Re: Securing the Perimeter
Our (USDoD) data center did not allow end to end encryption, as they required (and used) the capability to scan all traffic entering or leaving the premises. This started after a remote user's account was compromised and used to upload malware that, as I understood it, affected a major application quite seriously. Those of us already using SSH to internal hosts were not forced immediately to stop, partly because telnet and ftp were disallowed on principle, but ultimately had to switch to out-of-band access using a VPN that terminated at a premise gateway.
In an ideal situation, multiple factor authentication and end-to-end encryption may be suitable, but situations usually are less than ideal. DISA centers typically support thousands of external users and systems, not all of them subject to DoD control.