What is SSL/TLS Decryption?
Encrypted traffic sent over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections is decrypted at a firewall so that it can be inspected for malware and other threats. SSL/TLS encryption is used to ensure the confidentiality of data in transit. Because many types of threats can hide inside encrypted sessions, encrypted traffic must be inspected by monitoring tools that are capable of decrypting it. However, many of these monitoring tools degrade performance and slow down data traffic, so SSL/TLS decryption is usually offloaded to a dedicated device to maintain optimum performance of the system. The firewall uses policy-based decryption to specify which traffic must be decrypted, allowed or blocked. To decrypt the traffic it uses certificates and keys to convert it into plain text. After inspection, the traffic is re-encrypted as it leaves the firewall.
About Secure Sockets Layer/Transport Layer Security
SSL/TLS is a security protocol for establishing an encrypted link (channel) between a client and a server. It protects the confidentiality and integrity of private information in transit against tampering, eavesdropping and forgery. Further, an SSL certificate lets a client verify the identity of a remote server, and can also prove the client's own identity to that server.
With SSL decryption, a firewall is placed in the path of the connection so that it intercepts the initial handshake messages instead of letting the end user's connection pass through untouched. Both parties understand what is happening and that it is necessary to stay secure.
Inbound SSL/TLS Decryption
A copy of the web server's certificate and private key is imported into the firewall, and a decryption policy is specified to inspect and control inbound SSL/TLS traffic. The firewall decrypts and inspects the inbound traffic, then forwards it to the web server unchanged. As it inspects the traffic, the firewall detects and controls malware and other malicious applications.
Outbound SSL/TLS Decryption (SSL Forward Proxy)
In outbound SSL/TLS decryption (also known as SSL Forward Proxy), outbound TLS connections are proxied by the firewall: the client's TLS request is intercepted by the firewall and then forwarded to the server. The firewall acts as a trusted third party using Forward Trust and Forward Untrust certificates. In response to the client's request, the server sends its certificate, which the firewall intercepts. If the firewall trusts the server's certificate, it creates a copy of that certificate, signs the copy with the Forward Trust certificate and sends it to the client. If the server certificate is not trusted by the firewall, it instead signs the copy with the Forward Untrust certificate and sends that to the client for authentication. The client then receives a block page warning that the website is untrusted and can decide whether to continue or terminate the session. If the client accepts the website, an SSL/TLS session is established.
The firewall functions as a trusted forward proxy, and whenever it receives traffic from the server it decrypts it, applies security policies for inspection, re-encrypts it and then forwards it to the client. Exceptions may also be defined to exclude specific applications.
An outbound SSL/TLS decryption policy can be used to decrypt and inspect TLS traffic from employees when they visit external websites. It can help block malware in files accessed by employees, for example malicious attachments opened from personal email accounts.
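The Forward Trust / Forward Untrust flow above is easier to reason about as a small model. The following is an added illustration, not the firewall vendor's code: there is no real cryptography in it. A certificate is a small record, "signing" means setting the issuer field, and a trust store is a set of CA names (the CA names, hostnames and dates are constructed for the example). What it shows is which checks the firewall applies to the upstream certificate, which Forward CA it re-issues under, and what the client then sees depending on whether the Forward Trust CA has been deployed to it.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

# Constructed CA names for the illustration.
FORWARD_TRUST_CA = "Corp Forward Trust CA"      # pushed to managed endpoints
FORWARD_UNTRUST_CA = "Corp Forward Untrust CA"  # deliberately installed nowhere


@dataclass(frozen=True)
class Cert:
    subject: str                 # hostname the certificate was issued to
    issuer: str                  # CA that "signed" it (toy model: name only)
    not_after: datetime          # expiry
    sans: Tuple[str, ...] = ()   # subject alternative names


def validate(cert: Cert, host: str, trust_store: Set[str], now: datetime) -> Optional[str]:
    """Chain, expiry and hostname checks in the order a verifier fails them.
    Returns None when the certificate is acceptable, otherwise a short reason."""
    if cert.issuer not in trust_store:
        return "unknown issuer"
    if now >= cert.not_after:
        return "expired"
    if host != cert.subject and host not in cert.sans:
        return "hostname mismatch"
    return None


def firewall_reissue(server_cert: Cert, host: str, firewall_trust: Set[str],
                     now: datetime) -> Tuple[Cert, Optional[str]]:
    """Firewall side: copy the upstream certificate's identity and sign the copy
    with the Forward Trust CA if the upstream chain validated, otherwise with
    the Forward Untrust CA. Returns (certificate sent to client, upstream failure)."""
    reason = validate(server_cert, host, firewall_trust, now)
    ca = FORWARD_TRUST_CA if reason is None else FORWARD_UNTRUST_CA
    return replace(server_cert, issuer=ca), reason


def client_outcome(cert: Cert, host: str, client_trust: Set[str], now: datetime) -> str:
    """Client side: 'established' when the re-issued certificate validates,
    otherwise a block page on which the user decides whether to continue."""
    reason = validate(cert, host, client_trust, now)
    return "established" if reason is None else "block page (%s)" % reason


def simulate(server_cert: Cert, host: str, firewall_trust: Set[str],
             client_trust: Set[str], now: datetime) -> str:
    """Run one connection through the proxy and report what the client sees."""
    client_cert, _ = firewall_reissue(server_cert, host, firewall_trust, now)
    return client_outcome(client_cert, host, client_trust, now)


# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FIREWALL_TRUST = {"Example Public Root"}                     # firewall's CA bundle
MANAGED_CLIENT = {"Example Public Root", FORWARD_TRUST_CA}   # corp CA deployed
UNMANAGED_CLIENT = {"Example Public Root"}                   # e.g. a personal laptop
GOOD_SITE = Cert("www.example.test", "Example Public Root",
                 datetime(2025, 1, 1, tzinfo=timezone.utc), ("example.test",))
SELF_SIGNED = Cert("selfsigned.example.test", "selfsigned.example.test",
                   datetime(2025, 1, 1, tzinfo=timezone.utc))
EXPIRED = Cert("old.example.test", "Example Public Root",
               datetime(2023, 1, 1, tzinfo=timezone.utc))


def main() -> None:
    cases = [
        ("public site, managed client", GOOD_SITE, "www.example.test", MANAGED_CLIENT),
        ("public site via SAN", GOOD_SITE, "example.test", MANAGED_CLIENT),
        ("self-signed site", SELF_SIGNED, "selfsigned.example.test", MANAGED_CLIENT),
        ("expired site", EXPIRED, "old.example.test", MANAGED_CLIENT),
        ("hostname mismatch", GOOD_SITE, "other.example.test", MANAGED_CLIENT),
        ("public site, unmanaged client", GOOD_SITE, "www.example.test", UNMANAGED_CLIENT),
    ]
    for label, cert, host, client in cases:
        _, upstream = firewall_reissue(cert, host, FIREWALL_TRUST, NOW)
        print("%-32s upstream=%-18s client=%s" % (
            label, upstream or "ok", simulate(cert, host, FIREWALL_TRUST, client, NOW)))


if __name__ == "__main__":
    main()
```

Two practitioner points fall out of the model. First, the client only ever sees the firewall's Forward CAs, so every upstream failure (self-signed, expired, wrong hostname) collapses into the same "unknown issuer" warning on the endpoint; the firewall's decryption log is where the real reason lives. Second, an endpoint without the Forward Trust CA gets a warning on every decrypted site, including perfectly good ones, so the Forward Trust CA must be deployed to all managed endpoints while the Forward Untrust CA is never distributed.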
Key Applications of SSL/TLS Decryption
- Block malware hidden in encrypted TLS traffic from entering the enterprise network.
- Detect and block intrusion attempts.
- Prevent data loss. Block confidential, sensitive enterprise data from being sent outside the network in encrypted form.
- Decrypt traffic based on rules specified in policies. Exceptions can be configured to allow or block specific data traffic or applications.
- Offload SSL/TLS decryption to improve the performance of the monitoring tool and the overall system.
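The "decrypt based on rules, with exceptions" application in the list above comes down to an ordered rule set evaluated first-match-wins. The following is an added example, not the vendor's policy engine: a minimal decryption-policy evaluator with constructed zone, category, application and host names. Exceptions are simply no-decrypt rules placed above the broad decrypt rule, and the `shadowed` check flags the classic mistake of placing an exception below the rule that already matches everything it would match.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str       # zone the connection originates from
    dst_host: str       # server name from the TLS handshake
    category: str       # URL category assigned by the firewall (constructed names)
    application: str    # application identified on the wire


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "decrypt" or "no-decrypt"
    src_zones: Optional[FrozenSet[str]] = None      # None means "any"
    categories: Optional[FrozenSet[str]] = None
    applications: Optional[FrozenSet[str]] = None
    hosts: Optional[FrozenSet[str]] = None


# Rule field -> the flow attribute it constrains.
FIELDS = {"src_zones": "src_zone", "categories": "category",
          "applications": "application", "hosts": "dst_host"}


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every constrained field contains the flow's value."""
    for field, attr in FIELDS.items():
        allowed = getattr(rule, field)
        if allowed is not None and getattr(flow, attr) not in allowed:
            return False
    return True


def evaluate(rules: Sequence[Rule], flow: Flow,
             default: str = "no-decrypt") -> Tuple[str, str]:
    """First matching rule wins; the default applies when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "default"


def _covers(earlier: Optional[FrozenSet[str]], later: Optional[FrozenSet[str]]) -> bool:
    # Field of an earlier rule covers the later rule's field if it is "any"
    # or a superset of the later rule's explicit set.
    return earlier is None or (later is not None and later <= earlier)


def shadowed(rules: Sequence[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule matches
    every flow they would match. A no-decrypt exception sitting below the
    broad decrypt rule is the usual way this happens."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if all(_covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS):
                out.append(later.name)
                break
    return out


def decide_all(rules: Sequence[Rule], flows: Sequence[Flow]) -> List[Tuple[str, str, str]]:
    return [(f.dst_host,) + evaluate(rules, f) for f in flows]


# Constructed sample policy: exceptions first, broad decrypt rule last.
POLICY = [
    Rule("exclude-sensitive-categories", "no-decrypt",
         src_zones=frozenset({"trust"}),
         categories=frozenset({"financial-services", "health-and-medicine"})),
    Rule("exclude-pinned-updater", "no-decrypt",
         hosts=frozenset({"updates.example-vendor.test"})),
    Rule("decrypt-outbound-web", "decrypt", src_zones=frozenset({"trust"})),
]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("trust", "mail.example.test", "web-based-email", "web-browsing"),
    Flow("trust", "bank.example.test", "financial-services", "web-browsing"),
    Flow("trust", "updates.example-vendor.test", "computer-and-internet-info", "ssl"),
    Flow("guest", "video.example.test", "streaming-media", "ssl"),
]


if __name__ == "__main__":
    for host, action, rule in decide_all(POLICY, SAMPLE_FLOWS):
        print("%-32s %-10s (%s)" % (host, action, rule))
    print("shadowed rules, correct order:", shadowed(POLICY))
    print("shadowed rules, reversed order:", shadowed(list(reversed(POLICY))))
```

Run as a script it prints one decision per flow and then the shadow check for the policy as written and for the same rules in reverse order; in the reversed order the sensitive-category exception is reported as shadowed, which is exactly the "my exception is not working" symptom seen on a real firewall when rule order is wrong.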
Features and Benefits of SSL/TLS Decryption
- Enabling TLS decryption and re-encryption leads to a dramatic decrease in performance
- Blocks malware attacks and provides better security against SSL Sniffing
- Prevents leakage of information
- Monitors outgoing data
- Malware hidden within SSL can have drastic consequences. Employees may access personal email, and the attachments within may have malware.
- Theft or leakage of confidential enterprise data over TLS connections can be prevented
- It helps ensure authentication as well as monitor performance of applications.
- Efficient monitoring of cloud services
- Though SSL decryption puts a heavy strain on network resources, SSL offloading lets you enjoy its benefits without that cost.
- Overall better security – Good control over data leaving the network
While some of the above benefits can be considered disadvantages, it is up to the company to determine how badly they want to keep data secure and to what lengths they are willing to go. For example, employees who are checking their emails or browsing the web on their lunch hour could have their network traffic monitored, even if they aren’t doing anything untoward. However, as long as employees are aware that this will happen, there shouldn’t be any problems. Contact us today to learn more about our product.