Cost of End-To-End Encryption (Lack of Intrusion Detection / Prevention in Encrypted Traffic)
End-to-end encryption has its cost. Intrusion Detection and Prevention Systems (IDS and IPS) cannot analyze encrypted traffic, so attack traffic may pass through the IDS / IPS undetected when it arrives in encrypted form. Encryption should be maintained up to a point as close to the destination server as possible: once the traffic has entered the secure site, it can be decrypted for analysis by firewalls, IDS and IPS devices before it reaches the destination servers.
IDS and IPS devices by themselves are incapable of decrypting and re-encrypting traffic. Until this technology is developed, there is a risk of data sniffing on the last mile where the IDS / IPS is set up. This risk, however, can be significantly lower than the risk of malicious traffic reaching your destination servers. The risk of data sniffing can be further reduced by securing the data centre (DC), segregating the last-mile communication into a separate VLAN and turning off port mirroring for the VLANs concerned.
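The trade-off above can be made concrete with a small simulation. The following Python is an added example, not code from the original article: a content-matching IDS step is run over the same request twice, once with encryption carried end to end (the IDS only ever sees ciphertext) and once with encryption terminated at the secure site before the IDS (the IDS sees cleartext, and so does the last-mile segment). The signatures, the request and the key are constructed for the demonstration, and a SHA-256 counter-mode keystream stands in for TLS record encryption so that the example runs on the standard library alone.

```python
"""Where the IDS sits relative to the encryption termination point decides
what it can see.  Added example with constructed data; the keystream cipher
is a stand-in for TLS, not a production construction."""
import hashlib

# Constructed content signatures in the spirit of IDS rules (not a real rule set).
SIGNATURES = {
    "path-traversal": rb"../../",
    "passwd-file-read": rb"/etc/passwd",
}


def inspect(payload: bytes) -> list[str]:
    """IDS step: names of the signatures present in the bytes seen on the wire."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (constructed stand-in for TLS record encryption)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream inverts it


def deliver(request: bytes, key: bytes, terminate_before_ids: bool) -> dict:
    """Model one request crossing client -> perimeter -> IDS -> destination server.

    terminate_before_ids=False: true end-to-end encryption; the IDS sees ciphertext.
    terminate_before_ids=True : encryption ends at the secure site; the IDS sees
                                cleartext, and the last mile carries cleartext too.
    """
    on_wire = encrypt(key, request)  # the client encrypts at the source
    if terminate_before_ids:
        seen_by_ids = decrypt(key, on_wire)  # termination point hands cleartext to the IDS
        server_received = seen_by_ids        # forwarded in the clear over the last mile
    else:
        seen_by_ids = on_wire                # IDS has no key, sees only ciphertext
        server_received = decrypt(key, on_wire)  # only the server can decrypt
    return {
        "alerts": inspect(seen_by_ids),
        "last_mile_cleartext": terminate_before_ids,  # the sniffing risk the text describes
        "server_received": server_received,
    }


# Constructed sample request and key for the demonstration.
REQUEST = b"GET /download?file=../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for label, terminate in (("end-to-end", False), ("terminate-at-site", True)):
        result = deliver(REQUEST, KEY, terminate_before_ids=terminate)
        print(f"{label:18s} alerts={result['alerts']} "
              f"last_mile_cleartext={result['last_mile_cleartext']}")
```

With encryption carried all the way to the server the request is delivered intact but raises no alert; with termination at the secure site both signatures fire, at the price of a cleartext last mile, which is exactly the segment the article says should be placed in its own VLAN with port mirroring disabled.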