection. Most URL filtering can categorize based on the full URI, but without SSL inspection you will only see the base. Example: without SSL inspection your services will only see "www.itcentralstation.com" going to this page. With SSL inspection you will see the full URL, "www.itcentralstation.com/questions/when-should-companies-use-ssl-inspection?...", giving the URL filtering service more information to categorize. Another good example is blog sites. Without the SSL inspection, all the blogs look the same; with inspection, the ones that you want to block can be identified.

Where not to use SSL inspection: in personal-related destinations like health, banking and sites that fall into similar HIPAA and PII categories.

One thing you will run into with SSL inspection is that some sites, especially security related sites, will have issues with the "man in the middle" generally used for SSL inspection, so you will run into issues where you have to bypass sites like this as well.

Security Manager at a transportation company with 1,001-5,000 employees
Real User
Aug 16, 2021

SSL inspection requires high firewall resources; the use depends on what your objectives are. E.g., SSL inspection is a must on a WAF or Layer-7 IPS to protect inbound traffic to your servers, if you need very granular access control for your users to the Internet.

On the other hand, explicit proxy deployment can achieve the URL/URI filtering purpose without SSL inspection for client outbound traffic protection. While SSL inspection is useless for layer-4 only firewall/IPS and webserver running TLS 1.3, DLP/sandbox in endpoint seems to be more effective than the network approach, because the delay in scan result will timeout the network connection. 

Consider SSL inspection on specific traffic types: it can save cost and settle the internal controversy. 

Supervisor of IT Infrastructure & Cybersecurity at a comms service provider with 51-200 employees
Top 5 Leaderboard
Jan 5, 2021

As more Internet traffic is encrypted each day, at some point the majority of Internet traffic will be encrypted. SSL inspection is needed when a business needs to audit what their users are doing on the Internet. Cost and complexity are the largest reasons to not perform SSL inspection, especially on the network edge.

I'm not a huge proponent of performing SSL inspection at the network edge. Most solutions' performance levels drop off the face of the planet when it is enabled, and it is complex to set up and maintain. I think the better solution for SSL inspection is to perform it on endpoint devices. This will be cheaper and less complex overall and provide SSL inspection on laptops even when they are not in the office.

Chief Technology Officer at a tech services company with 51-200 employees
Jun 22, 2020

SSL Inspection is great for corporate/organizational security as it allows you visibility into the traffic going across the network. It can also break access to some sites as it is technically a man-in-the-middle. (Anything requiring certificate authentication.) If you're going to do it, you really need a login banner for your systems that advises users that their activities are being monitored. You'll also need to install certificates on people's PCs. This won't work for guest users. I wouldn't store decrypted content though, as you will have to safeguard that data, since it will contain sensitive information. (Is it really worth the risk?)

Senior Pre-sales consultant at Businesscom BV
Top 10
Jun 30, 2020

In general, there are some vulnerabilities in SSL that you should try to mitigate whenever possible. SSL inspection should help indeed.

Luis Apodaca - PeerSpot reviewer
IT Support and Network Admin at Escuela Carlos Pereyra
Top 5
Jun 23, 2020

These days you should use it, no matter if you are a home user; it is about security, and it will be easier each time to have your personal or professional info leaked. A serious IT guy should always say you should use it.

robofl - PeerSpot reviewer
Jun 23, 2020

I used to be against this but am leaning the other way now, since just about every site is encrypted. I think some sites need to be avoided, like banking, credit card processing, payroll, etc. Management, and especially the Accounting Dept, needs to be in the loop.

Technical Manager, NOC at TEXUM JORDAN
Jun 23, 2020

SSL Inspection or HTTPS Inspection is the process of intercepting SSL-encrypted internet communication between the client and the server. The interception can be done between the server and the client and vice-versa. SSL Inspection intends to filter out dangerous content, such as malware. This inspection is also called Deep SSL Inspection or Full SSL Inspection. It allows the user to do web and email filtering, antivirus scanning, etc. SSL inspection not only protects you from attacks that use HTTPS, but also from other commonly used SSL-encrypted protocols, such as SMTPS, POP3S, IMAPS, and FTPS.

Jun 23, 2020

We don't use it yet, but I am exploring my options here. I believe it's the only way to identify exactly what's coming into the workspace.

Stuart Berman - PeerSpot reviewer
CTO at a tech company with 11-50 employees
Real User
Top 10
Jun 22, 2020

For large companies SSL Inspection is often problematic, especially with the release of TLS 1.3, which is resistant to man-in-the-middle attacks, which is what SSL Inspection is in essence. The financial services industry fought long and hard to prevent the TLS 1.3 standard from blocking MiTM attacks, since they depend heavily on it. The solution for TLS 1.3 is to use large terminating proxies to terminate the connections on either side of the conversation on PCs they wholly control.

A better approach is to scan for content prior to (or after) encryption which means a host agent on your users' machines.

Overall, I believe SSL Inspection is a losing battle as more sites adopt TLS 1.3, and more sites will break as the result of trying to use that technology, unless you need to tightly control all communications. Consider the culture of companies that allow people to bring their own machines (BYOD) and are more collaborative in nature, with guest/partner/vendor machines allowed on their networks. Does your company value stringent security, or security that does not get in the way?
