How TLS/SSL Protects Against Exploitation and Enhances Visibility

Yigal Amram By: Yigal Amram September 09, 2019

Over the last few years, encryption has become one of the highest priorities for cybersecurity improvements. As important as it is to have strong password policies, advanced firewalls, and secure storage arrays, encryption gives you protection from attackers who would otherwise intercept your data in transit. 

From a business user perspective, encryption means web browsing and application usage is completely secure. But just because up to 96% of traffic through Google is encrypted, and that more than 50% of enterprise traffic is encrypted doesn’t mean data breaches have subsided.

The reality is that encryption works both ways. It can certainly help hide your traffic from unauthorized users, but it can also help attackers hide their malware from your cybersecurity infrastructure.

Without SSL decryption built into your network visibility layer, attackers could take advantage of encrypted traffic to exploit your vulnerabilities.

Why SSL Decryption Is Necessary for Security

The whole purpose of SSL/TLS encryption is to convert data packets into code that can only be decrypted by the intended recipient. Key algorithms ensure SSL and TLS maximize privacy without impacting performance.

There’s just one problem—the many network security and monitoring tools you’ve deployed across your visibility layer aren’t designed to inspect encrypted traffic. Even if you have dedicated TLS and SSL decryption tools in place, they typically aren’t capable of keeping pace with such high volumes of encrypted traffic. 

That’s why, according to Zscaler, malicious content delivered through SSL/TLS has spiked significantly since  2017. Without SSL decryption sitting between links on your network, attackers can capitalize on blind spots in your network visibility in a variety of ways, including:

  • Web Exploits: Attackers have found ways to infect TLS/SSL certificate providers, labeling malicious websites with HTTPS support to make it seem like your browsing is protected. The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) vulnerability was one example of how attackers could exploit users with seemingly secure websites. These web exploits can also come in the form of infected advertising on otherwise protected websites.
  • Phishing: Because most network security tools can’t support SSL decryption at scale, attackers are able to sneak phishing schemes into SSL/TLS protected-websites. Supporting encrypted traffic across your network won’t properly secure your data if phishing schemes give attackers permission to sneak malware through to core systems. 
  • Command and Control: Encryption enables attackers to hide malware and infect your network, giving them access to exploit your business through a command and control (C&C) server. These servers can be used to store stolen data or download new commands, which supports advanced persistent threats (APTs) by facilitating lateral movement in your network.

When you deploy SSL decryption between critical links on your network and on critical traffic in your network, you can uncover malicious packets used to launch attacks like the ones listed here. The real question is how you go about doing that.

Choosing a TLS/SSL Decryption Deployment Option

The biggest challenge when deploying TLS/SSL decryption is finding the balance between performance and cost efficiency. We discussed this topic in a previous article on the SSL decryption but it’s worth reviewing. 

Often it would appear that the easiest way to implement TLS decryption is to take advantage of next-gen firewalls (NGFWs) with this feature built in. Although this would technically give you TLS decryption, it’s far from the optimal option. Activating TLS decryption often degrades NGFW performance significantly. You need your NGFWs to run at peak performance to carry out traditional firewall functionality, deep packet inspection, and intrusion prevention. When NGFWs are bogged down with TLS decryption demands, you sacrifice the performance of typical NGFW functions while also reducing TLS/SSL visibility. 

Rather than trying to force existing security and monitoring tools to carry out TLS decryption, your best approach to balancing performance and cost efficiency is to build this functionality into your network visibility layer. 

With the right network packet brokers (NPBs), you can maintain the integrity of critical links while also maximizing the performance of TLS decryption tools. You’re able to maintain the security of encrypted packets, decrypt in transit to detect malicious activity, and load balance accordingly to ensure no networking tools are oversubscribed..

Deploying SSL Decryption with an Intelligent Visibility Layer

Not all NPBs come outfitted with TLS/SSL decryption capabilities. But with the Packetron module on the Niagara N2 network packet broker, you can decrypt SSL/TLS streams while fully supporting Perfect Forward Secrecy sessions

The Packetron difference is all about building your path to an intelligence visibility layer. This packet acceleration module gives you:

  • Scalable performance with up to 320Gbps processing for different applications, per visibility node
  • De-coupled software architecture to make changes without impacting the host NPB
  • Intuitive configuration that gives you control over packet flows to support inline and out-of-band tools
  • Advanced deduplication capabilities to maximize the efficiency of network security and monitoring tools

Each of these benefits gives you the ability to maximize the ROI on both active and passive SSL decryption deployments. However, your approach to deploying TLS/SSL decryption through your Packetron-enabled NPBs can make all the difference in both network protection and performance. 

Our network visibility experts are here to find you the best possible ways to deploy SSL decryption in your visibility layer. Reach out today and find out how we can help you get the most out of SSL decryption and keep emerging threats at bay.

New call-to-action