What ist the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

stupid question, I know, but honestly: what is the benefit of the Xstream protection when you decide not to break TLS sessions at all (besides mail filtering)?

Will someone earn any higher protection level with all these features activated without breaking TLS in comparison to a base licence?

I am asking because when I look around (ca. 100 and more customers, even at enterprise level), nobodoy, really nobody does TLS decryption in any case but for testing purposes. There are a lot of reasons against: privacy breach (admins may read passwords of users in clear text) and simply because many things won't work anymore because lots of (web) applications rely just on working https connections. Things get more and more complicated.

So on one hand every manufactor praises zero-trust, xstream, total protection, 360 degree of comfort or whatever term came to your mind, but what does it help in reality when you are able only to inspect unsecured connections? How much do you raise your security level? In percentage maybe: 5, 10, 25 or even 42%?

I can read and read whitepapers and watch demos: It will not get to my mind, what is the purpose of buying all these features, when nobody make use of it?

Some help and clarification would be really appreciated.

Added TAGs
[edited by: emmosophos at 4:54 PM (GMT -7) on 3 Nov 2023]
  • I tried to address some of those questions in the FAQ that LuCar linked to.

    I am on the dev team and I deal with escalations, so I know know the sales side and what average customers do. However I know a reasonable percentage of our customers do HTTPS decryption because I see it if I need to go onto their boxes. I don't know how many, but a good portion. The most common reason I hear about for not decrypting is the able to deploy the Certificate Authority to BYOD devices. Compatibility with sites mostly works out of the box and really is just a pain for the first week as people get things up and running.

    As to your original question please understand this is only my off-the-cuff opinion. If you do not do HTTPS scanning:
    - website blocking due to category or domain name fully works, including known malware sites (5% worse)
    - antivirus scanning is only HTTP (90% worse)
    - zero day protection is only HTTP (90% worse)
    - ATP (Advanced Threat Protection) of callhomes is lower but still good (25% worse)
    - IPS and App control is lower but still good (25% worse)

    If you were asking specifically about whether you should buy a bigger license (eg with Zero Day Protection) remember that even though you've lowered the usefulness in web by not doing decryption, you still get it for email.

  • We have been using HTTPS decryption for almost 2 years without any problem. We have to exclude TV and devices where we cant install certificates.

    Banking site and some software updates need to be excluded from scanning.Overall DPI works and improved a lot.

Reply Children
No Data