
SecOps Blind sighted!?

Written by André Vink | November 24, 2020

Privacy, both in the physical and online world, is one of the things most people value dearly. With the inevitable shift from physical locations and facilities offered by financial institutions, retail stores and government to an online environment, secure communications and transactions are becoming indispensable.

Many people mistakenly assume that as long as the connection is encrypted, they are safe from attack; this couldn’t be further from the truth. Encryption protects everyone who uses it, and that includes cyber criminals and other bad actors who use it to hide their malicious activities.

SSL, or more correctly its successor TLS, has become the de facto encryption standard and is widely adopted by the industry, not only for web connections but also for other protocols such as email. In 2014 Google started including encryption as a ranking factor for search results: websites using encrypted (HTTPS) connections are ranked higher than websites using plain HTTP. This has led to significantly more deployments of encrypted connections.

Obtaining a certificate was still considered a tedious process involving high costs, manual intervention and a certificate issuer. For many less important services encryption was seen as a step too far. This all changed with the introduction of ‘Let’s Encrypt’ in 2016 as a Certificate Authority issuing free, short-lived certificates with automated certificate renewal. Free, easy-to-implement, secured connections became available to everyone, regardless of whether their intentions were good or bad. Finally, recent web browser versions have started to aggressively warn users about, or even refuse to contact, insecure websites.

One of the side effects of the transition to encrypted transport connections is the inability of enterprises to inspect traffic to and from the internet for malicious content or data exfiltration using traditional methods. Encryption creates dark space and blind spots that cybercriminals increasingly use to hide their activities from security teams. The 2018 Annual Cybersecurity Report from Cisco showed that 70% of malware collected took advantage of encrypted network traffic. Equally important is the recent relocation of employees to home offices due to the Covid-19 virus.

Remote working not only created new privacy challenges (personal information that was until recently only available inside the organization is now available in employees’ homes), but the connection between the home and the organization also became another threat vector. Employees are now working in uncontrolled environments, and home security measures can’t stand up to the advanced infiltration methods used by cyber criminals. This makes it easy for them to deploy and distribute RATs (Remote Access Trojans) through the employee’s computer into the company network.

Solving Catch-22

Users’ data can be effectively protected and made invisible to prying eyes: encryption helps protect valuable data, but it also makes it challenging to investigate threats. A typical Catch-22 situation. The obvious answer here is to decrypt the traffic, but that introduces its own challenges and may create security and privacy concerns. Security teams need the ability to decrypt traffic for analysis without violating privacy regulations or making the data more vulnerable to theft or exploitation.

Niagara Networks’ Open Visibility Platform (OVP), available on the N2 modular Packet Broker series, enables advanced SSL/TLS decryption for SSL 3.0 and all TLS versions including TLS 1.3, and supports DOIM (Decrypt Once, Inspect Many) deployments.
The Open Visibility Platform provides three decryption methods, each optimized for a specific use case:


Passive Out-of-Band decryption

For the older encryption methods using non-ephemeral keys, available in SSL 3.0, TLS 1.0/1.1 and a few cipher suites in TLS 1.2, passive decryption is performed on a copy of the encrypted traffic.

Since the decryption is outside the traffic flow there is no latency or processing impact on the traffic flow.


Active Out-of-Band decryption

In this implementation, the SSL Visibility Engine is included inline, which allows it to decrypt and then re-encrypt the traffic so that it can be passed on to the next device in the network. A copy of the decrypted traffic is forwarded to the security device for analysis and reporting. Because the SSL Visibility Appliance is inline, encrypting and decrypting the traffic, this implementation has more in common with Active SSL deployments.


Active Inline decryption

Active SSL deployments are referred to as Man in the Middle (MITM) implementations because they act as a middleman in SSL network communication. In this type of implementation, the SSL Visibility Engine and active security device are connected inline, which means they are a core part of the network and traffic must pass through them before moving on to the next device.
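The split between the three methods above comes down to one question: can the session keys be recovered from a traffic copy, or must the decryptor sit in the path? Static RSA key exchange (the non-ephemeral method in SSL 3.0, TLS 1.0/1.1 and some TLS 1.2 suites) allows passive decryption with the server's private key; (EC)DHE suites and everything in TLS 1.3 use ephemeral keys and need an inline (active) deployment. The following added example, which is not Niagara Networks' code, parses a TLS ServerHello record and reports which deployment model applies to the negotiated session. The cipher-suite IDs are the public IANA registry values; the ServerHello records it classifies are constructed inline for the demonstration, and `build_server_hello` is a hypothetical test helper rather than anything a real stack exposes.

```python
import struct

# Cipher-suite IDs from the IANA TLS registry, grouped by key-exchange method.
# Static RSA key exchange: the session keys derive from a premaster secret
# encrypted to the server's RSA key, so a traffic copy plus that private key
# is enough to decrypt (passive out-of-band).
RSA_KEX_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# (EC)DHE suites and all TLS 1.3 suites use ephemeral keys: the server's
# private key alone cannot recover the session, so decryption must be inline.
EPHEMERAL_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # ServerHello extension carrying the real TLS 1.3 version


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello: version, cipher suite, extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session id
    (cipher,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + 1                      # cipher suite + compression method
    extensions = {}
    if pos + 2 <= len(hello):
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    # TLS 1.3 keeps legacy_version = 0x0303 in the header and signals the
    # negotiated version in supported_versions, so prefer that when present.
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    if sv is not None and len(sv) == 2:
        (version,) = struct.unpack("!H", sv)
    return {"version": version, "cipher": cipher, "extensions": extensions}


def classify_decryption(record: bytes) -> dict:
    """Decide whether a session can be decrypted passively from a traffic copy."""
    info = parse_server_hello(record)
    version, cipher = info["version"], info["cipher"]
    if version <= 0x0303 and cipher in RSA_KEX_SUITES:
        method, reason = "passive out-of-band", "static RSA key exchange"
    elif cipher in EPHEMERAL_SUITES or version >= 0x0304:
        method, reason = "active (inline)", "ephemeral key exchange"
    else:
        method, reason = "unknown", "cipher suite not in table"
    name = RSA_KEX_SUITES.get(cipher) or EPHEMERAL_SUITES.get(cipher) or hex(cipher)
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "cipher": name, "method": method, "reason": reason}


def build_server_hello(version: int, cipher: int, extensions=()) -> bytes:
    """Hypothetical helper: build a minimal ServerHello record (constructed test data)."""
    ext_body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"   # empty session id
             + struct.pack("!H", cipher) + b"\x00"                # null compression
             + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample sessions: (label, ServerHello record)
SAMPLES = [
    ("TLS 1.2 RSA", build_server_hello(0x0303, 0x009C)),
    ("TLS 1.2 ECDHE", build_server_hello(0x0303, 0xC02F)),
    ("TLS 1.0 RSA", build_server_hello(0x0301, 0x002F)),
    ("TLS 1.3", build_server_hello(0x0303, 0x1301, [(EXT_SUPPORTED_VERSIONS, b"\x03\x04")])),
]

if __name__ == "__main__":
    for label, rec in SAMPLES:
        print(label, classify_decryption(rec))
```

Run against captured ServerHello records from a span port, the same classifier tells a visibility team which share of the traffic a passive, zero-latency deployment can still cover and which share forces an inline decryptor; the TLS 1.3 case shows why the header version alone is not enough.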


Decrypt Once, Inspect Many

DOIM can be implemented in different ways depending on the decryption method used. In both passive and active Out-of-Band decryption scenarios, the decrypted traffic can be forwarded to multiple inspection tools.

All inspection tools receive their own copy of the decrypted traffic which can have filters applied before the traffic is forwarded to the appliance. In active Inline deployments service chaining is the typical method to forward the traffic from one Inline appliance to the other.


The Niagara Networks packet broker supports virtual bypass segments with heartbeat checking. These virtual bypass segments enable chaining of multiple Inline security appliances with availability checking of each of the connected appliances. If for any reason an Inline appliance fails, the virtual bypass segment will remove the failed appliance from the chain thereby restoring the connectivity of the entire chain.
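The two mechanisms described above, DOIM fan-out with per-tool filters and an inline service chain whose failed members are removed by heartbeat checking, can be modelled in a few dozen lines. The following added example is not Niagara Networks' code and does not reflect how the N2 packet broker is implemented; `Appliance`, `VirtualBypassChain` and the packet dictionaries are hypothetical, constructed for the demonstration. It shows one decrypted packet being passed through the inline chain, copied to each out-of-band tool that its filter allows, and the chain continuing to pass traffic once an inline appliance stops answering heartbeats.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

Packet = dict  # constructed packet model: {"src", "dst", "port", "payload"}


@dataclass
class Appliance:
    """Hypothetical inline or out-of-band tool attached to the packet broker."""
    name: str
    inline: bool
    # Out-of-band tools may carry a filter so they only receive traffic they care about.
    filter: Optional[Callable[[Packet], bool]] = None
    missed_heartbeats: int = 0
    received: List[Packet] = field(default_factory=list)

    def process(self, pkt: Packet) -> Packet:
        self.received.append(pkt)
        return pkt


@dataclass
class VirtualBypassChain:
    """Inline service chain with heartbeat-based bypass, plus DOIM fan-out."""
    inline: List[Appliance]
    out_of_band: List[Appliance]
    heartbeat_threshold: int = 3  # consecutive misses before an appliance is bypassed

    def heartbeat(self, results: dict) -> None:
        """Record one heartbeat round: results maps appliance name -> replied?"""
        for app in self.inline:
            app.missed_heartbeats = 0 if results.get(app.name, False) else app.missed_heartbeats + 1

    def is_available(self, app: Appliance) -> bool:
        return app.missed_heartbeats < self.heartbeat_threshold

    def forward(self, pkt: Packet) -> List[str]:
        """Pass one decrypted packet through the chain; return the path it took."""
        path = []
        for app in self.inline:
            if self.is_available(app):
                pkt = app.process(pkt)
                path.append(app.name)
            else:
                path.append(f"bypass:{app.name}")  # failed member skipped, chain stays up
        # Decrypt once, inspect many: each out-of-band tool gets its own filtered copy.
        for tool in self.out_of_band:
            if tool.filter is None or tool.filter(pkt):
                tool.process(dict(pkt))
                path.append(f"copy:{tool.name}")
        return path


def demo() -> dict:
    """Walk a chain through healthy, failed and recovered states (constructed data)."""
    ngfw = Appliance("ngfw", inline=True)
    ips = Appliance("ips", inline=True)
    ids = Appliance("ids", inline=False)                       # sees everything
    dlp = Appliance("dlp", inline=False, filter=lambda p: p["port"] == 443)
    chain = VirtualBypassChain(inline=[ngfw, ips], out_of_band=[ids, dlp])
    https = {"src": "10.0.0.5", "dst": "198.51.100.7", "port": 443, "payload": "GET / HTTP/1.1"}
    smtp = {"src": "10.0.0.5", "dst": "198.51.100.8", "port": 25, "payload": "EHLO client"}
    out = {"healthy": chain.forward(https), "smtp": chain.forward(smtp)}
    for _ in range(3):                                          # ips stops answering
        chain.heartbeat({"ngfw": True, "ips": False})
    out["ips_down"] = chain.forward(https)
    chain.heartbeat({"ngfw": True, "ips": True})                # ips comes back
    out["recovered"] = chain.forward(https)
    out["dlp_copies"] = len(dlp.received)
    out["ids_copies"] = len(ids.received)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noting is fail-open: a bypassed appliance keeps the link up at the cost of its inspection, so the heartbeat threshold and the bypass events themselves belong in monitoring, otherwise a silently failed IPS leaves a gap nobody notices.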

Finally, decryption can be combined with data masking to hide personally identifiable information (PII); both are available under the Open Visibility Intelligence part of OVP.
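Data masking applied to decrypted payloads lets inspection tools see protocol structure and indicators without receiving the PII itself. The following added example is not Niagara Networks' code and is not how OVP's masking works; it illustrates the idea on a constructed decrypted HTTP body, masking e-mail addresses and card numbers while leaving other digit runs alone (a Luhn check keeps order numbers and timestamps from being masked by mistake). `mask_pii`, the regular expressions and the sample payload are all assumptions made for the demonstration.

```python
import re

# Regular expressions for the two PII classes handled here (constructed for the example).
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# 13 to 19 digits, optionally separated by spaces or dashes: candidate card numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, usually false for other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match") -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number: keep order ids, timestamps etc. untouched
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for correlation


def _mask_email(match: "re.Match") -> str:
    local, domain = match.group(1), match.group(2)
    return local[0] + "***@" + domain  # domain kept: still useful for detection


def mask_pii(text: str) -> str:
    """Mask e-mail addresses and Luhn-valid card numbers in a decrypted payload."""
    text = EMAIL_RE.sub(_mask_email, text)
    return PAN_RE.sub(_mask_pan, text)


# Constructed decrypted request body; 4111 1111 1111 1111 is a standard test number.
SAMPLE_PAYLOAD = ('{"email": "jane.doe@example.com", "card": "4111 1111 1111 1111", '
                  '"order": "20201124-000123"}')

if __name__ == "__main__":
    print(mask_pii(SAMPLE_PAYLOAD))
```

Masking before fan-out means every downstream tool, and every analyst reading its alerts, sees the masked form; the unmasked copy never leaves the decryption point, which is the property a privacy review will ask about.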

To ensure decrypted data is not visible outside the packet broker, decryption can be combined with Open Visibility Virtualization, which enables running third-party applications such as intrusion detection and prevention systems and next generation firewalls as an integrated service on the network packet broker.