Security / February 11, 2017

The Power of Selective Decryption

Updated September 25, 2021. 

During Gigamon’s recent sales kickoff, I sat down with Global Security Strategist Ian Farquhar to talk about the trend toward stronger encryption and the pros and cons of the pending TLS 1.3 standard. As you’ll see, we also got to share exciting news about Gigamon’s new inline SSL Decryption functionality that addresses a corresponding need for selective decryption to gain visibility into encrypted traffic. Here are some of the highlights, but we invite you to watch our video series to learn more.

Right to Encrypt/Decrypt

In response to criticisms of TLS 1.2, most notably the extra round trip in its handshake and the weak legacy cipher suites and key-exchange modes it still permits, the Internet Engineering Task Force (IETF) designed TLS 1.3 (published as RFC 8446 in August 2018) to be both faster and more secure. The issue is that while the secrecy improvements clearly benefit connections over the open Internet, they disrupt the teams that need to inspect that traffic for troubleshooting, compliance, and application performance management on enterprise networks.

No doubt, by removing static RSA and static Diffie-Hellman key exchange and allowing only ephemeral (EC)DHE, so that every session has perfect forward secrecy (PFS), the IETF makes passive decryption impossible for anyone who holds only the server's long-term private key, and that is exactly what diminishes exploitation of Internet traffic. But at what cost? For an enterprise the same property means that its own passive tap, loaded with the server's key, can no longer decrypt anything. Unless session secrets are exported from an endpoint (browsers, for example, support the SSLKEYLOGFILE mechanism), the change forces organizations into inline interception, a much more complex architecture that adds latency and reduces reliability.

What might help? 1) non-PFS cipher suites (or "TLS Enterprise") for data center use; and 2) mandated lawful intercept options to help law enforcement agencies defend against cybercrime. Proposals of the first kind were put to the IETF TLS working group and were not adopted; a static-key variant was later published outside the IETF by ETSI as Enterprise Transport Security (ETS).

Also, beyond data center teams, the impact of encryption standards extends to legal, compliance, and HR. Once organizations start to decrypt SSL/TLS, they run into privacy and compliance challenges. For example, under HIPAA, decrypting patient traffic exposes protected health information to every monitoring tool and operator downstream, which is very hard to do safely. Under PCI DSS, decrypted cardholder data landing on a monitoring tool pulls that tool into audit scope; card data needs to stay segregated and protected. Under the EU Data Protection Directive (since replaced by the GDPR), traffic to a site whose certificate was issued to a German organization might have to be left encrypted, while traffic to sites in Russia, the U.S., or South America could be decrypted.

In these cases, whitelisting (i.e., don't decrypt this) and blacklisting (i.e., decrypt this) become very important. A company won't want to decrypt an employee's personal banking session, but if it suspects that employee is leaking information to a file storage site, it may decide to decrypt that traffic and send it to a DLP tool. With the Gigamon Visibility Platform, whitelists and blacklists can be defined based on IP address, certificate status and metadata, URL categorization, domain name, and more. For compliance and legal officers, this selective and fine-grained decryption capability eases the "all or nothing" concern and lets them choose what's best under company policy. One practical constraint: the bypass-or-decrypt decision has to be made from what is visible before the session is opened, typically the destination IP and the SNI hostname in the ClientHello, plus the server certificate in TLS 1.2. TLS 1.3 encrypts the certificate, so an inline device that classifies on certificate fields must complete the server side of the handshake first and decide from there.

Growth of Encrypted Traffic

Encrypted traffic is growing by leaps and bounds. In fact, some believe it will soon be the default for all Internet communications. It makes sense. Not only are you protecting the data, but you’re ensuring that it hasn’t been modified in transit and that you’re connected to what you think you’re connected to. It’s a trend further driven by the cloud, with more and more Web applications, IoT, and various scanning and sensing devices proliferating across networks and using encrypted traffic.

For enterprises, however, there will be several challenges in moving to TLS 1.3. Take, for example, a company with a many-tiered infrastructure that needs to see traffic between tiers to manage application performance. If an application starts to misbehave, the team needs to understand which component needs fixing. With TLS 1.3 and its PFS-only key exchange, the problem is that they would need to put inline devices between every single tier, which, as mentioned previously, can reduce reliability, cause traffic bottlenecks, and add latency.

In this situation, it’s evident why passive decryption makes sense—and why moving TLS 1.3 to PFS-only does not.
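To make the claim behind this section and the earlier PFS discussion concrete, here is an added simulation (not Gigamon's code) of the two TLS 1.2 key-exchange families as seen by a passive tap that holds a copy of the server's long-term RSA private key. The TLS 1.2 PRF is implemented as RFC 5246 specifies; the RSA key (textbook, unpadded, built from two Mersenne primes) and the Diffie-Hellman group are toy parameters chosen so the code runs with the standard library alone and must not be used for anything real. In TLS 1.3 the RSA branch no longer exists at all, which is the whole reason the page is arguing about inline versus passive.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


# --- TLS 1.2 PRF, RFC 5246 section 5 (the real algorithm) ---------------------
def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


# --- toy long-term RSA key and toy DH group (NOT safe parameters) ---------------
def toy_rsa_keypair() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA from two Mersenne primes; no padding, illustration only. Returns (pub, priv)."""
    p, q, e = 2**521 - 1, 2**127 - 1, 65537
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


DH_P, DH_G = 2**521 - 1, 5                   # toy group; real deployments use RFC 7919 groups


def rsa_key_exchange(server_pub, client_random: bytes, server_random: bytes) -> Tuple[Dict, bytes]:
    """TLS 1.2 RSA key exchange: the client sends the premaster encrypted to the server's key."""
    n, e = server_pub
    premaster = b"\x03\x03" + os.urandom(46)                         # client_version + 46 random bytes
    capture = {                                                      # what a tap sees on the wire
        "kx": "RSA",
        "client_random": client_random, "server_random": server_random,
        "ClientKeyExchange": pow(int.from_bytes(premaster, "big"), e, n),
    }
    return capture, master_secret(premaster, client_random, server_random)


def dhe_key_exchange(client_random: bytes, server_random: bytes) -> Tuple[Dict, bytes]:
    """TLS 1.2 DHE: fresh exponents on both sides; the server's RSA key only signs g^b."""
    a = int.from_bytes(os.urandom(64), "big") % (DH_P - 2) + 2
    b = int.from_bytes(os.urandom(64), "big") % (DH_P - 2) + 2
    g_a, g_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    z = pow(g_b, a, DH_P)
    assert z == pow(g_a, b, DH_P)                                    # the server derives the same Z
    premaster = z.to_bytes((z.bit_length() + 7) // 8, "big")         # RFC 5246 8.1.2: Z, leading zeros stripped
    capture = {
        "kx": "DHE",
        "client_random": client_random, "server_random": server_random,
        "ServerKeyExchange": g_b, "ClientKeyExchange": g_a,
    }
    return capture, master_secret(premaster, client_random, server_random)


def passive_decrypt(capture: Dict, server_priv) -> Optional[bytes]:
    """A passive tap holding a copy of the server's long-term private key (n, d)."""
    if capture["kx"] == "RSA":
        n, d = server_priv
        premaster = pow(capture["ClientKeyExchange"], d, n).to_bytes(48, "big")
        return master_secret(premaster, capture["client_random"], capture["server_random"])
    # DHE/ECDHE: the wire carries only g^a and g^b. The long-term key signed g^b
    # but encrypted nothing, so it gives the tap no route to Z = g^ab.
    return None


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    cr, sr = os.urandom(32), os.urandom(32)
    cap, ms = rsa_key_exchange(pub, cr, sr)
    print("RSA  tap recovers master secret:", passive_decrypt(cap, priv) == ms)
    cap, ms = dhe_key_exchange(cr, sr)
    print("DHE  tap recovers master secret:", passive_decrypt(cap, priv) == ms)
```

The tap succeeds only on the RSA exchange, and it succeeds for every past and future session protected by that key, which is the exposure PFS removes. Once the exponents a and b are discarded after the handshake, nothing stored anywhere can reproduce Z, so the only remaining options are to stand in the path as an endpoint (inline interception) or to have one of the real endpoints hand over its session secrets.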

Approaches to SSL Decryption

Two things make SSL decryption expensive: every additional management or security tool that decrypts for itself adds to the cost, and every additional copy of the private key has to be managed and protected.

First, SSL decryption is computationally expensive, and though many tools can decrypt SSL, a tool-by-tool approach is neither wise nor cost-effective. Why let each tool spend 30 to 80 percent of its capacity on decryption if there's a better solution? With the Gigamon Visibility Platform, SSL decryption is consolidated and performed in one centralized location, so the computational burden is lifted from the other tools (firewalls, IPS, etc.).

Second, the more places you have a key, the more at risk that key is. From a management perspective, it makes more sense to keep the key in one centralized, highly protected location. The flip side is that this location can then decrypt everything, so it deserves the strongest controls available: hardware-backed key storage, tightly scoped administrative access, and an audit trail of every policy change.

With the Gigamon Visibility Platform, organizations can decrypt SSL, perform application session filtering, look for specific strings inside a TCP session, and send only the relevant traffic to the appropriate tools. The solution also provides automated resiliency through its inline bypass functionality, which monitors the availability of each inline security tool and takes action when a tool fails. For example, if a tool is detected to no longer be passing traffic, it can automatically be switched from inline to out of band, or vice versa. Or, if the tool is non-essential, it can be bypassed completely until it re-tests as available and can be put back inline. Keep in mind that bypassing a failed security tool is a fail-open choice: traffic keeps flowing uninspected, so for tools whose absence is unacceptable the bypass policy should hold the link closed instead.
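The bypass behaviour just described, written out as an added example that is not Gigamon's code: a controller feeds heartbeat probe results per inline tool, moves a tool out of the forwarding path after a run of failed probes, and puts it back only after a run of good ones, so a flapping tool does not bounce production traffic. The per-tool on-failure action (mirror out of band, bypass entirely, or fail closed), the thresholds, the tool names and the probe sequences are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

INLINE, OUT_OF_BAND, BYPASSED, FAIL_CLOSED = "inline", "out_of_band", "bypassed", "fail_closed"


@dataclass
class Tool:
    name: str
    on_fail: str            # OUT_OF_BAND (keep a mirrored copy), BYPASSED, or FAIL_CLOSED
    state: str = INLINE
    fails: int = 0          # consecutive failed heartbeats
    oks: int = 0            # consecutive good heartbeats while out of the path


class BypassController:
    """Takes a tool out of the path after `fail_after` consecutive failed probes and
    re-inserts it only after `recover_after` consecutive good ones (hysteresis)."""

    def __init__(self, fail_after: int = 3, recover_after: int = 5):
        self.fail_after, self.recover_after = fail_after, recover_after

    def heartbeat(self, tool: Tool, passed: bool) -> str:
        """Record one probe result and return the tool's resulting state."""
        if passed:
            tool.fails, tool.oks = 0, tool.oks + 1
            if tool.state != INLINE and tool.oks >= self.recover_after:
                tool.state, tool.oks = INLINE, 0
        else:
            tool.oks, tool.fails = 0, tool.fails + 1
            if tool.state == INLINE and tool.fails >= self.fail_after:
                tool.state = tool.on_fail                     # the per-tool failure policy
        return tool.state


def forwarding_path(tools: List[Tool]) -> Optional[List[str]]:
    """Tools that production traffic traverses, in order; None when an essential
    tool has failed closed and the link is being held down."""
    if any(t.state == FAIL_CLOSED for t in tools):
        return None
    return [t.name for t in tools if t.state == INLINE]


def mirrored_to(tools: List[Tool]) -> List[str]:
    """Tools that still receive a copy of the plaintext but are no longer in the path."""
    return [t.name for t in tools if t.state == OUT_OF_BAND]


def run_probes(controller: BypassController, tool: Tool, results: List[bool]) -> List[str]:
    """Feed a constructed probe log to the controller and return the state after each probe."""
    return [controller.heartbeat(tool, ok) for ok in results]


if __name__ == "__main__":
    ctl = BypassController(fail_after=3, recover_after=2)
    chain = [Tool("firewall", FAIL_CLOSED), Tool("ips", OUT_OF_BAND), Tool("dlp", BYPASSED)]
    print("ips probes:", run_probes(ctl, chain[1], [False, False, False, True, True]))
    print("path now:", forwarding_path(chain), "mirrored:", mirrored_to(chain))
    run_probes(ctl, chain[0], [False, False, False])
    print("after firewall failure, path:", forwarding_path(chain))
```

The essential-versus-non-essential distinction lives entirely in `on_fail`: the DLP tool is bypassed (fail open), the IPS keeps a mirrored copy so it can recover while traffic flows, and the firewall holds the link closed. Note that this controller counts consecutive results only, so a tool that alternates pass and fail on every probe never reaches either threshold; a deployment that sees that pattern would want a windowed failure rate instead.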

Enabling Security Tools

For highly regulated industries like healthcare, financial services, and government, TLS is the right protocol for protecting data in transit. But it's also a perfect place for threats to hide.

Federal government, in particular, faces one of the worst threat landscapes, with other nation states actively trying to compromise its networks. Many advanced malware families use encrypted command-and-control channels, some of them riding on social media, which makes it difficult to determine whether, say, a Facebook page is legitimate. The only way to find out is to break SSL and look inside. If you see legitimate human text, it's probably a social media site; if you see a bunch of commands for malware, well . . . .

Bottom line: If you can’t see it, you can’t secure it.

There is not, and never will be, one perfect security tool that handles everything. But if a vendor says its tools can do everything except SSL and your traffic is 80% SSL, that means 1) those security tools can only see 20% of your traffic; and 2) you're not secure.

The beauty of the Gigamon Visibility Platform and its GigaSMART® traffic intelligence is that it's tool-agnostic. The SSL Decryption application decrypts each SSL session once and then feeds the plaintext to multiple tools simultaneously, whether inline or out-of-band. It complements and enhances the necessary security tools (DLP, security analytics, IDS/IPS, firewalls, etc.) and gives them visibility into, and control over, the traffic they need in an easy-to-consume format, so they can focus on threat detection instead of wasting cycles decrypting SSL (if they can decrypt it at all).
