SSL Encryption and Decryption
The implementation of Secure Socket Layer (SSL) decryption and encryption has become very common in the enterprise environment nowadays. SSL certificates provide a secure channel between the browser of the end-user and the destination (web)server. Most of the time, the decryption technique is therefore based on the interception of the communication between the two systems, also called the ‘man-in-the-middle attack’. In this blogpost, I want to elaborate on the widely-used SLL encryption, but also on the decryption because the need has never been so high.
The advantages of SSL encryption
As a security consultant, I want to convince people of the importance of encryption. SSL certificates contain a pair of keys: a public, and a private one. These keys collaborate to enable an encrypted connection. As the word suggests, the public key will be made publicly available and will be used to encrypt the data. The private key on the other hand, can again be decrypted. Therefore, it is of utmost importance that it is guarded and only accessible by the owner.
Another advantage of SSL certificates besides encryption, is authentication. The SSL certificates verify the identity of the server or user. This is done through a field ‘subject’ that shows visible information to the end-user regarding the identity. End-users and system administrators should know what to do in case a browser message shows up:
It is advisable not to ‘click’ to continue when you are not familiar with the page that uses an invalid certificate. In my experience, the certificates were improperly used by the network/system administrator in most cases. But, the certificate might also be revoked because of a severe security risk. It goes without saying that you should never exchange personal information when the browser indicates ‘the connection is untrusted’.
5 conditions a valid SSL certificate must meet:
- License period
The SSL certificate is only valid for a certain period. In a X.509 certificate, there are only 2 time-values: valid from and valid until, specifying the maximum certificate validity.
- Public certificate authority
The SSL certificate needs to be issued by a trusted public certificate authority. The browser usually has a list of certificates of the most well-known public certificate authorities. This is used to verity the issuer of the certificate.
- The private key
Certificates contain a public key. This key is always accompanied by a private key which is stored on the server.
- Specific domain- or hostname
The X.509 certificate is generated for a specific domain or hostname. This is specified through the values CN (Common Name) and/or SAN (Subject Alternative Name). This means you can’t reuse the same certificate for another domain- or hostname.
- Online Certificate Status Protocol (OCSP)
It must be possible to revoke a certificate when, for instance, the private-key has been compromised or when the public certificate authority has issued a certificate improperly.
All revoked certificates that were issued by a specific public certificate authority are gathered in the Certificate Revocation List (CRL) and can be consulted.
An alternative to CRLs, is the certificate validation protocol known as Online Certificate Status Protocol (OCSP). It is preferred over CRL because it has the primary benefit of requiring less network bandwidth. This enables real-time checks for high volume or high-value operations. It only queries the necessary data whereas CRL will download a complete list.
SSL Encryption – The Cons
Of course, there is no advantage without a disadvantage. Encrypting all the time is expensive! When information is constantly decrypted and encrypted, it has an impact on the performance, especially when dealing with large volumes of data. To ensure a good performance, additional hardware is required.
Furthermore, an SSL certificate can only be purchased from a public trusted authority. It validates your identity and the certificate is only valid for a specific amount of time and needs to be renewed regularly. You could state maintenance is a con here.
So, you need to find the right balance between the required security and costs. Using a load balancer in front of the web server farm could be a solution. It divides the traffic that needs to be encrypted and the traffic that does not need to be.
When to use SSL decryption?
On the one hand, encryption provides a high level of protection, but on the other hand, it brings more concerns to the network administrator. The amount of encrypted SSL websites increases year by year, as well as the lack of visibility to analyze this type of network traffic. It is very easy for a potential attacker to use an encrypted connection to hide his malicious actions, but how can you tackle this?
SSL interception or decryption on network devices for outbound connections to the internet can definitely be a solution. There are already vendors like Symantec (BlueCoat) who provide dedicated SSL services. Earlier in this blogpost, I mentioned the ‘man-in-the-middle attack’. Well, these devices could identify this encrypted traffic as a man-in-the-middle attack that breaks the encryption into two separate encrypted streams.
The end users will still experience the protection of an encrypted connection while security analysts and devices can properly monitor and alert in case of unwanted or malicious activity. What do I mean by malicious activity? Well, these actions could be anything, for instance, the downloading of infected email attachments using the web-based email service Gmail. The firewall can apply security policies to the decrypted traffic in order to detect malicious content and to control applications running on this secure channel.
This way of working is completely transparent to the end user. The webserver thinks it is communicating with the end user and in the meanwhile, there is an encrypted connection between the server and the firewall or the dedicated SSL appliance, which, in its turn, will set up a new encrypted connection with the end user.
In most organizations, this SSL decryption is deployed for outbound connections to the internet using Palo Alto Networks. I have worked with Palo Alto Networks for a long time. My experience has taught me that it easily enables SSL decryption based on different parameters such as the URL category and user group.
A similar solution is offered by Symantec. The difference is that this solution can handle much more traffic to decrypt because the hardware is dedicated to this specific security feature.
Back to Palo Alto Networks: their SSL inbound inspection feature allows the administrator to monitor and control the inbound connections for every server of which you own the SSL certificate (including the private key). This means all the encrypted connections to your webservers in the DMZ can be tracked as well.
Most customers prefer to SSL offload the inbound connections on a web load balancer like F5 LTM because it is one of the key features of this appliance, together with a better overall performance.
Palo Alto Networks works fine too for customers who prefer an all-in-one solution appliance.
SSL decryption – The cons
The administrator needs to inform the end users about their encrypted sessions which can be intercepted for security reasons. This can be done by a disclaimer which gives the end user the choice not to continue if he doesn’t agree with the decryption. Next to the internal policies of an organization, there are some legal restraints, depending on the country. Some websites, such as banking sites, may not be decrypted because the data is too sensitive.
Other cons are similar to the ones of the encryption technique: hardware cost, a potential decrease in performance and maintenance.
In summary, if you are responsible for the protection of your network, you should definitely consider the pros and cons of using the encryption and decryption technology. The ability to decrypt the outbound traffic to the internet is a real pro and I recommend it to all my customers. Don’t forget that every year, you will lose visibility and control on your network traffic if you ignore to set up the decryption feature. SecureLink has a lot of experience with these security technologies and can provide you with a suitable solution of Palo Alto Networks, Symantec and F5.