Exam PCNSE
Question 323

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

    Correct Answer: A

    A common obstacle for decrypting traffic from guest devices is that guest devices may not trust the CA certificate used for the forward trust certificate. As guest devices are not managed by the organization, they might not have the certificate authority (CA) certificates installed that are necessary to trust the organization's forward trust certificate, thus preventing successful decryption of their traffic.

Discussion
TAKUM1y Option: A

https://live.paloaltonetworks.com/t5/general-topics/decrypt-guest-network-traffic/td-p/119388

hpbdcb Option: C

For Germany it is 100% C!

Jared28

Definitely A but yeah, C could absolutely be true depending on the laws in the region the firewall is in.

TAKUM1y

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

datz Option: A

I would say the answer is A. Guests will be accepting the policy/guidelines of using your Internet, so not really an obstacle. Similarly to BYOD devices, enterprises don’t control guest devices. If you allow guest devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect guest users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Include the process in your company’s privacy and computer usage policy.

123XYZT Option: C

C: Prepare updated legal and HR computer usage policies to distribute to all employees, contractors, partners, guests, and any other network users so that when you roll out decryption, users understand their data can be decrypted and scanned for threats.

123XYZT Option: C

I think it is C; you could use a root certificate, like one from GoDaddy, and the guest device will trust it.

bimyo

Not really clear here; it seems it could be A or C. https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment