Application Note

SSL Decryption

Introduction
SSL encryption is the cornerstone technology that makes the Internet secure. Email, e-commerce, voice-over-IP, online banking, remote
health, and countless other services are kept secure with SSL. Unfortunately, most of that traffic goes uninspected because many
security and performance monitoring tools lack the ability to see inside the encrypted sessions. Monitoring application performance
and network usage patterns becomes impossible if you cannot determine which applications are running over the network. Even worse,
malware can create SSL sessions to hide its activity, confident that security tools will neither inspect nor block the traffic. The very
technology that makes the Web secure can become a threat vector.
Decrypting SSL traffic requires knowledge of the keys used for encryption. The public keys are clearly visible at the start of the
transaction, but access to the private keys is controlled by the administrator.
Key Customer Applications
SSL Decryption is required for a variety of applications:
- Malware Detection: Once malware exploits a host, it can complete the kill chain using SSL transactions
- Data Loss Prevention: Whether initiated by malware or a user from inside the corporate firewall, confidential data and files can be encrypted and leaked using SSL connections
- Application Performance Monitoring: Key business applications use SSL to ensure authentication, but this obscures data required for proper monitoring
- Cloud Services Monitoring: Secure services running in the cloud, including Web applications, all look the same at the TCP/IP layer and it is not until the SSL sessions are decrypted that they can be differentiated and monitored
Existing Solutions
SSL decryption is available directly on some monitoring tools. However, those solutions tend to cause a severe performance degradation
and are also very expensive. Offloading SSL decryption not only allows the tool to return to full performance, but also eliminates
the need to have multiple decryption licenses for multiple tools. Furthermore, SSL decryption on a specific security appliance, for
example, does not help with other tools, such as application performance monitoring; Gigamon can supply decrypted traffic to both
simultaneously. Clearly, by delivering SSL decryption as a common service to the connected monitoring and security tools, the overall
efficiency, security and performance of the infrastructure can be maximized.
Existing inline technologies, such as SSL proxies and application load balancers, provide SSL decryption, but they are not optimized for a
visibility architecture. They lack the scalability to handle traffic from multiple TAPs across the network or to filter and replicate decrypted
traffic to multiple monitoring tools. With limited modularity or extensibility, increasing SSL throughput often requires new hardware. Lastly,
they provide no visibility functionality or traffic intelligence for non-encrypted traffic.

2014-2015 Gigamon. All rights reserved.

Gigamon Solution
Given that Gigamon's Unified Visibility Fabric has access to the bidirectional traffic, it has the ability to observe the exchange of public
keys at the start of the transaction. Once the administrator loads the private keys, they are securely stored on the system. The power
of the GigaSMART traffic intelligence engine can then decrypt the traffic and forward it to tools for analysis. Each GigaSMART module
contains high-performance compute engines that have hardware performance accelerators to handle SSL traffic.
SSL Decryption is not limited to specific ingress ports or where the GigaSMART engine is located within the Visibility Fabric. Any traffic
received on any network port in the cluster of Gigamon Visibility Fabric nodes can take advantage of SSL Decryption. And that traffic
can be sent to any tool ports in the cluster. This is an important attribute because not every node in the cluster needs to have the SSL
Decryption capability. Additional Flow Mapping technology and/or GigaSMART applications can also be applied to decrypted traffic.
Furthermore, additional SSL Decryption throughput can be achieved by adding more GigaSMART modules to the cluster, allowing
inspection to grow as SSL processing needs increase.
Because SSL traffic can contain sensitive user data, special care must be taken to ensure that this data remains secure. After decrypting
the packets, they can be sliced to remove irrelevant or private payload data. Alternatively, fields within the payload can be masked.
In both cases, private data is never stored, read, or analyzed by the monitoring tools. This helps keep networks within regulatory
compliance and greatly simplifies the auditing process.
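Slicing and masking, as described above, are the two ways the note keeps private payload away from the tools. The following Python is an added illustration written for this note, not Gigamon or GigaSMART code: it applies both techniques to a constructed decrypted HTTP request, truncating the payload for slicing and, for masking, blanking an Authorization header and any Luhn-valid card number in place, so the packet keeps its length and structure and downstream tools still parse it.

```python
import re

# Constructed sample: one decrypted HTTPS request as a monitoring tool would receive it.
SAMPLE_REQUEST = (
    b"POST /api/payments HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"card":"4111111111111111","amount":"12.00","note":"order 4111"}'
)


def slice_payload(payload, keep):
    """Packet slicing: forward only the first `keep` bytes; everything after is dropped."""
    return payload[:keep]


def luhn_ok(digits):
    """Luhn checksum, so that long numbers that are not cards (order ids) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_PAN = re.compile(rb"\b\d{13,19}\b")                                  # candidate card numbers
_AUTH = re.compile(rb"(?im)^(Authorization:[ \t]*)([^\r\n]+)")        # header value to blank


def mask_payload(payload):
    """Field masking: same length and structure, sensitive bytes replaced with '*'."""
    def mask_auth(m):
        return m.group(1) + b"*" * len(m.group(2))

    def mask_pan(m):
        digits = m.group(0)
        if not luhn_ok(digits.decode("ascii")):
            return digits                                # fails Luhn: not a card, keep it
        return b"*" * (len(digits) - 4) + digits[-4:]   # keep last four for correlation

    return _PAN.sub(mask_pan, _AUTH.sub(mask_auth, payload))


if __name__ == "__main__":
    print(slice_payload(SAMPLE_REQUEST, 27).decode())
    print(mask_payload(SAMPLE_REQUEST).decode())
```

Slicing is the blunt tool (nothing past the cut is visible, including fields a tool might need); masking keeps the request parsable and only removes the values that should never reach storage, which is why the Luhn check matters: masking every long digit run would also hide harmless identifiers.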
Proper handling of the private keys is vital to maintain security compliance. Gigamon only allows keys to be uploaded, changed,
or deleted by users designated by the administrator. Keys are encrypted using a special password which is distinct from the generic
system admin password.

Figure 1: The steps to SSL Decryption
1. Tap the network and connect it to Gigamon's Visibility Fabric.
2. Select which flows to monitor and the GigaSMART engine will identify the exchange of public keys at the start of the transaction.
3. The private keys, which have been uploaded by the administrator, are encrypted and stored under tight password and role-based access controls.
4. GigaSMART then uses the private and public keys to decrypt the SSL traffic.
5. The clear packets can be sent directly to your monitoring tools or additional Flow Mapping and GigaSMART operations can be applied.

Key Features
First in the Industry to Integrate SSL Decryption into a Unified Visibility Fabric
- Decrypt traffic from anywhere within the Visibility Fabric and send it to any connected tools
- With Flow Mapping technology, direct any user-defined flows, not just those on port 443, for decryption
SSL3, TLS 1.0, 1.1 and 1.2 Support
- Public key: RSA
- Symmetric key algorithms: AES, 3DES, DES, RC4, CAMELLIA, SEED, IDEA
- Hashing algorithms: MD5, SHA1, SHA2
- Supported applications: HTTPS, FTPS and SMTP, IMAP, POP3 with StartTLS
- Supported key sizes: 128, 256, 512, 1024, 2048, and 4096
SSL Decryption Statistics
- Idle sessions and reusable keys
- Session-level stats: packets, discards, errored packets, resumptions
Secure Storage of Private Keys
- Encryption with independent password
- Restricted key access based on role-based access controls
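The "not just those on port 443" point and the engine's job of spotting the key exchange at the start of a session both come down to recognizing a TLS ClientHello from its bytes rather than from the TCP port. The parser below is an added example written for this note, not Gigamon code: it builds a constructed ClientHello, identifies it regardless of port, extracts the protocol version and SNI, and sorts the offered cipher suites into static-RSA suites (the "Public key: RSA" case a private-key-based decryptor can handle) and (EC)DHE suites (which it cannot). Code points and names are from the IANA TLS cipher-suite registry; only the suites listed are classified, and the ServerHello, not the ClientHello, decides which one is actually used.

```python
import struct

# Cipher-suite code points from the IANA TLS Cipher Suite Registry, grouped by key exchange.
# Static RSA: the premaster secret is encrypted under the server's RSA public key, so a
# decryptor holding the server's private key can recover it from a passive capture.
RSA_KX_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
# (EC)DHE: ephemeral Diffie-Hellman; the server's private key alone cannot open the session.
FORWARD_SECRET_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(sni, suites, version=0x0303):
    """Constructed sample only: a minimal TLS record carrying a ClientHello with an SNI extension."""
    host = sni.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host                   # name_type host_name(0)
    server_name_list = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = struct.pack("!H", version) + bytes(32) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake   # ContentType handshake(22)


def parse_client_hello(data):
    """Classify one TLS record from its bytes alone, so the TCP port it arrived on is irrelevant.
    Returns a dict for a ClientHello, or None for anything that is not one."""
    try:
        if data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) != hs_len or hs_len < 38:
            return None
        version = (body[0], body[1])
        pos = 34                                    # past version (2) and random (32)
        pos += 1 + body[pos]                        # session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                        # compression methods
        sni = None
        if pos + 2 <= len(body):                    # extensions block is optional
            ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if ext_type == 0 and ext_len >= 5:
                    # ServerNameList: list length (2), then name_type (1), name length (2), name
                    name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += ext_len
    except (IndexError, struct.error):
        return None
    return {
        "version": version,
        "sni": sni,
        "suites": suites,
        "rsa_kx_offered": [RSA_KX_SUITES[s] for s in suites if s in RSA_KX_SUITES],
        "forward_secret_offered": [FORWARD_SECRET_SUITES[s] for s in suites if s in FORWARD_SECRET_SUITES],
    }


if __name__ == "__main__":
    # Constructed flow on an unusual port: the parser does not care which port it used.
    record = build_client_hello("mail.example.test", [0xC02F, 0x002F, 0x0035])
    info = parse_client_hello(record)
    print("ClientHello for", info["sni"], "version", info["version"])
    print("decryptable with the server key if the server picks:", info["rsa_kx_offered"])
    print("not decryptable passively:", info["forward_secret_offered"])
    print("non-TLS bytes:", parse_client_hello(b"GET / HTTP/1.1\r\n"))
```

Feeding the first client-to-server segment of every flow through a check like this is how a port-independent decryption policy can be driven; the classification of the offered suites also gives an early warning that a given server population may be negotiating forward-secret suites that a key-based decryptor will never open.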
Key Benefits
Obtain Visibility to Encrypted Traffic
- Enable malware detection, intrusion detection, data loss prevention, network forensics
- Send clear traffic to application performance management, network performance monitoring, customer experience management tools
Integrate SSL Inspection into a Multi-Tiered Security Solution
- Prevent malware from hiding within uninspected SSL sessions
- Forward any traffic that does not match known flows to GigaSMART for decryption
- Decrypt traffic from the cloud and/or remote sites
Improve Tool Performance
- Offload SSL Decryption to the Visibility Fabric, freeing tool resources for packet analysis
- Apply decryption once for all tools rather than separately on each tool
Chain Multiple GigaSMART Applications Together
- Terminate tunnels sent from GigaVUE-VM, remote sites, and/or ERSPAN
- Apply Flow Mapping and SSL Decryption
- Use Adaptive Packet Filtering for L7-based packet forwarding
- Obscure private data with packet slicing or masking

Figure 2: Combine SSL Decryption with GigaSMART services such as tunnel de-encapsulation and Adaptive Packet Filtering. (Diagram labels: physical side, web server connect requests to NPM/CEM and remote site traffic to DLP; virtual side, GigaVUE-VM east-west traffic between virtual workloads to IPS; Visibility Fabric services shown: Flow Mapping, SSL Decryption, Adaptive Packet Filtering, Tunnel Termination.)

Summary
SSL is a vital Internet technology upon which more and more applications will rely. However, it severely limits visibility for both
performance and security monitoring. The growing security threat posed by uninspected SSL sessions increases the urgency for
inspecting SSL traffic. By decrypting SSL traffic for out-of-band monitoring, Gigamon provides visibility where none existed. Rather than
turning a blind eye to SSL traffic, the full capabilities of Flow Mapping technology and GigaSMART traffic intelligence can be applied.
Decrypting SSL is a tremendous processing burden for monitoring tools that do it themselves; this greatly inhibits tool performance
and increases the cost of monitoring. By supplying clear, decrypted traffic to multiple tools, Gigamon can be implemented to provide
immediate value and return on investment in capital expenditure, licensing fees, and management costs.

About Gigamon
Gigamon provides an intelligent Unified Visibility Fabric to enable the management of increasingly complex networks. Gigamon
technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both
physical and virtual environments without affecting the performance or stability of the production network. Through patented
technologies, centralized management and a portfolio of high availability and high density fabric nodes, network traffic is intelligently
delivered to management, monitoring and security systems. Gigamon solutions have been deployed globally across enterprise, data
centers and service providers, including over half of the Fortune 100 and dozens of government and state and local agencies.
For more information about the Gigamon Unified Visibility Fabric visit: www.gigamon.com

2014-2015 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or
other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks
of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3300 Olcott Street, Santa Clara, CA 95054 USA | +1 (408) 831-4000 | www.gigamon.com

4035-03 07/15
