On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty < kathleen.moriarty.i...@gmail.com> wrote: > I think what Yoav is referring to by detecting BOTS within the > network, is really so called advance persistent threat (APT) actors > that are moving around the internal network leveraging existing access > rights of compromised accounts and privilege escalation > vulnerabilities. These might be detectable with 'visibility'. > Patterns and behavior might be used to detect the APT use case whether > or not encryption protects the stream, but it is more difficult.
Yes, they might, however, the best place for malware detection is on the edge (which is out of scope for "in the Datacenter" type connections) and the endpoint, where an agent is able to run that does not need to 'break in' to the TLS session. Yes, the Fenter draft talks about how malware endpoints can be anywhere in the network, and that they can delete logs as a reason to require out of band network decryption. However, if "breaking TLS" becomes an effective malware mitigation means, more malware makers may move to using app-level encryption (as some already have). Therefore, the conclusion we can draw is that malware is not a reasonable reason requiring this enhanced "visibility". -carl
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
