Encrypted connections are used to transfer sensitive data between two hosts over the unsecured internet. Surveys show that 25% - 35% of enterprise traffic is SSL encrypted, and the share can be as high as 70% in some industries. But can SSL-encrypted traffic ensure security?
Studies show that websites using SSL are in no way more protected than websites that are not encrypted. Attackers use advanced techniques to conceal their communication inside an SSL connection, so to detect and prevent those attacks we need to look inside the encrypted SSL connection and find the malicious content. SSL Inspection is a technique by which encrypted SSL traffic is decrypted and sent to other security appliances, which can analyze it further to detect harmful content and prevent possible damage.
How SSL can be used by attackers
If malicious communication is not encrypted, it can easily be detected by standard security appliances such as IDS, IPS and firewalls. But these security tools are not able to decrypt an encrypted connection and look inside it, so attackers often take advantage of that: they use an SSL connection to conceal their malicious communication.
- If the initial communication for the infection goes through an approved port and a seemingly secure browser, it can bypass the firewall/IPS easily. In fact, it is easier to attack an organization using applications that use encryption.
- Attackers often infect computers with malware and build a botnet. They then exploit the computational resources of the infected computers for malicious purposes such as DDoS attacks, spreading malware or further attacks. For malware families like Zeus, the communication with the botnet's Command & Control server is concealed within an SSL connection: the malware first opens an SSL connection and then uses it to send the victims' stolen sensitive data to the Command & Control server.
- An attacker can use a Cross Site Scripting (XSS) attack (see: How do attackers perpetrate a Cross Site Scripting Attack?) to steal a victim's authentication cookie stored on his computer and send it to the attacker, hiding the communication inside SSL.
- Attackers can also use SSL for phishing attacks. They can send a malicious link to employees of an organization via email and trick them into clicking on it. Clicking the link may take the victims to a malicious SSL server controlled by the attackers. If the communication goes through approved ports, the firewall/IPS may not detect it, and the attackers can infect the computers with malware to create a botnet. After that, they can easily exfiltrate sensitive data such as the organization's financial account data over an encrypted SSL connection.
What is SSL Inspection?
Currently, many security devices cannot inspect encrypted traffic, and the few that can decrypt SSL traffic cause significant performance degradation and are very expensive.
SSL inspectors work with secure network gateways to monitor inbound and outbound SSL traffic. They decrypt inbound and outbound SSL traffic, including web and email communication, and send the suspicious traffic to other security devices such as IDS, IPS, network forensic devices and advanced network gateways for further inspection and analysis. If the decrypted traffic is sent to active security tools like an IPS, the suspected traffic is analyzed and proper actions are taken to prevent possible damage.
But there may be cases in which an SSL inspector should not decrypt certain SSL traffic, such as patient data in a hospital. So it must whitelist and filter SSL traffic before selecting it for inspection.
SSL inspectors should be able to process a large amount of data quickly. They usually contain high-performance compute engines with hardware accelerators for handling SSL traffic, which enables them to monitor SSL traffic in real time.
An SSL inspection appliance detects an SSL session and consults its policy to determine whether the traffic should be inspected. If the SSL traffic is suspicious, it decrypts the data and sends the decrypted data to other security tools for further analysis.
SSL inspectors typically share the decrypted SSL traffic with the following security appliances:
- IDS/IPS, firewalls and network gateways: if malicious traffic is found on further analysis by these devices, the packets are dropped and the SSL session is terminated.
- Email filtering devices.
- Data Loss Prevention (DLP) devices: when SSL inspectors send decrypted traffic to these devices, they can do pattern matching to look for sensitive data such as social security numbers, credit card information, bank account and routing data, and so prevent data exfiltration from the organization.
- Forensics and investigative tools.
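The DLP pattern matching described above, as an added example that is not part of the original article: it scans a constructed, already-decrypted HTTP POST body for social security numbers and credit card numbers, using a Luhn check so that routing numbers and order ids are not flagged as cards. The sample body, the regexes and the block/allow verdict are all assumptions made for this illustration.

```python
import re

# Constructed sample: a decrypted HTTP POST body as an SSL inspector might hand it to a
# DLP device. All values are made-up test data (the card number is a standard test PAN).
SAMPLE_BODY = ("name=Jane+Doe&ssn=123-45-6789&card=4111111111111111"
               "&memo=order+%2312345&routing=021000021&acct=987654321")

# US SSN: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out plain digit runs (order ids, routing numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, value) pairs for each SSN or Luhn-valid card number found."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def dlp_verdict(text: str):
    """'block' if any sensitive pattern is present in the decrypted payload, else 'allow'."""
    hits = find_sensitive(text)
    return ("block" if hits else "allow"), hits


if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_BODY))
```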
SSL decryptors can also be used for monitoring cloud services. All secure services running in the cloud look the same at the TCP/IP layer; the traffic can be differentiated only once it is decrypted.
How does SSL Inspection work?
SSL Inspection devices typically follow the steps below to monitor SSL traffic:
- An SSL Inspection device observes the exchange of public keys at the start of an SSL communication. Administrators can also load the private keys of corporate servers securely into the system.
- It intercepts inbound SSL traffic and consults its policy to determine whether the traffic should be monitored.
- If the SSL traffic should be monitored, it decrypts the traffic and sends the suspected traffic to other security appliances for further inspection and analysis.
- The allowed decrypted SSL traffic is encrypted again and sent on to the corporate servers.
- Similarly, it intercepts outbound SSL traffic and consults its policies to determine whether it should be monitored.
- It then decrypts the SSL traffic and sends the suspected traffic to other security appliances for further inspection.
- The allowed decrypted SSL traffic is encrypted again and sent on.
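The policy step of the procedure above (decide per session whether to decrypt or to leave traffic such as patient data alone), as an added example that is not from the original article: it reads the server name (SNI) out of the TLS ClientHello that opens a session and applies a whitelist. The bypass hostnames and the "inspect by default" rule are assumptions; the ClientHello builder only constructs test input.

```python
import struct

# Assumption (not from the article): hostnames the policy must never decrypt, e.g. a
# hospital's patient portal. Matching is exact or on a parent domain, never a bare suffix.
BYPASS_HOSTS = ("patients.example-hospital.org", "onlinebanking.example.com")

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (test input)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host        # name_type=host_name, length, name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)       # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Walk a ClientHello to its server_name extension; None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:           # handshake record, ClientHello
            return None
        pos = 43                                              # hdrs(9) + version(2) + random(32)
        pos += 1 + record[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]                                # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                                 # server_name: list_len, type, len, name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def inspection_decision(record: bytes) -> str:
    """'bypass' for whitelisted destinations, otherwise 'inspect' (the assumed default)."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect"           # no SNI: no host rule can apply, fall back to the default
    host = sni.lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in BYPASS_HOSTS):
        return "bypass"
    return "inspect"
```

A real inspector would also apply the policy to the certificate it sees from the server, since SNI is client-supplied; this block shows only the ClientHello side.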
So, this was an article to give some basic information on SSL Inspection. Hope you liked it.