Encrypted traffic sent through Secure Sockets Layer (SSL)/TLS connections is decrypted at the firewall so that it can be inspected for malware threats. SSL/TLS encryption is used to ensure the confidentiality of data in transit. Because of the many types of threats, encrypted traffic must be inspected using monitoring tools that are capable of decrypting the data. However, many of these monitoring tools degrade performance and slow down data traffic. Usually, SSL/TLS decryption is offloaded to maintain optimum performance of the system.
The firewall uses policy-based decryption to specify which traffic must be allowed or blocked. To decrypt the traffic it uses certificates and keys to convert it into plain text. After inspection, the data traffic is re-encrypted as it exits the firewall.
SSL/TLS is a security protocol for establishing an encrypted channel between a client and a server. It protects the integrity of confidential and private information in transit against tampering, eavesdropping or forgery. Further, an SSL certificate verifies the identity of a remote computer, and can also prove one's own identity to a remote computer.
With SSL decryption, a firewall is placed strategically to intercept the initial messages, instead of allowing the end user's messages to pass through unimpeded. Both parties understand what is happening and that it is necessary to stay secure.
Inbound SSL/TLS Decryption
A copy of the web server's certificate and key is imported to the firewall. A decryption policy is specified to inspect and control inbound SSL/TLS traffic. The firewall accesses, decrypts and inspects the inbound data traffic; it detects and controls malware and other malicious applications.
This policy can be used to decrypt and inspect TLS traffic from employees when they attempt to visit external websites. It can help block malware in files accessed by employees, for example, in malicious attachments opened when they access their personal email accounts.
Outbound SSL/TLS Decryption
Outbound SSL/TLS decryption is also known as SSL Forward Proxy. The outbound TLS connections are proxied by the firewall: outbound TLS requests are intercepted by the firewall and then forwarded to the server. The firewall acts as a trusted third party using Forward Trust or Forward Untrust certificates. In response to the client's request, the server sends a certificate that is intercepted by the firewall. If the firewall trusts the server's certificate, it creates a copy of that certificate, signs the copy with the Forward Trust certificate and sends it to the client. However, if the server certificate is not trusted by the firewall, it signs the copy with the Forward Untrust certificate and sends it to the client for authentication. The client then receives a block page warning that the website is untrusted, and can decide whether to continue or terminate the session. If the client accepts the website, an SSL/TLS session is established.
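The following Go program is an added example, not code from the original page or from any firewall vendor, that models the forward-proxy decision just described with the standard library's `crypto/x509` package. It builds a constructed PKI (a public root the firewall trusts, a rogue CA it does not, and the firewall's own Forward Trust and Forward Untrust CAs), intercepts one server certificate of each kind, re-issues a copy under the appropriate firewall CA, and then checks whether a client whose trust store contains only the Forward Trust CA would accept the copy. The function and type names (`ResignForClient`, `ClientAccepts`, `RunScenario`, `Outcome`) and the host names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with its private key. The firewall's Forward Trust and
// Forward Untrust CAs are modelled this way (constructed here, not loaded from a device).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign builds a certificate from tmpl for pub, signed with key by parent
// (self-signed when parent is nil), and returns the parsed result.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates a self-signed CA with a fresh P-256 key.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, nil, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// serverTemplate describes a TLS server certificate for host with the given validity window.
func serverTemplate(host string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// ResignForClient is the forward-proxy step: the firewall verifies the real server
// certificate against its own trust store and re-issues a copy with the same name and
// validity but the firewall's own key, signed by Forward Trust when the chain verifies
// and by Forward Untrust when it does not. The bool reports the firewall's verdict.
func ResignForClient(server *x509.Certificate, firewallRoots *x509.CertPool,
	forwardTrust, forwardUntrust *CA, proxyPub any) (*x509.Certificate, bool, error) {
	host := server.Subject.CommonName
	if len(server.DNSNames) > 0 {
		host = server.DNSNames[0]
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: firewallRoots, DNSName: host})
	trusted := err == nil
	issuer := forwardUntrust
	if trusted {
		issuer = forwardTrust
	}
	copyCert, err := sign(serverTemplate(host, server.NotBefore, server.NotAfter), issuer.Cert, proxyPub, issuer.Key)
	return copyCert, trusted, err
}

// ClientAccepts mirrors the endpoint: only the Forward Trust CA is in its trust store,
// so a copy signed by Forward Untrust is rejected (the warning page described above).
func ClientAccepts(cert *x509.Certificate, clientRoots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: clientRoots, DNSName: host})
	return err == nil
}

// Outcome records what happened to one intercepted connection.
type Outcome struct {
	Host     string
	Issuer   string // CN of the firewall CA that signed the copy
	Trusted  bool   // firewall's verdict on the real server certificate
	Accepted bool   // whether the client trusts the copy it received
}

// RunScenario builds the constructed PKI and intercepts one server of each kind.
func RunScenario() ([]Outcome, error) {
	cas := map[string]*CA{}
	for _, n := range []string{"Public Root CA", "Rogue CA", "Forward Trust CA", "Forward Untrust CA"} {
		c, err := NewCA(n)
		if err != nil {
			return nil, err
		}
		cas[n] = c
	}
	firewallRoots, clientRoots := x509.NewCertPool(), x509.NewCertPool()
	firewallRoots.AddCert(cas["Public Root CA"].Cert) // firewall's trust store
	clientRoots.AddCert(cas["Forward Trust CA"].Cert) // pushed to managed endpoints
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var out []Outcome
	for _, s := range []struct {
		host string
		ca   *CA
	}{{"bank.example", cas["Public Root CA"]}, {"selfsigned.example", cas["Rogue CA"]}} {
		serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		serverCert, err := sign(serverTemplate(s.host, time.Now().Add(-time.Hour), time.Now().Add(12*time.Hour)),
			s.ca.Cert, &serverKey.PublicKey, s.ca.Key)
		if err != nil {
			return nil, err
		}
		copyCert, trusted, err := ResignForClient(serverCert, firewallRoots,
			cas["Forward Trust CA"], cas["Forward Untrust CA"], &proxyKey.PublicKey)
		if err != nil {
			return nil, err
		}
		out = append(out, Outcome{s.host, copyCert.Issuer.CommonName, trusted, ClientAccepts(copyCert, clientRoots, s.host)})
	}
	return out, nil
}

func main() {
	outcomes, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-20s signed by %-20q firewall trusted=%-5v client accepts=%v\n", o.Host, o.Issuer, o.Trusted, o.Accepted)
	}
}
```

Note that the copy carries the firewall's public key, not the server's: the firewall never holds the external server's private key, which is why it must terminate the client's session itself and open a second session to the server. The example also shows why the Forward Trust CA must be distributed to managed endpoints while the Forward Untrust CA must not be, since the warning the client sees for `selfsigned.example` depends entirely on that difference in the client's trust store.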
Uses of SSL/TLS Decryption
- Block malware hidden in encrypted TLS traffic from entering the enterprise network.
- Detect and block intrusion attempts.
- Prevent data loss.
- Block confidential, sensitive enterprise data from being sent outside the network in unencrypted form.
- Enabling TLS decryption and re-encryption leads to a dramatic decrease in performance.
- Offload SSL/TLS decryption to improve the performance of monitoring tools and the overall system.
- Prevents leakage of information.
- Monitor outgoing data.
- Theft and leakage of confidential enterprise data over TLS connections can be prevented.
- Efficient monitoring of cloud services.
- Overall better security control over data leaving the network.
While some of the above benefits can also be considered disadvantages, it is up to the company to determine how badly it wants to keep data secure and to what lengths it is willing to go.