Application Note

SSL Decryption

Introduction

SSL encryption is the cornerstone technology that makes the Internet secure. Email, e-commerce, voice-over-IP, online banking, remote health, and countless other services are kept secure with SSL. Unfortunately, most of that traffic goes uninspected because many security and performance monitoring tools lack the ability to see inside the encrypted sessions. Monitoring application performance and network usage patterns becomes impossible if you cannot determine which applications are running over the network. Even worse, malware can create SSL sessions to hide its activity, confident that security tools will neither inspect nor block the traffic. The very technology that makes the Web secure can become a threat vector.

Decrypting SSL traffic requires knowledge of the keys used for encryption. The public keys are clearly visible at the start of the transaction, but access to the private keys is controlled by the administrator.

Key Customer Applications

SSL Decryption is required for a variety of applications:

Malware Detection: Once malware exploits a host, it can complete the kill chain using SSL transactions

Data Loss Prevention: Whether initiated by malware or a user from inside the corporate firewall, confidential data and files can be encrypted and leaked using SSL connections

Application Performance Monitoring: Key business applications use SSL to ensure authentication, but this obscures data required for proper monitoring

Cloud Services Monitoring: Secure services running in the cloud, including Web applications, all look the same at the TCP/IP layer and it is not until the SSL sessions are decrypted that they can be differentiated and monitored

Existing Solutions

SSL decryption is available directly on some monitoring tools. However, those solutions tend to cause a severe performance degradation and are also very expensive. Offloading SSL decryption not only allows the tool to return to full performance, but also eliminates the need to have multiple decryption licenses for multiple tools. Furthermore, SSL decryption on a specific security appliance, for example, does not help with other tools, such as application performance monitoring; Gigamon can supply decrypted traffic to both simultaneously. Clearly, by delivering SSL decryption as a common service to the connected monitoring and security tools, the overall efficiency, security and performance of the infrastructure can be maximized.

Existing inline technologies, such as SSL proxies and application load balancers, provide SSL decryption, but they are not optimized for a visibility architecture. They lack the scalability to handle traffic from multiple TAPs across the network or to filter and replicate decrypted traffic to multiple monitoring tools. With limited modularity or extensibility, increasing SSL throughput often requires new hardware. Lastly, they provide no visibility functionality or traffic intelligence for non-encrypted traffic.


Gigamon Solution

Given that Gigamon’s Unified Visibility Fabric has access to the bidirectional traffic, it has the ability to observe the exchange of public keys at the start of the transaction. Once the administrator loads the private keys, they are securely stored on the system. The power of the GigaSMART® traffic intelligence engine can then decrypt the traffic and forward it to tools for analysis. Each GigaSMART module contains high-performance compute engines that have hardware performance accelerators to handle SSL traffic.

SSL Decryption is not limited to specific ingress ports or where the GigaSMART engine is located within the Visibility Fabric. Any traffic received on any network port in the cluster of Gigamon Visibility Fabric nodes can take advantage of SSL Decryption. And that traffic can be sent to any tool ports in the cluster. This is an important attribute because not every node in the cluster needs to have the SSL Decryption capability. Additional Flow Mapping® technology and/or GigaSMART applications can also be applied to decrypted traffic. Furthermore, additional SSL Decryption throughput can be achieved by adding more GigaSMART modules to the cluster, allowing inspection to grow as SSL processing needs increase.

Because SSL traffic can contain sensitive user data, special care must be taken to ensure that this data remains secure. After decrypting the packets, they can be sliced to remove irrelevant or private payload data. Alternatively, fields within the payload can be masked. In both cases, private data is never stored, read, or analyzed by the monitoring tools. This helps keep networks within regulatory compliance and greatly simplifies the auditing process.
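The two payload-protection options described above, packet slicing (truncate the decrypted payload) and field masking (overwrite selected fields in place), as an added example. This is not Gigamon's code; the masking policy, header names and the sample HTTP request are constructed for illustration. Masking preserves length so that packet offsets the downstream tools rely on stay valid.

```python
"""Added example: slicing and masking a decrypted payload before it is
forwarded to monitoring tools. Stdlib only; policy and sample data are constructed."""
import re

# Constructed policy: fields that must never reach a tool in the clear.
MASK_PATTERNS = [
    re.compile(rb"(?im)^(Authorization:\s*)([^\r\n]+)"),  # keep header name, mask value
    re.compile(rb"(?im)^(Cookie:\s*)([^\r\n]+)"),
    re.compile(rb"\b(?:\d[ -]?){13,19}\b"),                 # card-number-like digit runs
]

# Constructed sample: a decrypted HTTP request containing credentials and a card number.
REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Authorization: Bearer abc123\r\n"
    b"Cookie: session=deadbeef\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"card=4111111111111111&amount=42"
)


def slice_payload(payload: bytes, keep: int) -> bytes:
    """Packet slicing: keep only the first `keep` bytes and drop the rest."""
    return payload[:keep]


def slice_at_body(payload: bytes) -> bytes:
    """Slicing variant for HTTP: keep the headers (through the blank line), drop the body."""
    end = payload.find(b"\r\n\r\n")
    return payload if end < 0 else payload[: end + 4]


def mask_payload(payload: bytes, patterns=MASK_PATTERNS, fill: bytes = b"X") -> bytes:
    """Masking: overwrite sensitive fields in place, preserving the total length."""

    def repl(m: re.Match) -> bytes:
        if m.lastindex:  # header pattern: group 1 is the name, group 2 the value
            return m.group(1) + fill * len(m.group(2))
        return fill * len(m.group(0))  # bare pattern: mask the whole match

    for pat in patterns:
        payload = pat.sub(repl, payload)
    return payload


def apply_policy(payload: bytes, mode: str, keep: int = 64) -> bytes:
    """Choose what a tool port receives: 'slice', 'headers', 'mask' or 'raw'."""
    if mode == "slice":
        return slice_payload(payload, keep)
    if mode == "headers":
        return slice_at_body(payload)
    if mode == "mask":
        return mask_payload(payload)
    return payload


if __name__ == "__main__":
    print(apply_policy(REQUEST, "mask").decode())
```

Masking runs the header patterns before the digit pattern, so a header value that happened to contain digits is already overwritten when the card-number pattern is applied; a policy that masks only bodies or only headers would reorder or drop patterns accordingly.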

Proper handling of the private keys is vital to maintain security compliance. Gigamon only allows keys to be uploaded, changed, or deleted by users designated by the administrator. Keys are encrypted using a special password which is distinct from the generic system admin password.

Figure 1: The steps to SSL Decryption


The Steps to SSL Decryption

1. Tap the network and connect it to Gigamon’s Visibility Fabric.

2. Select which flows to monitor and the GigaSMART engine will identify the exchange of public keys at the start of the transaction.

3. The private keys, which have been uploaded by the administrator, are encrypted and stored under tight password and role-based access controls.

4. GigaSMART then uses the private and public keys to decrypt the SSL traffic.

5. The clear packets can be sent directly to your monitoring tools or additional Flow Mapping and GigaSMART operations can be applied.
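The key material behind steps 2 to 4, as an added example (not Gigamon's code). With RSA key exchange, the client sends the 48-byte premaster secret encrypted to the server's public key; an observer holding the server's private key recovers it from the ClientKeyExchange (the RSA decryption itself is not modelled here) and then needs only the ClientHello and ServerHello randoms, both visible on the wire, to derive the same master secret and record keys as the two endpoints (RFC 5246 sections 5, 6.3 and 8.1). With (EC)DHE suites the premaster never crosses the wire in that form, so a stored private key alone does not allow this derivation. All randoms, the premaster and the record fragment below are constructed values.

```python
"""Added example: TLS 1.2 key schedule as computed by a passive decryptor.
Stdlib only; inputs are constructed, not captured traffic."""
import hashlib
import hmac
import os
import struct


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


# (mac_key_len, enc_key_len, fixed_iv_len) for TLS_RSA_WITH_AES_128_CBC_SHA
AES_128_CBC_SHA = (20, 16, 16)


def key_block(master: bytes, client_random: bytes, server_random: bytes, params) -> dict:
    """PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random),
    split into client/server MAC keys, write keys and IVs. Note the randoms are
    concatenated in the opposite order from master-secret derivation."""
    mac_len, key_len, iv_len = params
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def record_mac(mac_key: bytes, seq: int, content_type: int, version: bytes, fragment: bytes) -> bytes:
    """Record MAC (RFC 5246 6.2.3.1): HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QB2sH", seq, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def demo() -> dict:
    """Endpoint and observer derive identical key material from premaster + randoms."""
    client_random = os.urandom(32)                 # constructed ClientHello.random
    server_random = os.urandom(32)                 # constructed ServerHello.random
    premaster = b"\x03\x03" + os.urandom(46)       # constructed; first two bytes = client_version

    endpoint_keys = key_block(master_secret(premaster, client_random, server_random),
                              client_random, server_random, AES_128_CBC_SHA)
    # The observer has the same three inputs: premaster (via the private key) and both randoms.
    observer_keys = key_block(master_secret(premaster, client_random, server_random),
                              client_random, server_random, AES_128_CBC_SHA)

    fragment = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed application data
    tag = record_mac(endpoint_keys["client_mac"], 0, 23, b"\x03\x03", fragment)
    verified = hmac.compare_digest(
        tag, record_mac(observer_keys["client_mac"], 0, 23, b"\x03\x03", fragment))
    return {"same_keys": endpoint_keys == observer_keys, "mac_verified": verified}


if __name__ == "__main__":
    print(demo())
```

The record MAC check stands in for record decryption, which needs an AES implementation outside the standard library; the point is that the observer's `client_mac` key, and equally its `client_key`, are byte-for-byte those of the endpoints.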

Key Features


First in the Industry to Integrate SSL Decryption into a Unified Visibility Fabric

Decrypt traffic from anywhere within the Visibility Fabric and send to any connected tools

With Flow Mapping technology, direct any user-defined flows, not just those on port 443, for decryption

SSL3, TLS 1.0, 1.1 and 1.2 Support

Public key: RSA

Symmetric key algorithms: AES, 3DES, DES, RC4, CAMELLIA, SEED, IDEA

Hashing algorithms: MD5, SHA1, SHA2

Supported applications: HTTPS, FTPS, and SMTP, IMAP and POP3 with StartTLS

Supported key sizes: 128, 256, 512, 1024, 2048, and 4096

SSL Decryption Statistics

Idle sessions and reusable keys

Session-level Stats: packets, discards, errored packets, resumptions

Secure Storage of Private Keys

Encryption with independent password

Restricted key access based on role-based access controls
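A check a practitioner would want before relying on the feature list above: parse the ServerHello of a flow (on any port, as Flow Mapping allows) and report the negotiated version and cipher suite, and whether that suite uses static RSA key exchange, the only case in which a stored private key can decrypt the session; suites with an ephemeral (EC)DHE exchange cannot be decrypted passively this way. This is an added example, not Gigamon's code. The cipher-suite table is a short excerpt of IANA assignments, the ServerHello builder exists only to produce test input, and the version table mirrors the SSL3/TLS 1.0/1.1/1.2 support listed above.

```python
"""Added example: classify a TLS ServerHello for passive decryptability.
Stdlib only; sample handshakes are constructed by build_server_hello()."""
import struct

# Excerpt of IANA cipher-suite assignments (values and names as registered).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: key exchange is always ephemeral
}

# Protocol versions the page lists as supported.
VERSIONS = {b"\x03\x00": "SSL 3.0", b"\x03\x01": "TLS 1.0", b"\x03\x02": "TLS 1.1", b"\x03\x03": "TLS 1.2"}


def build_server_hello(version: bytes, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (test input only; random is all zeros)."""
    body = version + bytes(32) + bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from a TLS handshake record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:  # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ServerHello")
    version = hs[0:2]
    pos = 35 + hs[34]  # skip session_id
    if len(hs) < pos + 3:  # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, suite


def classify(record: bytes) -> dict:
    """Report version, suite and whether a stored RSA private key can decrypt the session."""
    version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, "unknown_0x%04x" % suite)
    if "_WITH_" in name:
        key_exchange = name.split("_WITH_")[0][len("TLS_"):]  # e.g. "RSA", "ECDHE_RSA"
    else:
        key_exchange = "ephemeral (TLS 1.3)"
    static_rsa = key_exchange == "RSA"
    return {
        "version": VERSIONS.get(version, "unsupported"),
        "suite": name,
        "key_exchange": key_exchange,
        "passively_decryptable": static_rsa and version in VERSIONS,
    }


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(classify(build_server_hello(b"\x03\x03", suite)))
```

Because the decision depends only on the ServerHello, a flow can be classified before any application data arrives, which is when a visibility fabric must decide whether to route it to the decryption engine or straight to the tools.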

Key Benefits

Obtain Visibility to Encrypted Traffic

Enable malware detection, intrusion detection, data loss prevention, network forensics

Send clear traffic to application performance management, network performance monitoring, customer experience management tools

Integrate SSL Inspection into a Multi-Tiered Security Solution

Prevent malware from hiding within uninspected SSL sessions

Forward any traffic that does not match known flows to GigaSMART for decryption

Decrypt traffic from the cloud and/or remote sites

Improve Tool Performance

Offload SSL Decryption to the Visibility Fabric, freeing tool resources for packet analysis

Apply decryption once for all tools rather than separately on each tool

Chain Multiple GigaSMART Applications Together

Terminate tunnels sent from GigaVUE-VM, remote sites, and/or ERSPAN

Apply Flow Mapping and SSL Decryption

Use Adaptive Packet Filtering for L7-based packet forwarding

Obscure private data with packet slicing or masking

Figure 2: Combine SSL Decryption with GigaSMART services such as tunnel de-encapsulation and Adaptive Packet Filtering

[Figure 2 shows physical and virtual (GigaVUE-VM) sources feeding the Visibility Fabric, where Tunnel Termination, Flow Mapping®, SSL Decryption and Adaptive Packet Filtering are chained. Example flows: web server connect requests to NPM/CEM, remote site traffic to DLP, and East-West traffic between virtual workloads to IPS.]

Summary

SSL is a vital Internet technology upon which more and more applications will rely. However, it severely limits visibility for both performance and security monitoring. The growing security threat posed by uninspected SSL sessions increases the urgency for inspecting SSL traffic. By decrypting SSL traffic for out-of-band monitoring, Gigamon provides visibility where none existed. Rather than turning a blind eye to SSL traffic, the full capabilities of Flow Mapping technology and GigaSMART traffic intelligence can be applied.

Decrypting SSL is a tremendous processing burden for monitoring tools that do it themselves; this greatly inhibits tool performance and increases the cost of monitoring. By supplying clear, decrypted traffic to multiple tools, Gigamon can be implemented to provide immediate value and return on investment in capital expenditure, licensing fees, and management costs.

About Gigamon

Gigamon provides an intelligent Unified Visibility Fabric to enable the management of increasingly complex networks. Gigamon technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies, centralized management and a portfolio of high availability and high density fabric nodes, network traffic is intelligently delivered to management, monitoring and security systems. Gigamon solutions have been deployed globally across enterprises, data centers and service providers, including over half of the Fortune 100 and dozens of government and state and local agencies.

For more information about the Gigamon Unified Visibility Fabric visit: www.gigamon.com