Confirmation on HTTPS decryption

MICHAEL HORNE
Frequent Visitor

Hello All,

Reading the documentation has led me to understand that the decryption of HTTPS traffic for content filtering / inspection is not possible, and that filtering for HTTPS traffic will be based only on the host name.

Can someone just confirm that SSL decryption is not possible?

Many thanks,

Michael

35 Replies

The Umbrella integration for MX is available, in Beta, now - with all the cautions that entails. You will need to be running MX r15 to access it, will need Advanced Security license in your Organization and will need Support to enable it for you. You will, of course, require an appropriate Umbrella subscription too. More information available here: https://documentation.meraki.com/MR/Other_Topics/Integrating_Cisco_Umbrella_with_Meraki_Networks

I don't have a date at which this would become a 'generally available' feature, but I would not expect it to be imminent.

shaun.oliver
Level 4

It's unfortunate as there's a huge increase in malware/etc using HTTPS to bypass basic filtering.

SSL inspection is a big gap for the MX-line, certainly it'd be a very welcome feature!

Completely agree. This is really essential and it makes a mockery of many of the features that the MX line claims it can do.

- The advertised "Intrusion Prevention/IDS" feature (powered by SNORT) can't prevent any exploits from SSL-enabled servers.

- Neither can the anti-malware feature (the MX will happily let you download a virus executable from an SSL-enabled website).

- The Google search filtering doesn't work as they have moved to SSL.

- The "URL logging" feature (in beta) is completely unable to show the URLs for SSL websites. So we can't even view a history of a user's Google searches.

The majority of the web uses SSL now, and the MX appliance is therefore not fit for the purposes it advertises.

I've not heard anything about SSL Intercepting Proxy servers stopping working with a new version of TLS, do you have a link or some more information on that?

Interesting link.

I found that Symantec is selling a security appliance that can decrypt the draft standard of TLS 1.3, so the measures must still allow some implementations of MITM: https://www.symantec.com/theme/secure-decryption

I disagree with the assumption that because TLS 1.3 exists that this isn't worth looking into. Many big websites, e.g. PayPal have only just moved over to TLS 1.2 this year, which can be proxied. TLS 1.2 is not due to be depreciated at any point in the immediate future. Plus an SSL Proxy could be implemented with the existing transparent proxy software that the MX already runs on (squid), with some configuration changes.

I feel there is a huge missed opportunity here. The Meraki Systems Manager agent could massively simplify the deployment of a trusted SSL certificate to the client PCs and devices. It could be a complete security solution, at the moment it has a giant hole of 50% of the web through the middle of it (and growing).

I think the Symantec article you highlight is a little light on detail, on precisely what it can do (and what it can't). Fundamentally, if clients are required to fully verify the chain of trust, certificate-wise, with the target server (which is one of the TLS1.3 pre-reqs, as I understand it) then support for new TLS 1.3 cipher suites alone will not solve the conundrum. Of course, the adoption rate of TLS1.3 is always open to debate.

@GreenMan - It is making some pretty specific claims on this link:
https://www.symantec.com/products/ssl-visibility-appliance

"Enable the secure inspection of TLS 1.3 encrypted traffic"
"Enables the inspection of all ports and protocols of traffic including TLS 1.3 draft versions 18 - 21"

@BlakeRichardson - The Fortigate routers I linked to were $900 and $1800, so it is possible to get SSL inspection on products that are comparable in cost to the Meraki MX Security Appliances.

@ccnewmeraki wrote:

TLS 1.2 is not due to be depreciated at any point in the immediate future.

That isn't what depreciated means.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

GreenMan, it seems like every other vendor has some sort of HTTPS decryption. Sophos XG, SonicWall, Fortinet, even Cisco ASA 5506-X with FirePower all seem to be able to do this. As more traffic becomes SSL, if I want to be honest to customers on features I think I have to point them back to the ASA line vs MX. With new products due out soon, has there been any update on decryption?

It's clearly a typo for the word "deprecated."

BlakeRichardson
Meraki Community All-Star

@MICHAEL HORNE You are correct, unless you use a vendor that provides an appliance capable of DPI-SSL; however, the cost for this sort of thing is high and it's not always perfect.

While TCP security is being improved the bad guys are also making use of the "invisibility" this gives them. This is why we can't rely fully on security appliances and we must be using good antivirus software.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

@BlakeRichardson By 'cost' do you mean price or performance?

Fortigate's entry-level NGFW 115 firewall range achieves throughput of 100 Mbps with SSL Inspection on low-end Intel Atom CPUs:
https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_appliances_specs_en.pdf

Their NGFW 321 doesn't specify the CPU used but it has a lower power draw than a Meraki MX84 and it achieves 150 Mbps throughput with SSL Inspection enabled.
https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_ngfw_300_series_en.pdf

BlakeRichardson
Meraki Community All-Star

@ccnewmeraki Sorry, I was meaning price, not performance. One firewall I manage has a DPI-SSL maximum throughput of 1 Gbps, so for most people that would be more than enough.


@ccnewmeraki:

Fortinet firewalls have FPGAs or custom chips to do the heavy lifting in their SSL inspection.
Dave Anderson