topic Re: Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD in Network Security

Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD

Carlos T — Thu, 18 May 2023 13:33:08 GMT

Hi,

We see "Encrypted Visibility Engine" (EVE) on the FTD is supposed to replace the SSL Decryption feature.

Our requirement is to fully detect and block malware over encrypted traffic (HTTPS).

At the present time (May 2023) is safe to use EVE instead of SSL Decryption on new implementations of FTD? Im using FTD 7.2

On release 7.2. If we enable only EVE and NOT SSL decryption, is it correct that the IPS and File and malware blocking rules don't work (block) malware traffic over the encrypted https traffic?

Thanks,

Re: Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD

Marvin Rhoads — Mon, 22 May 2023 17:18:15 GMT

EVE does not replace SSL decryption. Instead it gives some ability to inspect an SSL/TLS-protected flow by discerning what it can from things like the SSL handshake. That's very different from decrypting and inspecting the encrypted payload.

Re: Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD

Carlos T — Mon, 29 May 2023 13:10:50 GMT

Thanks Marvin, so just to be 100% clear, at the present time (May 2023), if we want to have a safe and secure environment, we should keep using SSL decryption for malware detection and blocking and IPS filtering. Is this correct?

I understand that if we have only EVE, but NOT SSL decryption, we are still at risk of passing malware or the IPS engine not detecting malicious connections on HTTPs traffic. Do you agree with this?

Thanks,

Re: Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD

Marvin Rhoads — Mon, 29 May 2023 13:16:15 GMT

With respect to perimeter firewall settings, you are correct.

However, the perimeter firewall is only one of several means to protect against malware. Endpoint security, email security and other methods can be used to avoid and deny malware incursions as well.