
Encrypted Visibility Engine (EVE) vs SSL Decryption on FTD

Carlos T
Level 1

Hi, 

We see "Encrypted Visibility Engine" (EVE) on the FTD is supposed to replace the SSL Decryption feature.

Our requirement is to fully detect and block malware over encrypted traffic (HTTPS). 

At the present time (May 2023), is it safe to use EVE instead of SSL Decryption on new implementations of FTD? I'm using FTD 7.2.

 

On release 7.2, if we enable only EVE and NOT SSL decryption, is it correct that the IPS and File and malware blocking rules don't work (block) malware traffic over the encrypted HTTPS traffic?

 

Thanks,

CT


3 Replies

Marvin Rhoads
Hall of Fame

EVE does not replace SSL decryption. Instead it gives some ability to inspect an SSL/TLS-protected flow by discerning what it can from things like the SSL handshake. That's very different from decrypting and inspecting the encrypted payload.
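
An added example (not part of the original thread, and not Cisco's EVE implementation): the sketch below parses a TLS ClientHello to show which handshake fields are readable without any decryption. The sample record, the host name `example.com`, and the function names are constructed for the illustration.

```python
import struct

def build_sample_client_hello(host: bytes = b"example.com") -> bytes:
    """Constructed ClientHello record (not a capture) so the parser runs offline."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0, len(sni)) + sni                 # server_name
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"          # supported_versions
    suites = struct.pack("!3H", 0x1301, 0x1302, 0xC02F)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record: bytes) -> dict:
    """Return the cleartext fields of a ClientHello held in a single TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return int.from_bytes(take(2), "big")

    version = u16()
    take(32)                      # client random
    take(take(1)[0])              # legacy session id
    suites = take(u16())
    ciphers = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    take(take(1)[0])              # compression methods
    ext_types, sni = [], None
    if pos < len(body):
        end = u16()
        end += pos                # absolute offset where the extension block ends
        while pos < end:
            etype = u16()
            edata = take(u16())
            ext_types.append(etype)
            if etype == 0 and len(edata) >= 5:   # server_name: list len, type, name len, name
                sni = edata[5:5 + int.from_bytes(edata[3:5], "big")].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "extensions": ext_types, "sni": sni}
```

Records of type 0x17 (application data) raise `ValueError` here: their contents are ciphertext, so nothing comparable can be read from them without decryption.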

Carlos T
Level 1

Thanks Marvin, so just to be 100% clear, at the present time (May 2023), if we want to have a safe and secure environment, we should keep using SSL decryption for malware detection and blocking and IPS filtering. Is this correct?

 

I understand that if we have only EVE, but NOT SSL decryption, we are still at risk of passing malware or the IPS engine not detecting malicious connections on HTTPS traffic. Do you agree with this?

 

Thanks,

CT

With respect to perimeter firewall settings, you are correct.

However, the perimeter firewall is only one of several means to protect against malware. Endpoint security, email security and other methods can be used to avoid and deny malware incursions as well.
