Challenges of traditional SSL decryption



SSL inspection (SSL decryption) is not a unique concept among the NGFW vendors on the market today. Originally the sole arena of SSL proxies and devices like Bluecoat, the technology was at best flaky. Issues stemmed mainly from a lack of understanding when implementing the technology, but it was also very easy to underspec a box by miscalculating the processing power required to decrypt, inspect and then re-encrypt traffic on a busy firewall. This led to latency (which instantly kills off any POC in my experience). Ultimately, as root certificates cannot be forged, the certificate of the proxy had to be trusted to avoid any major issues with browsers. Even worse, there was early certificate pinning, and applications simply would not work with the inspection in place.


Scale of the problem

OK, so we have considered that although SSL inspection sounds good it does have its teething troubles, and this has ultimately caused a lack of uptake of what we will see is really a must-have if you are serious about security in your network.


81% of the top 100 websites are now encrypted

87% of time spent on the web is spent on pages using HTTPS


The Answer

Scary statistics, I am sure anybody would agree. The fact is that in today's world, where compromises are on the rise and, as we are seeing in the news, the cost of these breaches to companies is rising exponentially, SSL inspection is a necessity; we just have to make it work so that it is also practical. By combining the power of URL filtering and SSL inspection you will maximise the visibility into potentially dangerous traffic and at the same time retain the user experience that is so vital to today's fast-paced business world.

Use case example

Let’s say that a user requires access to one of the many social networking sites for legitimate business purposes. It is our opinion that the vast majority of companies are now utilising social media as an integral part of their overall advertising strategy, and in fact, due to the popularity of such sites, a great number of companies now conduct their business in this way. If the particular site that is being used has been associated with malware in the past and has at some time been blacklisted (and let’s be honest, I can’t think of a single one that hasn’t had some kind of compromise at one time or another), traditional wisdom would leave you with two options. The first is to block the site completely, not allowing anybody access to it just in case there are any residual issues. The second is to turn on SSL inspection, as the site is needed to facilitate business, and then fight issues with other sites that for one reason or another are not compatible with SSL inspection. However, with Palo Alto Networks, the cohesive security policies and profiles allow you to turn on SSL inspection for a specific group of applications, for unknown applications only or, as in this case, specifically for the application or domain in question.


Why you should implement SSL Inspection

The harsh reality of all this is that you could have the biggest, most powerful firewall in the world eating through your electric bill and never see the traffic that makes up 87% of all time spent on the web. Remember, if you can’t see it you cannot stop it: SSL decryption is paramount to protect you from the threats that are unseen without it.
We are happy to talk through the steps required to either migrate to or implement Palo Alto Networks in your network so you can start to benefit from an industry-leading security infrastructure.
