Feb 16 2019 01:22 PM
Thoughts on this one greatly appreciated.
The challenge comes from information as provided by articles such as this one https://techcommunity.microsoft.com/t5/Office-365-Blog/Getting-the-best-connectivity-and-performance...
The step "Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365" is the concerning one.
So if we take a step back and analyse how this is reviewed by security architects.
The recommendation that we bypass proxies and traffic inspection devices creates challenges around tenancy restriction.
The crux of the matter is that going direct and not performing ANY inspection on traffic allowed to go direct creates a massive hole and avenue for data leakage for any organisation.
An NGFW is typically an inline device that can operate as firewall, IPS, application control, URL filtering etc. It can perform the SSL inspection inline in a way that cannot be bypassed. They can also have an integration with the Microsoft web service that provides all of the IP address updates automatically so that the gateways do not need to be manually updated whenever Microsoft changes/updates the IP addresses.
However, performing this inspection goes against what Microsoft recommends which means a possible large security hole will be created.
What is the right thing to do?
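One way to narrow the trade-off raised in the post above, as an added example that is not part of the original thread: take endpoint sets in the schema of Microsoft's IP address and URL web service, send only the chosen category direct by IP range, and keep everything else, including the sign-in hosts needed for tenant restriction, on the inspected path. The sample data, the `build_policy` helper and the choice of sign-in hosts are assumptions made for this illustration.

```python
import ipaddress
import json

# Constructed sample in the schema of the Office 365 IP Address and URL web
# service (endpoints.office.com). Ids, hosts and ranges are illustrative only.
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
  "urls": ["mail.example.com"], "ips": ["192.0.2.0/24", "2001:db8:1::/48"]},
 {"id": 2, "serviceArea": "Common", "category": "Allow",
  "urls": ["login.microsoftonline.com", "login.windows.net"],
  "ips": ["198.51.100.0/24"]},
 {"id": 3, "serviceArea": "Common", "category": "Default",
  "urls": ["*.cdn.example.net"]},
 {"id": 4, "serviceArea": "SharePoint", "category": "Optimize",
  "urls": ["files.example.com", "login.microsoft.com"],
  "ips": ["203.0.113.0/24"]}
]""")

# Assumption: sign-in hosts where the proxy inserts the tenant restriction
# header, so they must never be routed around inspection.
TENANT_RESTRICTION_HOSTS = {
    "login.microsoftonline.com", "login.microsoft.com", "login.windows.net",
}


def build_policy(endpoint_sets, bypass_categories=("Optimize",)):
    """Split endpoint sets into networks sent direct and hosts kept inspected."""
    bypass, inspect = set(), set()
    for es in endpoint_sets:
        urls = set(es.get("urls", []))
        # ip_network() rejects malformed ranges instead of passing them on.
        nets = {ipaddress.ip_network(n) for n in es.get("ips", [])}
        direct = bool(
            es.get("category") in bypass_categories
            and nets  # URL-only sets cannot be bypassed by IP range
            and not urls & TENANT_RESTRICTION_HOSTS
        )
        if direct:
            bypass |= nets
        else:
            inspect |= urls
    return {"bypass_networks": sorted(str(n) for n in bypass),
            "inspect_hosts": sorted(inspect)}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE), indent=1))
```

Set 4 is in the bypass category but lists a sign-in host, so it stays inspected; widening `bypass_categories` does not change that.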
Feb 17 2019 09:14 AM
Recommendations are just that, they are not mandatory, neither are they designed to apply to 100% of the customers out there. Follow them as closely as possible but don't let them be a restriction and make the best decision for your specific requirements.