I keep coming back to this Fortinet article:


It discusses how, with TLS 1.2, they can issue a MITM certificate to help monitor SSL traffic, which is vital for today’s network admin. But TLS 1.3 includes some end-to-end privacy options, as well as downgrade protection, meaning that some traffic may no longer be able to be monitored at the firewall level.

There are also interesting discussions around DNSSEC (encrypted DNS), especially as it’s gained notoriety for malware C&C operations.

So what’s best practice here?

A layered approach, including endpoint monitoring and least-permissive access (e.g. allowlists / blocklists), will help mitigate risk while also enhancing privacy and security. (For example, PCI compliance for eCommerce requires strong certificates and TLS 1.3.)

For DNS, having a local DNS server (using DNSMasq, Pi-hole, or BIND9 for Windows domains) is invaluable, not only for performance but for threat mitigation, malware-over-ads blocking, and visibility. Then, of course, the best solution is to use DNSSEC internally to prevent snooping, blackhole all other port 53 traffic so that clients cannot bypass the local server with custom DNS settings, and use Cloudflare’s public DNSSEC resolver as your forward resolver.
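The setup above, written out as an added example that is not from the original post: a POSIX shell script that renders a dnsmasq forwarder config (forwarding only to Cloudflare, validating DNSSEC, sinkholing an ad domain, logging every query) and an nftables ruleset for the gateway that lets only that resolver talk to port 53 and logs-then-drops every other LAN host's DNS attempt. The resolver address, LAN subnet, sinkholed domain and trust-anchor file path are constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed/constructed values:
# the resolver's LAN address, the LAN subnet, the sinkholed domain and the
# dnsmasq trust-anchor path; override them through the environment.
RESOLVER_IP="${RESOLVER_IP:-192.0.2.53}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
TRUST_ANCHORS="${TRUST_ANCHORS:-/usr/share/dnsmasq/trust-anchors.conf}"

# dnsmasq: ignore /etc/resolv.conf, forward only to Cloudflare's resolvers,
# validate DNSSEC against the shipped root trust anchor, sinkhole a
# constructed ad/malware domain, and log every query for visibility.
render_dnsmasq_conf() {
  cat <<EOF
# /etc/dnsmasq.d/resolver.conf (generated)
no-resolv
server=1.1.1.1
server=1.0.0.1
dnssec
dnssec-check-unsigned
conf-file=${TRUST_ANCHORS}
address=/ads.example/0.0.0.0
log-queries
cache-size=10000
EOF
}

# nftables (on the gateway): only the local resolver may speak DNS upstream;
# any other LAN host trying to reach port 53 directly is logged and dropped,
# so custom DNS settings on a client cannot bypass the resolver.
render_nft_rules() {
  cat <<EOF
# /etc/nftables.d/dns-egress.nft (generated)
table inet dns_egress {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip saddr ${RESOLVER_IP} udp dport 53 accept
    ip saddr ${RESOLVER_IP} tcp dport 53 accept
    ip saddr ${LAN_NET} udp dport 53 log prefix "dns-bypass " drop
    ip saddr ${LAN_NET} tcp dport 53 log prefix "dns-bypass " drop
  }
}
EOF
}

# Stand-alone use: print both fragments for review before installing them.
render_dnsmasq_conf
echo
render_nft_rules
```

The printed ruleset can be syntax-checked with `nft -c -f <file>` before it is loaded, and the `dns-bypass` log prefix gives the SIEM a simple string to alert on.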

And of course, if you’re me, and trying to access SQL 2008 servers using Azure Data Studio on Linux, you have to build OpenSSL to use now-deprecated encryption standards (I think it was SSL 3.0, or TLS 1.1, or similar).

There’s a lot of complexity in keeping up with changing encryption practices. We can help make sure your company is adequately protected and presents a professional appearance (Why no HTTPS, Shopify? TechCrunch? Come on!).
