Now, more than ever, organizations are focused on securing their IT infrastructure against cyberattacks. It should be common knowledge that no single security control is enough to adequately defend against threat actors. Instead, a defense-in-depth strategy must be leveraged to provide multiple layers of security controls within an administrative domain. One of the core components of this strategy is a next-generation firewall to protect your trusted endpoints from the public internet. Next-generation firewalls provide much more than simple packet filtering. They can also protect against advanced cyber threats by inspecting traffic for malware signatures, command-and-control (C2) communication, and malicious URLs, to name a few. Sounds great, right? But there is a problem – encryption.
Data Encryption with SSL & TLS Protocols
Most everyone today is familiar with the difference between the HTTP and HTTPS protocols. Both are used by clients to communicate with web servers; however, HTTPS provides confidentiality by encrypting data while in transit using the SSL or TLS protocols. This encryption is very important to protect sensitive information when accessing web resources on the public internet. On the other hand, though, this same encryption can be used against us. Attackers often will utilize encryption to hide malicious data as it passes through our security controls. Consequently, the advanced inspection engines in our next-generation firewalls have limited visibility into this traffic and will often allow it to pass even if malicious. This is where SSL inspection can help.
Check out Jon Kraft’s Webinar on Fortinet Accelerated SSL Inspection
The SSL Inspection Handshake
To understand how SSL inspection works, it’s important to first understand, at a high level, how an SSL session is established. SSL sessions are created using a handshake procedure. During an SSL handshake, multiple messages are sent back and forth between the client and server, and session parameters are established such as what cryptographic algorithms will be used and what the symmetric encryption key will be. These SSL handshake messages typically rely on the TCP protocol for the underlying communication channel and, in most scenarios, are forwarded through an on-premise firewall. Once the SSL handshake is complete, the client and server are able to send and receive encrypted data. The example below illustrates SSL encrypted traffic between a client and server flowing through a firewall.
The Role that Firewalls Play with SSL Inspection
Now that we have covered the basics of an SSL handshake, let’s talk about how our next-generation firewalls can help increase visibility into encrypted traffic. When SSL inspection is enabled, the firewall begins performing what could be considered a man-in-the-middle attack against encrypted traffic. This starts by the firewall intercepting the SSL handshake messages sent from the client to the server and responding directly as if it were the original destination. The firewall then initiates its own SSL handshake with the destination server as if it were the original client. This ultimately results in two SSL sessions being established as illustrated below. The firewall no longer simply passes encrypted traffic back and forth. It is now actively involved in decrypting and encrypting packets as they traverse the network, which provides the content inspection engines with full visibility into the data.
Things to Note when Enabling SSL Inspection
In most cases, the process of enabling SSL inspection is very simple and requires only a few clicks. However, there are some caveats to be aware of.
During the handshake process, the client receives a copy of the server’s digital certificate and determines whether or not to trust the connection. If it does not trust the connection, the user is presented with a warning message. By default, most firewall will send their own self-signed certificate to the client when performing SSL inspection. If the client does not trust this certificate, the user will be presented with many warning messages. It is important that the client trust whatever certificate it being used by the firewall for SSL inspection. There are a variety of methods for deploying certificates to clients including Microsoft Group Policy.
Implementing SSL inspection can significantly increase the workload of a firewall as it now has to encrypt and decrypt all SSL traffic. It is important to ensure a firewall can support this increased workload prior to enabling. It is also recommended to gradually implement SSL inspection rather than turning on for all devices at once.
Cloud-Hosted SSL Solutions for Supporting Your Remote Workforce
While this article has focused on inspecting SSL traffic from on-premise clients, the same type of inspection is possible for your remote workforce as well. Many security vendors offer cloud-hosted solutions that provide the same next-generation firewall features no matter where a device is physically located. This is especially useful for organizations that have implemented work from home policies due to the COVID-19 pandemic but struggle to maintain consistent security policies while devices are connected to untrusted and unmanaged networks.
If you would like to learn more about how you can improve your security defenses by leveraging SSL inspection, please reach out to your Candoris account representative or contact us. We have a team of engineers available who can assist with not only SSL inspection but all aspects of network and infrastructure security.