Security can be a tough gig. Sometimes a bit of user pain is the price of necessary security gain, and SSL inspection is a good example. As we’ll see below, it is essential to protecting a network, but it can mean that a user is temporarily unable to reach the website they need once every two years until that site has been categorised or whitelisted. No pain, no gain.
SSL inspection entails decrypting HTTPS, FTPS and any other application protocol carried over SSL/TLS, inspecting the cleartext, and re-encrypting it before sending it on. (SFTP runs over SSH rather than TLS, so an SSL inspection policy does not see inside it.) A consequence can be extra certificate errors or broken applications while the configuration is being fine tuned.
First, a bit of background. Firewalls have been around a lot longer than the World Wide Web or, as we know it today, the Internet. Firewalls, from a computing standpoint, were used to protect government, education and corporate databases and so on. These firewalls allowed control over the open ports into the database servers and the creation of rules restricting access to specific sources. Everything was relatively fine until the WWW came along and web servers became some of the protected endpoints. The very nature of a web server is that it serves up content to the Internet. Restricting the source network was no longer viable, and HTTP traffic on port 80 became the most used TCP port on the Internet. Everything was still good, as all the other ports could still be locked down. Then some bright spark had the idea of tunnelling non-web traffic over port 80!
That was the limit of early packet-filtering firewalls. Port-based control gave way to application-aware firewalls that could identify what the traffic actually was, whatever port it arrived on. This technology allowed genuine application traffic through while blocking traffic containing vulnerability exploits, known bad websites, viruses and malware, to name a few. While traffic was unencrypted, this level of protection did a good job.
Even though Secure Sockets Layer (SSL), and its successor TLS, was touted as the death knell of firewalls, it has provided secure, trusted communications over the insecure medium of the Internet. Unfortunately, it has also provided cover to those engaged in nefarious acts. At the same time as SSL has enabled businesses and individuals to pass sensitive information securely over the Web, it has hidden many of the attack vectors used by the less savoury side of things from the firewall that is supposed to stop them.
Consider the situation where malware has been installed on a computer via an email attachment or a visit to a compromised web site. The malware harvests logins and passwords and sends them back over an encrypted connection to a remote attacker, who could use the online banking details of the infected user to transfer money offshore to an untraceable bank account. Because both legitimate and illegitimate users take advantage of SSL and HTTPS, this traffic must be decrypted and inspected.
I’m not advocating security for security’s sake. Security must be in line with business requirements and practices, giving maximum protection for minimum disruption. Unfortunately, SSL decryption is not a simple set-and-forget exercise. The SSL traffic must be decrypted, inspected and then re-encrypted before being sent on its way, and the re-encrypted session is signed by the firewall’s own certificate authority rather than the real site’s. Steps need to be taken to minimise any adverse effect on users: distributing that signing certificate to every client so the re-encrypted traffic is trusted, and configuring trusted and categorised destinations such as Health, Government and Financial that bypass decryption. Expectations of end users need to be set regarding the need to identify uncategorised destinations as they occur; these destinations then need to be rated and/or whitelisted as part of the defence against the dark arts. Along with the above, internal applications utilising SSL, including any that pin their certificates, must be identified and the configuration adjusted to ensure they keep working.
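As an added example, not code from the original article, the following reproduces the certificate side of what was described above with nothing but openssl: it creates a throwaway inspection CA, forges a certificate for www.example.com under it (exactly as the firewall does on the fly for each site), and then checks that certificate the way a client would, both with and without the inspection CA installed. The CA name, the hostname and the file names are made up for the demonstration; on a real deployment the CA certificate is the one exported from the appliance and pushed out through group policy or an MDM.

```shell
#!/bin/sh
# Added example, not code from the original article. Reproduces with openssl
# what an SSL inspecting firewall does on the certificate side. The CA name,
# hostname and file names are made up for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The inspecting firewall's signing CA. The private key never leaves the
#    firewall; ca.pem is what has to be distributed to every client.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Corp SSL Inspection CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config ca.cnf -extensions v3_ca -keyout ca.key -out ca.pem 2>/dev/null

# 2. The certificate the firewall hands the client in place of the real
#    www.example.com certificate: same name and SAN, but signed by the
#    inspection CA, which is what lets the firewall read the session.
cat > leaf.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.com
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config leaf.cnf \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -extfile leaf.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# 3. What the client sees. verify_as_client TRUSTFILE HOSTNAME returns 0 when a
#    client whose only trust anchor is TRUSTFILE would accept leaf.pem for
#    HOSTNAME; an empty TRUSTFILE means "inspection CA not installed".
verify_as_client() {
    trust="$1"; host="$2"
    if [ -n "$trust" ]; then
        openssl verify -CAfile "$trust" -no-CApath -verify_hostname "$host" \
            leaf.pem >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$host" \
            leaf.pem >/dev/null 2>&1
    fi
}

# 4. The check a help desk can run when a site breaks: was the presented
#    certificate issued by our inspection CA, i.e. is this session inspected?
is_inspected() {
    openssl x509 -in "$1" -noout -issuer | grep -q "Example Corp SSL Inspection CA"
}

if verify_as_client ca.pem www.example.com; then
    echo "client with inspection CA installed: connection accepted"
fi
if ! verify_as_client "" www.example.com; then
    echo "client without inspection CA: certificate error (untrusted issuer)"
fi
if is_inspected leaf.pem; then
    echo "leaf.pem was issued by the inspection CA"
fi
```

The second verification failing is the certificate error users report when the CA has not reached their machine, and the `is_inspected` check is the quickest way to tell an inspection-caused error from a genuinely bad site certificate. Applications that pin the real site’s certificate or public key will fail the first check as well, however the CA is distributed, which is why they need a decryption bypass rather than a trust-store fix.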
There is constant change on the Internet and the modern fight against attack and subversion requires everyone’s engagement. There will always be new and unrated web sites turning up and these will need to be dealt with. The network’s firewall needs to see all traffic or there is no point to the firewall. The right firewall with SSL inspection makes all the difference, but there will always be ongoing administration. Once again, it is not a set-and-forget solution. It is currently estimated that approximately 50% of Internet traffic is encrypted, and this is rising fast. Encrypting the Internet is a good thing; companies just need to make sure they deal with the bad encrypted traffic as well as the good.
By Paul Turnbull – Director of Security Services