SSL stands for Secure Sockets Layer. In short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. You might be familiar with SSL without realising it: for example, when you see the padlock in the URL bar of your internet banking site.
SSL inspection is the process of decrypting traffic as it travels through a firewall so that the traffic can be inspected and correctly evaluated. This feature is often not configured and is typically disabled initially, leaving organisations with a much lower level of protection. The key issue is that more and more applications and malware make use of SSL, so without SSL inspection, network security services simply wave suspect traffic through without ever inspecting it.
This is compounded because many service providers do not properly understand the technology and leave it unconfigured for fear of how it will impact normal use.
Palo Alto Networks, and many other leading vendors, encourage the use of SSL inspection in production networks because of the security aspect. We do not need to break the SSL in order to categorise the application for the security policy. Simply put, if you cannot see it, you cannot defend against it.
Challenges of traditional SSL decryption
SSL inspection (SSL decryption) is not a unique concept among the NGFW vendors on the market today. It was originally the sole arena of SSL proxies and devices like Bluecoat, and the technology was at best flaky. Issues stemmed mainly from a lack of understanding when implementing the technology, but it was also very easy to underspec a box by miscalculating the processing power required to decrypt, inspect and then re-encrypt traffic on a busy firewall. This led to latency (which instantly kills off any POC in my experience). Ultimately, as root certificates cannot be forged, the certificate of the proxy had to be trusted to avoid any major issues with browsers. Even worse, there was early certificate pinning, and applications simply would not work with the inspection in place.
Scale of the problem
OK, so we have considered that although SSL inspection sounds good, it does have its teething troubles. This has ultimately caused a lack of uptake of what we will see is really a must-have if you are serious about security in your network.
81% of the top 100 websites are now encrypted.
87% of time spent on the web is spent on pages using HTTPS.
Scary statistics, I am sure anybody would agree. The fact is that in today's world, compromises are on the rise and, as we are seeing in the news, the cost of these breaches to companies is rising exponentially. SSL inspection is a necessity; we just have to make it work so that it is also practical. By combining the power of URL filtering and SSL inspection you will maximise the visibility into potentially dangerous traffic and at the same time retain the user experience that is so vital to today's fast-paced business world.
Use case example
Let's say that a user requires access to one of the many social networking sites for legitimate business purposes. It is our opinion that the vast majority of companies are now utilising social media as an integral part of their overall advertising strategy, and in fact, due to the popularity of such sites, a great number of companies now conduct their business in this way. If the particular site being used has been associated with malware in the past and has at some time been blacklisted (and let's be honest, I can't think of a single one that hasn't had some kind of compromise at one time or another), traditional wisdom would leave you with two options.
- Block the site completely, not allowing anybody access to it, just in case there are any residual issues.
- Turn on SSL inspection, as the site is needed to facilitate business, and then fight issues with other sites that for one reason or another are not compatible with SSL inspection.
However, with Palo Alto Networks, the cohesive security policies and profiles allow you to turn on SSL inspection for a specific group of applications, for unknown applications only or, as in this case, specifically for the application or domain in question.
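A simplified model of the selective approach described above, added here as an illustration and not Palo Alto Networks configuration or code: decryption rules are checked top-down, the first match wins, and anything unmatched is left encrypted. The rule names, domains and application labels are all constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "decrypt" or "no-decrypt"
    domains: tuple = ("*",)  # glob patterns matched against the TLS SNI
    apps: tuple = ("any",)   # application labels; "any" matches all


# Constructed policy: hypothetical rule names, domains and app labels.
POLICY = [
    # Pinned applications break under inspection, so bypass them first.
    Rule("bypass-pinned", "no-decrypt", domains=("*.pinned-app.example",)),
    # The business-critical social site from the use case is inspected.
    Rule("inspect-social", "decrypt",
         domains=("social.example", "*.social.example")),
    # Anything the firewall could not identify is inspected as well.
    Rule("inspect-unknown", "decrypt", apps=("unknown",)),
]
DEFAULT_ACTION = "no-decrypt"


def evaluate(sni, app, policy=POLICY):
    """Return (rule name, action) for the first rule matching the session."""
    host = sni.lower().rstrip(".")
    for rule in policy:
        domain_ok = any(fnmatch(host, pattern) for pattern in rule.domains)
        app_ok = "any" in rule.apps or app in rule.apps
        if domain_ok and app_ok:
            return rule.name, rule.action
    return "default", DEFAULT_ACTION


def coverage(sessions, policy=POLICY):
    """Fraction of sessions that the policy sends through decryption."""
    hits = sum(1 for sni, app in sessions
               if evaluate(sni, app, policy)[1] == "decrypt")
    return hits / len(sessions) if sessions else 0.0


# Constructed sample sessions: (SNI, identified application).
SESSIONS = [
    ("www.social.example", "social-networking"),
    ("social.example", "social-networking"),
    ("api.pinned-app.example", "unknown"),
    ("files.other.example", "unknown"),
    ("bank.example", "web-browsing"),
]
```

Rule order matters in this model: the pinned application is bypassed even though it is also "unknown", because its bypass rule sits above the catch-all.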
Why you should implement SSL Inspection
The harsh reality of all this is that you could have the biggest, most powerful firewall in the world supposedly protecting your network, but if it isn't properly configured it will never inspect the traffic that makes up 87% of all time spent on the web. Remember, if you can't see it, you cannot stop it. SSL decryption is paramount to protect you from the threats that are unseen without it.
We are happy to talk through the steps required to either migrate or implement Palo Alto Networks in your network so you can start to benefit from an industry leading security infrastructure.