How to Gain Visibility into Encrypted Threats
0 likes79 views
The document discusses SSL/TLS encryption challenges and the need for visibility and control in network security as encryption rates rise. It highlights the importance of SSL orchestration to manage and inspect encrypted traffic effectively, overcoming issues like the 'blind spot' created by encryption. The text also emphasizes the necessity for policy-based traffic steering and risk management to enhance security while maintaining performance.
How to Gain Visibility into Encrypted Threats
- 3. 60% 61% 89% 34% 25% 11% 2015 2016 2017 TLS 1.2 SSL 3.0 80%of sampled page loads use SSL/TLS TLS 1.2 vs. SSL 3.0
- 4. Heavy adoption of Microsoft Office 365 Google Search results rankings Increased focus on user privacy Continuing growth and use of social networks Google Chrome browser warnings GDPR compliance SSL/TLS Encryption Business Drivers
- 6. Complexity burdens IT with inefficiencies Performance can degrade when decrypting at scale Visibility is reduced due to the growth of SSL usage
- 7. You can’t secure what you can’t see of all Internet traffic is encrypted of page loads are now encrypted with SSL/TLS70% 80% Source: TLS Telemetry Report, F5 Labs, April 2018
- 8. Untrusted Networks Security Services SSL/TLS BLIND SPOT Encryption creates a blind spot in your network m
- 9. Exploitation Command & Control Data Exfiltration Data C&C
- 10. RSA, most common Key exchange Diffie-Hellman (Ephemeral) Key agreement
- 11. vs. 1 Client Hello 1 Client Hello Supported Cipher Suites Guesses Key Agreement Protocol Key Share 2 Server Hello Key Agreement Protocol Key Share Server Finished 3 Checks Certificate Generates Keys Client Finished Step Client Direction Message Direction Server 5 Server Hello Done 6 Client Key Exchange 7 Change Cipher Spec 8 Finished 9 Change Cipher Spec 10 Finished 3 Certificate 4 Server Key Exchange 2 Server Hello Step Client Direction Message Direction Server 88% of hosts prefer forward secrecy
- 12. Ephemeral Keys Perfect Forward Secrecy Automatically and frequently changes the keys used to encrypt and decrypt information, exposing only a small portion of sensitive user data if the latest key is compromised Cipher suite Encryption key size Key exchange mechanism ECDHE-RSA-AES128-GCM-SHA256 128 bit ECDH, encryption: AES, MAC: SHA256 ECDHE-RSA-AES128-SHA 128 bit ECDH, encryption: AES, MAC: SHA1 ECDHE-RSA-AES256-SHA 256 bit ECDH, encryption: AES, MAC: SHA1 ECDHE-RSA-3DES-EDE-SHA 168 bit ECDH, encryption: 3DES, MAC: SHA1 ECDHE-RSA-RC4128-SHA 128 bit ECDH, encryption: RC4, MAC: SHA1 Unique Key to Each Connection
- 13. Untrusted Networks Edge Firewall Switch Apps Network Tap PFS removes ability to do inbound traffic passive inspection
- 14. Firewall performance tests conducted by NSS Labs Response time increased by 672% 60% drop in the average throughput Next-Gen Firewall Web Gateway DLP Anti-Malware IPS Next-Gen Firewall Decrypt, Inspect, Re-Encrypt Decrypt, Inspect, Re-Encrypt Decrypt, Inspect, Re-Encrypt Decrypt, Inspect, Re-Encrypt Users Internet / Apps
- 15. Security inspection devices are not the right tool for decryption Privacy Performance End-user experience
- 16. Purpose-built solution for orchestration of inbound/outbound SSL/TLS traffic Users Internet / Apps Next-Gen Firewall Next-Gen IPS Malware Protection Secure Web Gateway Data Loss Prevention Other SSL Orchestrator
- 17. Visibility is not enough Still requires manual “daisy-chaining” or tedious configurations across the security stack
- 18. Broad topology and device support Dynamic service chaining Policy-based traffic steering Advanced monitoring, load balancing, and scaling Centralised and simplified management of certificates and keys Proxy-level control over ciphers and protocols SSL Orchestration: More than visibility
- 19. Dynamic grouping of security devices Topology independent Maximised security investments Service insertion, monitoring, scaling Firewall IDS WAF 1 Firewall IPS WAF DLP 2 Firewall IPS WAF DLP Forensics 3
- 20. Source Addr. Dest. Addr. Dest. Port IP Geo Domain Name IPI Cat. URL Cat. Protocol Contextual classification engine Traffic Classifier Engine Service Chain Incoming Traffic Rich set of traffic selectors Decrypt and steer to service chain based on policy match Banks, Healthcare Bypass HTTP/ HTTPS Everything else Bypass, block, inspect actions
- 21. SSL Orchestrator Users Policy-Based Traffic Steering Source IP Destination IP IP intelligence category URL filtering category In Out IP geolocation Host and domain name Destination port Protocol SSL/TLS Termination and Inspection Web Application Firewall IDS/IPS Customer Experience Solutions Apps Dynamic Service Chaining chainX chainY bypass reject
- 22. SSL Orchestrator Users Policy-Based Traffic Steering Source IP Destination IP IP intelligence category URL filtering category In Out IP geolocation Host and domain name Destination port Protocol SSL/TLS Termination and Inspection Internet Dynamic Service Chaining chainX chainY bypass reject IDS/IPS Malware Sandbox Secure Web GatewayNext-Gen Firewall Data Loss Prevention
- 25. Firewall Internet / Apps Firewall NGFW (Pool) IPS (Pool) Anti-Malware (Pool) DLP (Pool) Inline Insertion (L3 Mode) Inline Insertion (L2 Mode) ICAP SIEM Passive Decrypt and Steer Re-Encrypt SSL Orchestrator Users
- 26. Inline Layer 2 Receive Only Inline Layer 3 Inline Layer 3 ICAP ICAP Suspect IP dest. Receive Only Inline Layer3 Inline Layer2 Inline Layer3 Partner domains Inline Layer3 Inline Layer2 Inline Layer3 Requires PCI data privacy Receive Only Create services Risky web sites Receive Only Inline Layer3 Inline Layer2 Inline Layer3 ICAP ICAP Chain services Security inspection devices can be grouped, monitored, scaled, and load balanced independently. Policy-based traffic steering directs traffic through the appropriate service chain based on risk and context.
- 27. Enterprise Key Management Secure Vault Software-based encrypted storage system for securing cryptographic keys with the highest performance Internal HSM Physical hardware designed to generate, store, and protect keys with high performance Network HSM Integration with leading network-based hardware for use with all appliances, chassis, and virtual editions Cloud HSM Integration for high-assurance encryption services fit for the cloud HSM = Hardware Security Module
- 28. Untrusted Networks Security Services ? Source: Technical Alert 17-318A, National Cybersecurity and Communications Integration Center (NCCIC), November 2017
- 29. Full proxy SSL Orchestrator Untrusted Networks ! IDS/IPS Malware Sandbox Secure Web GatewayNext-Gen Firewall Data Loss Prevention !
- 30. SSL Orchestrator Key Use Cases SSL/TLS visibility and orchestration Maximised security investments Risk management and privacy
- 31. F5 BIG-IP and Symantec DLP F5 BIG-IP and Palo Alto Networks NGFW F5 BIG-IP and FireEye NX
- 33. Deploy into any environment Offer ease of integration with unique network topologies and security inspection devices Go beyond visibility Provide centralised de- cryption and policy-based traffic steering across multiple security tools Dynamically chain services Remove limitations of daisy-chaining and manual configuration