SSL Inspection
SSL inspection (or, to give it its correct name, TLS inspection) is the process of decrypting traffic as it passes through the firewall so that the traffic can be inspected and correctly evaluated. As a feature it is often switched on when a device has been freshly commissioned, then quickly switched back off as things start to break at an alarming rate.
Palo Alto Networks encourages the use of SSL inspection in production networks because of the security benefit. We do not need to break SSL in order to categorise the application for the security policy, but, simply put, if you cannot see it you cannot defend against it.
Challenges of traditional SSL decryption
SSL inspection / SSL decryption is not a unique concept among the NGFW vendors on the market today. Originally the sole domain of SSL proxies and devices like Blue Coat, the technology was at best flaky. Issues stemmed mainly from a lack of understanding when implementing the technology, but it was also very easy to under-specify a box by miscalculating the processing power required to decrypt, inspect and then re-encrypt traffic on a busy firewall, which led to latency (and latency instantly kills off any POC in my experience). Because root certificates cannot be forged, the proxy's certificate had to be trusted by every client to avoid major issues with browsers. Worse still, early certificate pinning meant that some applications simply would not work with the inspection in place.
Scale of the problem
OK, so we have seen that although SSL inspection sounds good, it does have its teething troubles, and these have ultimately caused a lack of uptake of what is really a must-have if you are serious about security in your network.
of the top 100 websites are now encrypted
of time spent on the web is spent on pages using HTTPS
Why you should implement SSL Inspection
The harsh reality of all this is that you could have the biggest, most powerful firewall in the world eating through your electricity bill and never see the traffic that makes up 87% of all time spent on the web. Remember, if you can't see it you cannot stop it; SSL decryption is paramount to protecting you from the threats that remain unseen without it.
We are happy to talk through the steps required to either migrate or implement Palo Alto Networks in your network so you can start to benefit from an industry leading security infrastructure.
ARE YOU READY?
We are ready for your queries, so please get in touch with any enquiries or issues you may have with your existing cyber security services, or with the lack of them.
Mode44 is able to discuss any projects, issues or concerns you may have with either Palo Alto Networks or with your current vendor, even if they are not Palo Alto Networks specialists.