Palo Alto Networks | Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft | Use Case 1
USE CASE: Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft
Traditional Approach
Traditional approaches to decryption typically comprise a pair of dedicated decryption devices (e.g., an SSL decryption appliance or a load balancer) with multiple security products deployed in-line between them. Depending on an organization's specific requirements, the security products layered between the two decryption devices might include a firewall, an intrusion prevention system, URL filtering, unified threat management or data loss prevention technology. Each of these security functions is traditionally executed individually once traffic has passed through the initial decryption device in the stack.
While this process can be effective in exposing encrypted traffic for inspection, it poses several issues:
• Added Latency. Every additional in-line security device adds latency. This is particularly problematic for applications on the government network that are sensitive to delay: voice and video are prevalent, and demand low latency and predictable jitter.
• Increased Time to Resolution. Decryption of SSL traffic can be complex. With the traditional approach, when an organization needs to resolve a problem or a security incident, it can be difficult to troubleshoot the decryption flow and the handling of decrypted traffic. The individual products are not integrated and do not cross-communicate. There are often separate subject matter experts for each product, and many logs to review before the source of an issue can be found and timely, appropriate remediation applied.
• Increased Personnel and Operational Costs. Even without decryption, stand-alone security products and capabilities require individual, dedicated subject matter experts. This adds to resource and operational expenditures, and can result in siloed teams with misaligned security goals.
• Cumbersome and Costly SIEM. Each security device deployed in-line adds to Security Information and Event Management expenses. The additional personnel and the correlation required between divided data sources can become costly and cumbersome over time.
[Figure 1: session-flow diagram; the image did not survive extraction. Labels recovered from it: Initiator (Web Browser) and Receiver (SharePoint Docs over HTTPS); SYN and SYN ACK; Start; Policy Check; Application Identified / Traffic (No Decoding); IP/Port, port/protocol, application, signature; Unknown Protocol Decoder; Certificate; Signatures. The body text interleaved with the figure survives only in fragments: "... multiple locations and devices to determine ...", "... then decrypt the communications.", "... and key management features can be used to ...".]
The appliances use the previously mentioned identification technologies to analyze network traffic and enforce security policy.
SSL/TLS and SSH decryption policies are integrated with these technologies and allow simple, effective policy enforcement.
Source zone, IP address and User-ID, destination zone and address, as well as URL category (including any custom ones created),
action (to decrypt or not), type (SSL Forward Proxy, SSL Inbound Inspection or SSH Proxy) and decryption profile are
all configurable options (see Figure 2).
Each rule has a Name, a Source (Zone, Address, User), a Destination (Zone, Address, URL Category), an Action, a Type and a Decryption Profile. The four rules shown, in evaluation order, are:

Rule 1, No Decrypt: source zone L3-Trust 1, address any, user any; destination zone L3-Trust 1, address any; URL categories financial-services, government, health-and-medi…, shopping; action no-decrypt; type ssl-forward-proxy; decryption profile DecryptProfile-block.
Rule 2, Decrypt Important: source zone L3-Trust 1, address any, user any; destination zone L3-Untrust 1, address any; URL categories alcohol-and-toba…, entertainment-an…, internet-portals; action decrypt; type ssl-forward-proxy; decryption profile DecryptProfile-block.
Rule 3, ssh proxy: source zone L3-Trust 1, address any, user any; destination zone L3-Untrust 1, address any; URL category any; action decrypt; type ssh-proxy; decryption profile DecryptProfile-block.
Rule 4, inbound policy: source zone L3-Untrust 1, address any, user any; destination zone L3-Trust 1, address any; URL category any; action decrypt; type ssl-inbound-inspection; decryption profile DecryptProfile-block. This rule additionally references the certificate PAN-SSL Decrypt, the server certificate and private key that SSL Inbound Inspection requires.

(Category names truncated in the original figure are left truncated. The figure shows the type of rule 3 as "ssl-proxy"; the PAN-OS decryption type for SSH is ssh-proxy.)
Figure 2: Example decryption policy on Palo Alto Networks Next-Generation Security Platform
Security and network administrators can apply additional enforcement options to protect agency assets, including the ability to:
• Block sessions that present expired certificates, removing the "click through" option for users who tend to click "OK" to everything.
• Block sessions with untrusted issuers, i.e. certificates signed by a certificate authority the firewall does not trust. Administrators can edit the set of root certificates the firewall (and therefore its users) trusts.
• Block or bypass sessions that negotiate unsupported protocol versions or cipher suites. Unsupported versions and ciphers are frequently chosen precisely to evade security inspection and policy.
• Block or bypass sessions when the firewall's decryption resources are exhausted.
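The following added example, which is not Palo Alto Networks code, models the rules of Figure 2 and the enforcement options above as a first-match policy evaluator in Python. The zone names, rule names, URL categories, actions and types are transcribed from the figure; the session records, the supported-version and cipher lists, the settings of DecryptProfile-block, the reference time and the mapping of checks to decryption types are assumptions made for this illustration.

```python
"""Toy evaluator for the Figure 2 decryption policy and its profile checks.

Added example, not Palo Alto Networks code. Rules are transcribed from the
figure; profile settings, sessions, reference time and which checks apply to
which decryption type are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional

ANY = frozenset()  # an empty category set means "any"


def ts(y: int, m: int, d: int) -> datetime:
    """UTC timestamp helper for certificate validity dates."""
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = ts(2017, 6, 26)  # constructed reference time for expiry checks


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    categories: FrozenSet[str]  # URL categories; ANY matches everything
    action: str                 # "decrypt" or "no-decrypt"
    type: str                   # ssl-forward-proxy | ssh-proxy | ssl-inbound-inspection
    profile: str


# Rules 1-4 as transcribed from Figure 2, in evaluation order (truncated names kept).
POLICY: List[Rule] = [
    Rule("No Decrypt", "L3-Trust 1", "L3-Trust 1",
         frozenset({"financial-services", "government", "health-and-medi...", "shopping"}),
         "no-decrypt", "ssl-forward-proxy", "DecryptProfile-block"),
    Rule("Decrypt Important", "L3-Trust 1", "L3-Untrust 1",
         frozenset({"alcohol-and-toba...", "entertainment-an...", "internet-portals"}),
         "decrypt", "ssl-forward-proxy", "DecryptProfile-block"),
    Rule("ssh proxy", "L3-Trust 1", "L3-Untrust 1", ANY, "decrypt", "ssh-proxy", "DecryptProfile-block"),
    Rule("inbound policy", "L3-Untrust 1", "L3-Trust 1", ANY, "decrypt", "ssl-inbound-inspection",
         "DecryptProfile-block"),
]


@dataclass(frozen=True)
class Profile:
    """Assumed settings for DecryptProfile-block (the figure shows only its name)."""
    block_expired_cert: bool = True
    block_untrusted_issuer: bool = True
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True
    supported_versions: FrozenSet[str] = frozenset({"TLSv1.2", "TLSv1.3"})
    supported_ciphers: FrozenSet[str] = frozenset({
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"})


PROFILES = {"DecryptProfile-block": Profile()}


@dataclass(frozen=True)
class Session:
    """What the firewall knows about a flow when it decides whether to decrypt it."""
    from_zone: str
    to_zone: str
    protocol: str                          # "ssl" or "ssh"
    category: str = "any"                  # URL category of the destination
    cert_not_after: Optional[datetime] = None
    issuer_trusted: bool = True
    version: str = "TLSv1.2"
    cipher: str = "ECDHE-RSA-AES128-GCM-SHA256"


def rule_applies(rule: Rule, s: Session) -> bool:
    """Zones, category and protocol must all fit. Simplification: ssh-proxy rules
    apply only to SSH sessions, the two SSL types only to SSL sessions."""
    if (rule.from_zone, rule.to_zone) != (s.from_zone, s.to_zone):
        return False
    if rule.categories and s.category not in rule.categories:
        return False
    return (rule.type == "ssh-proxy") == (s.protocol == "ssh")


def match_rule(s: Session, policy: List[Rule] = POLICY) -> Optional[Rule]:
    """First match wins, as the rulebase is evaluated top to bottom."""
    return next((r for r in policy if rule_applies(r, s)), None)


def profile_violations(rule: Rule, s: Session, p: Profile, now: datetime) -> List[str]:
    """Enforcement options that turn a 'decrypt' verdict into a block."""
    reasons: List[str] = []
    if s.protocol != "ssl":
        return reasons  # certificate and cipher checks are SSL/TLS checks
    if rule.type == "ssl-forward-proxy":
        # Only forward proxy validates a remote server's certificate; with inbound
        # inspection the agency owns the server certificate and key.
        if p.block_expired_cert and s.cert_not_after is not None and s.cert_not_after < now:
            reasons.append("expired certificate")
        if p.block_untrusted_issuer and not s.issuer_trusted:
            reasons.append("untrusted issuer")
    if p.block_unsupported_version and s.version not in p.supported_versions:
        reasons.append(f"unsupported version {s.version}")
    if p.block_unsupported_cipher and s.cipher not in p.supported_ciphers:
        reasons.append(f"unsupported cipher {s.cipher}")
    return reasons


def decide(s: Session, now: datetime = NOW, policy: List[Rule] = POLICY) -> str:
    """Return 'no-rule', 'no-decrypt', 'decrypt' or 'block: <reasons>'."""
    rule = match_rule(s, policy)
    if rule is None:
        return "no-rule"  # default when nothing matches: pass without decryption
    if rule.action == "no-decrypt":
        return "no-decrypt"
    bad = profile_violations(rule, s, PROFILES[rule.profile], now)
    return "block: " + ", ".join(bad) if bad else "decrypt"


if __name__ == "__main__":
    samples = {  # constructed sessions, not captured traffic
        "portal, valid cert": Session("L3-Trust 1", "L3-Untrust 1", "ssl", "internet-portals", ts(2018, 1, 1)),
        "portal, expired cert": Session("L3-Trust 1", "L3-Untrust 1", "ssl", "internet-portals", ts(2016, 1, 1)),
        "portal, TLSv1.0/RC4": Session("L3-Trust 1", "L3-Untrust 1", "ssl", "internet-portals",
                                       version="TLSv1.0", cipher="RC4-SHA"),
        "outbound banking": Session("L3-Trust 1", "L3-Untrust 1", "ssl", "financial-services"),
        "outbound ssh": Session("L3-Trust 1", "L3-Untrust 1", "ssh"),
        "inbound web server": Session("L3-Untrust 1", "L3-Trust 1", "ssl", "government"),
    }
    for label, sess in samples.items():
        print(f"{label:22s} -> {decide(sess)}")
```

Running it shows two things the table alone does not. First, the effect of the profile: a portal session that matches rule 2 is decrypted when its certificate and cipher are acceptable, but is blocked rather than decrypted when the certificate has expired or when it negotiated TLSv1.0 with RC4. Second, the effect of rule order and zones as transcribed: a financial-services session from L3-Trust 1 to L3-Untrust 1 matches no rule at all, because rule 1 is scoped to L3-Trust 1 on both sides, so it falls through to the default of no decryption rather than hitting the explicit no-decrypt rule; if the intent is to bypass outbound banking traffic, the bypass rule's destination zone needs to be the untrusted zone and it must stay above the decrypt rules.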
The types of decryption an administrator can choose, depending on objectives and network considerations, include SSL Forward
Proxy, SSL Inbound Inspection and SSH Proxy. There are other considerations for how government agencies may approach
decryption on their network to search for attacker communications. More information on these and other details for SSL and SSH
decryption can be found in the following resources:
• Enforcing SSL and SSH Security for Federal Agencies
• PAN-OS® 8.0 Administrator’s Guide: Decrypt Traffic for Full Visibility and Threat Inspection
• LIVE Community: Safely inspecting SSL transactions
Implementation Overview
Products deployed:
• Palo Alto Networks PA-7080 next-generation firewalls
• Subscriptions include: URL Filtering, Threat Prevention, WildFire™ cloud-based threat analysis service
• Operational Benefits:
  • Support government agency requirements to selectively decrypt and inspect potentially malicious traffic across the primary use cases (SSL Forward Proxy, SSL Inbound Inspection and SSH Proxy).
  • Flexibility in configuration.
  • Key management backed by a hardware security module is also supported.
• Security Benefits:
  • Identify, inspect and control inbound and outbound SSL communication; identify and control SSH tunneling traffic.
  • Reduce the likelihood of successful state-sponsored attacks against governments, including preventing the exfiltration of PII and other sensitive or classified data.
  • Detect and prevent threats, hidden attacks and data leakage.
  • Prevent attackers from abusing the public key infrastructure against government networks by blocking counterfeit, expired and otherwise invalid certificates.
Conclusion
As more internet traffic is encrypted using SSL or TLS, along with the continued availability of SSH for remote communications,
increasing numbers of attackers – including state-sponsored actors – are using these technologies to hide their efforts and launch
successful attacks. A comprehensive security strategy for government agencies requires in-depth analysis of encrypted traffic to
detect and prevent hidden attacks and data leakage. Palo Alto Networks Next-Generation Security Platform provides the most
effective approach, with integrated core security capabilities, including SSL/SSH decryption. With a comprehensive encryption
inspection approach that supports different encryption options and multiple use cases for flexibility, the appliances can support
government agencies' decryption efforts. In addition, open APIs support integration to meet additional requirements. Follow the recommended decryption best practices that fit your network's requirements.
Palo Alto Networks
4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. decrypt-ssl-and-ssh-traffic-to-disrupt-attacker-communications-and-theft-uc-062617