
USE CASE: Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft

Business Problem

Industry
Federal Government

Use Case
Prevent potentially obfuscated successful cyberattacks against federal agencies using the integrated SSL/SSH decryption in Palo Alto Networks next-generation security appliances, physical and virtual.

Business Benefits
• Protect government networks and data from threats hiding in encrypted traffic.
• Comply with government mandates to ensure encrypted traffic is decrypted and examined for threats, unauthorized access or other indicators of compromise.

Operational Benefits
• Streamlined and more cost-effective approach to decryption and security.
• Resource improvements spanning time, personnel and expenditures.
• Reduced latency, particularly for time-sensitive applications and networks.
• Higher decryption throughput.
• Shorter decision loop for swifter prevention.

Security Benefits
• Swifter prevention, with visibility to attempted attacks using encryption to hide.
• Reduced risk of successful attacks, including exfiltration of PII and other sensitive or classified data.
• Reduced risk of attackers using public key infrastructure to attack government networks.
• Prevent use of counterfeit, expired and invalid certificates to mount attacks.

SUMMARY
According to the latest research, 25 to 35 percent of typical enterprise traffic is SSL-encrypted, and depending on the industry (e.g., financial services), that number may be as high as 70 percent. The figure tends to be higher on government networks due to regulations, resulting in multiple blind spots for security monitoring tools. As more internet traffic is encrypted using Secure Sockets Layer or its successor, Transport Layer Security, more attackers – including state-sponsored actors – are using the technology to hide malware and escalate the likelihood of successful attacks. Secure Shell for encrypted tunneling can also be used to hide malware and botnet-based command-and-control traffic to exfiltrate data. For example, a recent successful phishing attack against the public email system of a prominent western defense agency used SSL to encrypt malware downloaded by unsuspecting users who clicked on an infected web link. Even organizations with more mature security capabilities can be breached if they are not monitoring encrypted traffic for malware.

Business Drivers
The number, scale and sophistication of cyberattacks against governments have increased in recent years. Attackers continue to use SSL/SSH encryption to hide their operations and pursue target data. Since SSL requires a certificate authority and public key infrastructure to create and sign certificates as well as verify certificate validity, government agencies must also ensure attackers are not using the PKI to attack the government network.

Given this, governments have started to consider or mandate the decryption of encrypted communications moving into and out of government networks. In the U.S., the National Institute of Standards and Technology has issued guidelines and regulations for U.S. government agencies, primarily in the form of Federal Information Processing Standards and Special Publications (800-series). FIPS mandates that encrypted internet traffic, inbound or outbound, be decrypted and examined for the presence of malware or other unsuitable content, unauthorized access, or other indications of a cyberattack. Other governments have issued top cyber intrusion mitigation strategies and use ISO standards to ensure the protection of their infrastructure. These have not yet included a recommendation for decryption, but may in the future given the growth of this attack technique.

Governments must consider scrutinizing encrypted communications within their networks to address this attack technique. A comprehensive security strategy for federal and other government agencies requires in-depth analysis of encrypted traffic to detect and prevent hidden attacks and data leakage.

Palo Alto Networks | Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft | Use Case 1

Traditional Approach
Traditional approaches to decryption typically comprise a pair of dedicated decryption devices (e.g., an SSL decryption product
or load balancer) with multiple security products deployed in-line. Depending on an organization’s specific requirements, security
products layered between the decryption mechanisms might include a firewall, intrusion prevention system, URL filtering,
unified threat management or data loss prevention technology. Each of these security functions is traditionally executed
individually once traffic passes through the initial decryption device in the stack.
While this process can be effective in uncovering the identity of encrypted traffic, it poses several issues:
• Added Latency. With numerous security devices, latency increases. This is particularly problematic for applications on the
government network that are sensitive to latency. For example, voice and video are prevalent, and demand low latency
and predictable jitter.
• Increased Time to Resolution. Decryption of SSL traffic can be complex. With the traditional approach, if an organization
needs to resolve a problem or security incident, it can be difficult to troubleshoot issues in the decryption flow and handling.
Individual products are not integrated and do not cross-communicate. There are often separate subject matter experts for
each product, and many logs to review to find the source of an issue and apply timely, appropriate security efforts to
remediate effectively.
• Increased Personnel and Operational Costs. Even without decryption, stand-alone security products and capabilities
require individual, dedicated subject matter experts. This adds to resource and operational expenditures, and can often
result in a separation of minds and misalignment of security goals.
• Cumbersome and Costly SIEM. Each security device deployed in-line can add to Security Incident and Event Management
expenses. The additional personnel and correlation requirements between divided resources can become costly and cum-
bersome over time.

Palo Alto Networks Approach


Palo Alto Networks® Next-Generation Security Platform integrates SSL/SSH decryption with optional hardware security module support for enhanced performance and security of certificate and key management. Available application, content and user identification capabilities on the appliances, referred to as App-ID™, Content-ID™ and User-ID™ technology respectively, enable security administrators to identify the applications, URL categories or content types, and individual users or groups accessing the network. These and other related features offer government administrators integrated, comprehensive SSL/SSH inspection with their security appliances.

The virtual and physical appliances integrate security mechanisms up through Layer 7 to gain complete control over network activity at the firewall level. As displayed in Figure 1, administrators can apply decryption to determine the identity and intended activity of HTTPS traffic. Using SharePoint® as an example, policy can be applied to control what activity is allowed: an administrator can allow access to SharePoint, but deny document sharing. With integrated SSL/SSH decryption, this can be done without having to go through multiple locations and devices to determine port/protocol, application, signature, etc., and then decrypt the communications. Certificate and key management features can be used to block expired certificates, terminate sessions with untrusted issuers or certificates signed by untrusted CAs, and block unsupported certificate versions and ciphers.

Figure 1: Decrypting communications using Palo Alto Networks Next-Generation Security Platform. (Flow diagram; labels: Start; SYN / SYN ACK / ACK between Initiator and Receiver; Connection Established, Stateful Firewall; IP/Port and Policy Checks; Decryption (SSL or SSH); Known Protocol Decoder with Decode Signatures, Unknown Protocol Decoder with Apply Heuristics; Check Signatures; Application Identified Traffic (No Decoding); Report and Enforce Policy; worked path Web Browser → HTTPS → SharePoint → SharePoint Docs.)

Additional benefits include:
• Complete safe enablement of traffic and applications in the network, including encrypted communications.
• Streamlined and more effective approach to decryption and security.
• Resource improvements spanning time, personnel and expenditures.
• Reduced latency, particularly for time-sensitive applications and networks.
• Greater decryption throughput.
• Shorter decision loop for swifter prevention.


The appliances use the previously mentioned identification technologies to analyze network traffic and enforce security policy.
SSL/TLS and SSH decryption policies are integrated with these technologies and allow simple, effective policy enforcement.
Source zone, IP address and User-ID, destination zone and address, as well as URL category (including any custom ones created),
action (to decrypt or not), type (SSL Forward Proxy, SSL Inbound Inspection or SSH Proxy) and decryption profile are
all configurable options (see Figure 2).

# | Name | Source Zone | Source Address | User | Destination Zone | Destination Address | URL Category | Action | Type | Decryption Profile
1 | No Decrypt | L3-Trust 1 | any | any | L3-Trust 1 | any | financial-services, government, health and medi…, shopping | no-decrypt | ssl-forward-proxy | DecryptProfile-block
2 | Decrypt Important | L3-Trust 1 | any | any | L3-Untrust 1 | any | alcohol-and-toba…, entertainment-an…, internet-portals | decrypt | ssl-forward-proxy | DecryptProfile-block
3 | ssh proxy | L3-Trust 1 | any | any | L3-Untrust 1 | any | any | decrypt | ssl-proxy | DecryptProfile-block
4 | inbound policy | L3-Untrust 1 | any | any | L3-Trust 1 | any | any | decrypt | ssl-inbound-inspection | DecryptProfile-block, PAN-SSL Decrypt

Figure 2: Example decryption policy on Palo Alto Networks Next-Generation Security Platform

Security and network administrators can apply additional enforcement options to protect agency assets, including the ability to:
• Block expired certificates to stop user “click through” for those users who tend to click “OK” to everything.
• Block sessions with untrusted issuers or certificates signed by untrusted certificate authorities. It sometimes helps to be
able to edit which root certificate administrators want the users to trust.
• Block or bypass unsupported certificate versions and ciphers. Most of the time, unsupported versions and ciphers are
being used to circumvent the security and policy.
• Block or bypass if resources are not available.
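To make the Figure 2 rulebase and the enforcement options above concrete, the following is an added Python example (not Palo Alto Networks code and not the PAN-OS policy engine) that evaluates the four rules first-match and then applies the expired-certificate, untrusted-issuer and unsupported-version/cipher checks. The trusted issuer, supported versions, blocked cipher and the sample certificate are constructed values, and category names the table shows truncated are omitted rather than guessed.

```python
from collections import namedtuple
from datetime import date

Rule = namedtuple("Rule", "name src_zone dst_zone categories action kind profile")  # one row of the Figure 2 table
ANY = frozenset({"any"})  # category wildcard

# Ordered rulebase transcribed from Figure 2; first match wins. Category names
# the page shows truncated are left out rather than guessed.
RULES = [
    Rule("No Decrypt", "L3-Trust 1", "L3-Trust 1",
         frozenset({"financial-services", "government", "shopping"}),
         "no-decrypt", "ssl-forward-proxy", "DecryptProfile-block"),
    Rule("Decrypt Important", "L3-Trust 1", "L3-Untrust 1",
         frozenset({"internet-portals"}),
         "decrypt", "ssl-forward-proxy", "DecryptProfile-block"),
    Rule("ssh proxy", "L3-Trust 1", "L3-Untrust 1", ANY,
         "decrypt", "ssl-proxy", "DecryptProfile-block"),
    Rule("inbound policy", "L3-Untrust 1", "L3-Trust 1", ANY,
         "decrypt", "ssl-inbound-inspection", "DecryptProfile-block"),
]

def match_rule(src_zone, dst_zone, category):
    # First rule whose zones and URL category match, else None
    for r in RULES:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.categories == ANY or category in r.categories)):
            return r
    return None

# Server certificate fields the profile checks look at (constructed model)
ServerCert = namedtuple("ServerCert", "issuer not_after version cipher")

def sample_cert(**overrides):
    # Constructed well-formed certificate; override fields to simulate failures
    base = ServerCert("Example Root CA", date(2018, 1, 1), "TLSv1.2", "AES128-GCM-SHA256")
    return base._replace(**overrides)

# Constructed stand-in for the "DecryptProfile-block" settings the page lists
TRUSTED_ISSUERS = {"Example Root CA"}
SUPPORTED_VERSIONS = {"TLSv1.1", "TLSv1.2"}
BLOCKED_CIPHERS = {"RC4-MD5"}

def decide(src_zone, dst_zone, category, cert, today=date(2017, 6, 26)):
    # Apply the matching rule, then the profile checks; returns (verdict, detail)
    rule = match_rule(src_zone, dst_zone, category)
    if rule is None or rule.action == "no-decrypt":
        return ("pass", rule.name if rule else None)  # forwarded undecrypted
    if cert.not_after < today:
        return ("block", "expired certificate")
    if cert.issuer not in TRUSTED_ISSUERS:
        return ("block", "untrusted issuer")
    if cert.version not in SUPPORTED_VERSIONS:
        return ("block", "unsupported version")
    if cert.cipher in BLOCKED_CIPHERS:
        return ("block", "unsupported cipher")
    return ("decrypt", rule.kind)
```

Note that a trusted-zone session to a "shopping" site falls through rule 2 and is caught by rule 3's "any" category, which is the kind of ordering effect worth checking before committing a rulebase.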
The types of decryption an administrator can choose, depending on objectives and network considerations, include SSL Forward
Proxy, SSL Inbound Inspection and SSH Proxy. There are other considerations for how government agencies may approach
decryption on their network to search for attacker communications. More information on these and other details for SSL and SSH
decryption can be found in the following resources:
• Enforcing SSL and SSH Security for Federal Agencies
• PAN-OS® 8.0 Administrator’s Guide: Decrypt Traffic for Full Visibility and Threat Inspection
• LIVE Community: Safely inspecting SSL transactions

Real-World Federal Government Customer Deployment


In this real-world example, a large federal institution with more than 400,000 users throughout the continental U.S. needed to
protect its network from malware and threats hiding in encrypted traffic. Already a long-time Palo Alto Networks customer, the
institution saw a 40 percent increase in encrypted traffic. With the original specifications for the network, however, security was
only able to secure 50 percent of all traffic coming out of the network perimeter, and they were seeing a significant spike in CPU
utilization. Meanwhile, with significant investments in security practitioners, operations and products, the security team was
faced with a vexing question: “How does it feel that after all your security processes, procedures and money spent, you are only
protecting about a quarter of your internet traffic?”
To offset disruption and continue to enforce maximum security and operational efficiency, the team discussed the institution’s
networking needs, accounting for the full level of SSL decryption required for their security. Ultimately, they chose to meet these
needs with Palo Alto Networks PA-7000 Series appliances and on-board SSL decryption. With SSL decryption in operation, the
customer can safely enable traffic and applications in their network, including the vast increase in encrypted communications.


Implementation Overview
Products deployed:
• Palo Alto Networks PA-7080 next-generation firewalls
• Subscriptions include: URL Filtering, Threat Prevention, WildFire™ cloud-based threat analysis service

How customer implemented (high level):


• Deployed a pair of highly available Palo Alto Networks firewalls at each trusted perimeter gateway.
• Each gateway, or TIC, averages 450,000 sustained sessions with more than 5 Gbps of throughput.
• Based on App-ID deployment, the customer became able to accurately, confidently identify encrypted traffic traversing
the network, ultimately deciding to implement SSL decryption as a result.
• Security methodically enables SSL decryption on a subset of URL Filtering categories in PAN-DB while monitoring both device
performance impact and user impact.
• Although deployment is in the preliminary stages, the customer has gained insight into more than 100 million SSL sessions
per day to which they were previously blind, applying advanced threat protection to mitigate risk.

How customer’s SSL decryption works (high level):


• Using policy-based decryption, PA-7080 appliances decrypt, inspect and control inbound as well as outbound SSL and SSH
connections to:
◦ Prevent malware concealed as encrypted traffic.
◦ Prevent sensitive information from moving
◦ Ensure only whitelisted applications are running on the secure network.
• To account for security risks introduced by the end user community, SSL Forward Proxy capability (see Figure 3) is used to
decrypt internet traffic sourced from internal users.
• Hardware security module integration with third-party solution to manage, process and store cryptographic keys required for
SSL decryption.
• Future security capabilities to include Decryption Port Mirroring, as shown in Figure 4, on PA-7080 appliances for analysis of
traffic on Box.com.

Figure 3: Palo Alto Networks SSL Forward Proxy capability. (Diagram: Internal User, PA-5260 firewall, External Server. The user
requests an SSL connection; the server sends its certificate to the firewall; the firewall generates and sends a certificate to the
user; the client verifies the certificate from the firewall. Two session keys are shown, Session Key 1 on the user side of the
firewall and Session Key 2 on the server side.)

Figure 4: Palo Alto Networks Decryption Port Mirroring. (Diagram: SSL/TLS session to GOOGLE.COM through the firewall; decrypted
PLAINTEXT is mirrored to a DATA LEAKAGE PREVENTION device.)

Benefits of Using Palo Alto Networks for Decryption
• Business Benefits:
• Prevent undesired applications and malicious content from impacting government networks.
• Block unauthorized attempts to access vital government IT and computers.
• Maintain compliance with government mandates to ensure SSL/SSH traffic is decrypted and examined for malware, unauthorized
access, or other indicators of a cyberattack.


• Operational Benefits:
• Support government agency requirements to selectively decrypt and inspect potentially malicious traffic across primary use
cases (e.g., SSL Forward Proxy, SSL Inbound Inspection, SSH Proxy).
• Flexibility in configurations.
• Hardware security module approach to key management also supported.
• Security Benefits:
• Identify, inspect and control inbound and outbound SSL communication; identify and control SSH tunneling traffic.
• Reduce the likelihood of successful state-sponsored attacks against governments, including preventing the exfiltration of PII and
other sensitive or classified data.
• Detect and prevent threats, hidden attacks and data leakage.
• Ensure attackers are not using public key infrastructure to attack government networks and prevent attackers’ use of
counterfeit, expired and invalid certificates to mount an attack.

Conclusion
As more internet traffic is encrypted using SSL or TLS, along with the continued availability of SSH for remote communications,
increasing numbers of attackers – including state-sponsored actors – are using these technologies to hide their efforts and launch
successful attacks. A comprehensive security strategy for government agencies requires in-depth analysis of encrypted traffic to
detect and prevent hidden attacks and data leakage. Palo Alto Networks Next-Generation Security Platform provides the most
effective approach, with integrated core security capabilities, including SSL/SSH decryption. With a comprehensive encryption
inspection approach that supports different encryption options and multiple use cases for flexibility, the appliances can support
government agencies’ decryption efforts. In addition, open APIs support integration to meet additional requirements. Remember
to follow recommended best practices to meet your network considerations.

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies. decrypt-ssl-and-ssh-traffic-to-disrupt-attacker-communications-and-theft-uc-062617
