Increase Network Visibility with SSL Decryption

By: Jose Anes, April 04, 2019

Why SSL Decryption?

The growing adoption of protocols that secure Internet traffic, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS), is, paradoxically, giving cybercriminals a way to evade network defenses. For example, Gartner Group predicts that, through 2019, more than 80 percent of enterprises' web traffic will be encrypted, and that during 2019 more than 50% of new malware campaigns will use various forms of encryption to conceal delivery and ongoing communications, including data exfiltration.

Internet security teams agree that, to defend enterprise networks and corporate information from threat actors, they need full network visibility across their in-place security tools, for example next-generation firewalls (NGFW), Data Loss Prevention (DLP), Intrusion Prevention Systems (IPS), and Unified Threat Management (UTM). The proliferation of encryption has impeded the scrutiny these tools once had into enterprise network traffic. With high-performance, unified SSL decryption, such tools can inspect SSL connections at line rate to ensure they do not contain threats or other undesirable traffic.

Centralized SSL decryption has several additional important benefits. It optimizes the return on investment of each tool by eliminating the decryption overhead, allowing each tool to operate at maximum performance. In addition, it enables the enterprise network to function as an end-to-end security sensor that detects, contains and prevents emerging, sophisticated security threats.

SSL Decryption Deployment Options

A range of options exists for decrypting SSL traffic, including next-generation firewalls, SSL visibility appliances, and network packet brokers (NPBs). The optimum choice depends on which option provides maximum protection with the minimum operating expense, or maximum ROI for cybersecurity.

At first glance, the straightforward option would seem to be to perform SSL decryption on existing Next-Generation Firewalls (NGFWs), many of which now include SSL decryption as a security feature. However, on closer examination, most of the benefits of doing so turn out to be elusive. SSL decryption is performance-demanding and dramatically reduces the capacity of NGFW security devices. That means IT organizations need to acquire, deploy and manage additional costly NGFW systems, on occasion many more. Specifically, the 2018 NGFW SSL/TLS Security and Performance Test found that SSL decryption overhead had a severe performance impact on NGFW systems, including on average 92% connection degradation, 672% latency rise, and 60% throughput drop.

SSL visibility appliances decrypt network traffic and forward it to other network security tools, such as NGFW, DLP, and IPS systems, for inspection. The challenge that these systems present is increased CapEx and OpEx. In addition to the acquisition cost, an SSL appliance turns out to be yet another application-specific device in the enterprise network that needs to be administered and upgraded, with a configuration and ruleset wholly unlike other security devices. More significantly, SSL decryption appliances offer limited options for increasing performance short of a forklift replacement of the complete solution.

SSL Decryption in Network Packet Broker (NPB)

By integrating SSL decryption capabilities into the NPB-enabled network visibility layer, it's possible to meet the above-referenced performance and ROI challenges. Integrating SSL decryption capabilities through deploying optimized traffic acceleration hardware modules within an NPB is effortless and simpler than the other options and it carries no performance impact for SSL decryption on other NPB functions.

In addition, the NPB is designed to forward traffic requiring inspection to the range of in-place security tools. This means that the NPB can provide a centralized SSL decryption function for network security tools out-of-the-box. The NPB can also maintain the isolation of clear-text traffic, while delivering highly resilient security processing with load-balancing of tools and fail-open behavior.

Decrypted traffic can potentially be seen by anyone with access to network monitoring tools, and this is particularly problematic for monitoring data stored in DLPs, logs, and other databases, as it often violates regulatory compliance mandates. Once again, NPBs can help, by masking data that doesn't need to be exposed. In short, SSL-enabled NPBs can decrypt network data, aggregate it and filter it, apply data masking as needed and only then distribute it to the proper security and monitoring tools for analysis.

The Impact of TLS 1.3 on Network Visibility

In March 2018, the Internet Engineering Task Force (IETF) approved the TLS 1.3 specification. While the new TLS version has a number of enhancements from a security standpoint, adoption of the new standard has generated concerns as TLS 1.3 requires the use of Perfect Forward Secrecy (PFS).

An adversary may record the encrypted traffic between users and a website protected by TLS and, some time after recording it, manage to steal the private key from the website's server. In this case, the adversary can decrypt all the TLS connections that were previously recorded, as well as future communications. PFS has been designed to address this vulnerability.

With PFS, even if attackers retrieve the private key of a certificate, they are unable to decrypt past or future communications. When PFS keys are used, the session key is exclusively generated from both client and server information. The practical effect of PFS is that traffic captured in the past cannot be decrypted if someone is able to obtain the server key.


Fig. 1 With PFS, unique session keys are generated using both client and server information.

The challenge that PFS presents is that PFS handshakes are incompatible with the decryption capabilities in network monitoring tools which analyze network traffic. This means that IT operations and security teams cannot use such monitoring tools to detect security attacks, address performance issues, or plan for capacity expansion. Enterprises depend on delivering a high-performance, predictable and seamless experience for their customers, so this is not just an IT Operations or security challenge, it’s also a potential revenue concern.
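The difference between the two key exchanges, as an added example that is not part of the original article: with static RSA key transport, a recorded session opens for anyone holding the server's long-term key, while with ephemeral Diffie-Hellman only a handshake endpoint's one-time secret does. The toy parameters, the XOR stream cipher and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key
DH_P, DH_G = 2**255 - 19, 2                        # toy finite-field DH group


def kdf(secret: int) -> bytes:
    """Derive a 32-byte session key from a shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))


def static_rsa_session(plaintext: bytes) -> dict:
    """Non-PFS: the client sends the pre-master secret under the server's RSA key."""
    pre_master = secrets.randbits(128)
    return {"key_exchange": pow(pre_master, RSA_E, RSA_N),
            "ciphertext": xor_stream(kdf(pre_master), plaintext)}


def ephemeral_dh_session(plaintext: bytes):
    """PFS: one-time DH secrets; returns the capture and the server's ephemeral secret."""
    a = secrets.randbelow(DH_P - 2) + 1   # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1   # server ephemeral secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    capture = {"key_exchange": (client_pub, server_pub),
               "ciphertext": xor_stream(kdf(pow(server_pub, a, DH_P)), plaintext)}
    return capture, b


def decrypt_capture(capture: dict, server_private_key: int, ephemeral_secret=None):
    """Recover plaintext from recorded traffic, or None if the key material is insufficient."""
    kx = capture["key_exchange"]
    if isinstance(kx, int):               # static RSA: the long-term key is enough
        pre_master = pow(kx, server_private_key, RSA_N)
        return xor_stream(kdf(pre_master), capture["ciphertext"])
    if ephemeral_secret is None:          # PFS: the long-term key reveals nothing
        return None
    shared = pow(kx[0], ephemeral_secret, DH_P)
    return xor_stream(kdf(shared), capture["ciphertext"])
```

This is why a monitoring tool that was only loaded with the server's private key loses visibility once PFS is in use: the key it holds no longer takes part in deriving the session key.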

The good news for Niagara Networks' customers is that the optional Packetron module for the Niagara N2 network packet broker series not only has the capability to decrypt TLS streams but also offers full support for Perfect Forward Secrecy (PFS) sessions. That means that Packetron provides a unified TLS decryption capability, including support for TLS 1.3, for in-place network security and monitoring tools.

In the future, you can expect a relentless increase in TLS 1.3 deployment using Perfect Forward Secrecy (PFS). If you want your IT teams to continue to have robust security with complete visibility into the future, schedule a consultation with a Niagara Networks visibility expert today.
