Plan a Staged, Prioritized Deployment
Deploying decryption can change the reachability of websites that users may be used to accessing if those sites are risky or don’t support your business. A staged rollout prepares the user population and tech support for changes, and enables you to test how the rollout affects applications.
Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your entire decryption deployment at one time. Test and ensure that decryption is working as planned and that users understand what you are doing and why. Rolling out decryption in this manner makes it easier to troubleshoot in case anything doesn’t work as expected and helps users adjust to the changes.
Educating stakeholders, employees, and other users such as contractors and partners is critical because decryption settings may change their ability to access some websites. Users should understand how to respond to situations in which previously reachable websites become unreachable and what information to give technical support. Support should understand what is being rolled out when and how to help users who encounter issues. Before you roll out decryption to the general population:
- Identify early adopters who can champion decryption and help other employees who have questions during the full rollout. Enlist the help of department managers and help them understand the benefits of decrypting traffic.
- Set up proof-of-concept (POC) trials in each department with early adopters and other employees who understand why decrypting traffic is important. Educate POC participants about the changes and how to contact technical support if they run into issues. In this way, decryption POCs become an opportunity to work with technical support to work out how to support decryption and to develop the most painless method for supporting the general rollout. The interaction between POC users and technical support also allows you to fine-tune policies and how you communicate with users. POCs enable you to experiment with prioritizing what to decrypt first, so that when you phase in decryption for the general population, your POC experience helps you understand how to phase in decrypting different URL Categories. Measure how decryption affects firewall CPU and memory utilization to determine whether the firewall sizing is correct or whether you need to upgrade. POCs can also reveal applications that break decryption technically (decrypting them blocks their traffic) and need to be added to the Decryption Exclusion list. When you set up POCs, also set up a user group that can certify the operational readiness and procedures prior to the general rollout.
- Educate the user population before the general rollout, and plan to educate new users as they join the company. This is a critical phase of deploying decryption because the deployment may block websites that users previously visited but that are not safe, so those sites are no longer reachable. The POC experience helps identify the most important points to communicate.
- Phase in decryption. You can accomplish this in several ways. You can decrypt the highest-priority traffic first (for example, the URL Categories most likely to harbor malicious traffic, such as gaming) and then decrypt more as you gain experience. Alternatively, you can take a more conservative approach and first decrypt the URL Categories that don't affect your business (so if something goes wrong, no issues occur that affect business), for example, news feeds. In all cases, the best way to phase in decryption is to decrypt a few URL Categories, take user feedback into account, run reports to ensure that decryption is working as expected, and then gradually decrypt a few more URL Categories and verify, and so on. Plan to use decryption exclusions to exclude sites from decryption if you can't decrypt them for technical reasons or because you choose not to decrypt them. If you Enable Users to Opt Out of SSL Decryption (users see a response page that allows them either to opt out of decryption and end the session without going to the site, or to proceed to the site and agree to have the traffic decrypted), educate them about what it is, why they're seeing it, and what their options are.
- Create realistic deployment schedules that allow time to evaluate each stage of the rollout.
Place firewalls in positions where they can see all of the network traffic so that no encrypted traffic inadvertently gains access to your network because it bypasses the firewall.