Encrypted connections are used to transfer sensitive data between two hosts over the insecure internet. Surveys show that 25% - 35% of enterprise traffic is SSL encrypted, and the number can be as high as 70% in some industries. But can SSL encrypted traffic ensure security?
Studies show that websites using SSL are in no way better protected than websites that are not encrypted. Attackers use advanced techniques to conceal their communication inside an SSL connection, and to detect and prevent those attacks we need to look inside an encrypted SSL connection to find malicious content. SSL Inspection is a technique by which encrypted SSL traffic is decrypted and sent to other security appliances, which analyze it further to detect harmful content and prevent possible damage.
How SSL can be used by attackers
If malicious communications are not encrypted, they can easily be detected by standard security appliances like IDS, IPS and firewalls. But these security tools cannot decrypt an encrypted connection and look inside it, so attackers often take advantage of that: they use SSL connections to conceal their malicious communication.
- If the initial communication for the infection arrives through an approved port and a seemingly secure browser session, it can bypass the firewall/IPS easily. In fact, it is easier to attack an organization using applications that use encryption.
- Attackers often infect computers with malware and create a botnet. They then exploit the computational resources of the infected computers for malicious purposes such as DDoS attacks, spreading malware, or further attacks. For malware families like Zeus, the communication with the botnet's Command & Control server is concealed within an SSL connection: the malware first opens an SSL connection and then uses it to send the victims' stolen sensitive data to the Command & Control server.
- An attacker can use a Cross Site Scripting (XSS) attack to steal the authentication cookie stored on a victim's computer and send it to the attacker, hiding the communication using SSL.
- Attackers can also use SSL for phishing attacks. They send malicious links to employees of an organization via email and trick them into clicking. The link may take the victims to a malicious SSL server controlled by the attackers. If the communication goes through approved ports, the firewall/IPS may not detect it, and the attackers can infect the computers with malware to create a botnet. After that, they can easily exfiltrate sensitive data such as the organization's financial account data over an encrypted SSL connection.
What is SSL Inspection?
Currently, many security devices cannot inspect encrypted traffic, and the few that can decrypt SSL traffic cause significant performance degradation and are very expensive.
SSL inspectors work with secure network gateways to monitor inbound and outbound SSL traffic. They decrypt inbound and outbound SSL traffic, including web and email communication, and send suspicious traffic to other security devices such as IDS, IPS, network forensic devices and advanced network gateways for further inspection and analysis. If the decrypted traffic is sent to active security tools like an IPS, the suspected traffic is analyzed and action is taken to prevent possible damage.
But there are cases where an SSL inspector should not decrypt certain SSL traffic, such as patient data in a hospital. So it must be able to whitelist such traffic and filter which SSL sessions are selected for inspection.
SSL inspectors should be able to process large amounts of data quickly. They usually contain high-performance compute engines with hardware accelerators for SSL processing, which lets them monitor SSL traffic in real time.
An SSL inspection appliance detects an SSL session and consults its policy to determine whether the traffic should be inspected. If the SSL traffic is suspicious, it decrypts the data and sends the decrypted data to other security tools for further analysis.
SSL inspectors typically share the decrypted SSL traffic with the following security appliances:
- IDS/IPS, firewalls and network gateways – if malicious traffic is found on further analysis by these devices, the packets are dropped and the SSL session is killed.
- Email filtering devices
- Data Loss Prevention devices – when SSL inspectors send decrypted traffic to these devices, they can do pattern matching to look for sensitive data such as social security numbers, credit card information, bank account and routing data etc. to prevent data exfiltration from an organization.
- Forensics and investigative tools
SSL decryptors can also be used for monitoring cloud services. All secure services running in the cloud look the same at the TCP/IP layer; the traffic can be differentiated only once it is decrypted.
How does SSL Inspection work?
SSL Inspection devices typically follow the steps below to monitor SSL traffic:
- An SSL Inspection device observes the exchange of public keys at the start of an SSL communication. Administrators can also load the private keys of corporate servers securely into the system.
- It intercepts inbound SSL traffic and looks at its policy to determine whether the traffic should be monitored.
- If the SSL traffic should be monitored, it decrypts the traffic and sends the suspected traffic to other security appliances for further inspection and analysis.
- The allowed decrypted SSL traffic is encrypted again and sent to corporate servers.
- Similarly, it intercepts the outbound SSL traffic and looks at its policies to determine whether it should be monitored.
- It then decrypts the SSL traffic and sends the suspected traffic to other security appliances for further inspection.
- The allowed decrypted SSL traffic is encrypted again and sent across.
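The policy step in the list above, together with the whitelisting requirement mentioned earlier (patient data that must not be decrypted), can be shown in a small Python example. This is added code, not from the article or any vendor's product: it reads the SNI host name from a TLS ClientHello record, the cleartext field an inspector can classify on before any decryption happens, and decides whether the session is bypassed or handed to inspection. The bypass list, the host names and the `build_client_hello` helper (used only to construct sample input) are assumptions.

```python
import struct

# Constructed bypass list: hosts whose sessions the inspector must not decrypt
# (e.g. a hospital's patient-data portal). Real deployments load this from policy.
BYPASS_SUFFIXES = ("hospital.example", "bank.example")

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record with an SNI extension.
    Only used here to produce constructed sample input for the parser."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type, len, name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)       # ext type, ext len
               + struct.pack("!H", len(sni_entry)) + sni_entry)    # list len, entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, sid len
            + b"\x00\x02\x13\x01"                                  # one cipher suite
            + b"\x01\x00"                                          # one compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)           # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # msg_type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:     # handshake record, client_hello
            return None
        p = 9 + 2 + 32                                  # skip headers, version, random
        p += 1 + record[p]                              # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                              # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            if etype == 0:                              # server_name extension
                nlen = struct.unpack("!H", record[p + 7:p + 9])[0]  # skip list len, name_type
                return record[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def inspection_decision(record: bytes) -> str:
    """Policy step: 'bypass' whitelisted hosts, 'inspect' everything else.
    A session with no readable SNI is inspected rather than waved through."""
    host = extract_sni(record)
    if host is not None and any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES):
        return "bypass"
    return "inspect"
```

Because the SNI is a client-supplied field, a production inspector should also tie the bypass decision to the server certificate it sees in the handshake rather than trusting the name alone.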
So, this was an article to give some basic information on SSL Inspection. Hope you liked it.