BEST PRACTICES
INSPECTING ENCRYPTED TRAFFIC
Visibility and Attack Surface Reduction
"15 percent of malware is delivered over SSL, and that number is growing."
SSL encryption is intended to make communication over the Internet between two
systems private from third-party eavesdropping. Many websites use SSL to maintain
compliance with certain privacy and security regulations, like the Health Insurance
Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security
Standard (PCI DSS), or as a proactive precautionary service for their users. A large
percentage of all network traffic is encrypted with SSL.
Because encrypted traffic is so common and, by design, private between sender and
recipient, it gives attackers an opportunity to deliver threats into a target
organization without being inspected. For example, an attacker may use a web
application such as Gmail, which uses SSL encryption, to email an exploit or malware to
employees who access that application from the corporate network or from a
company-issued device. Likewise, an attacker may compromise a website that uses SSL
encryption and use it to silently download an exploit or malware to the site's visitors.
If you're not decrypting traffic of the kind described in the examples above, you're
leaving a large hole in your network where your next-generation firewall cannot protect
against threats coming in or sensitive data going out. Beyond enforcing corporate policy
on users, visibility into encrypted traffic is crucial to confirming that it is clear
of cyberthreats.
It's understandable, however, that you may not be able to decrypt all traffic because of
the private nature of transactions to and from banking institutions, healthcare providers,
government and military organizations, and the payment card industry, for example.
You can, however, use your next-generation firewall to selectively decrypt incoming and
outgoing traffic that falls outside the personal or confidential traffic parameters set by
company policy or government regulation.
PKIs typically include certificate revocation lists (CRLs), which list certificates that have
been revoked for reasons that include improper issuance by the certificate authority (CA)
and private keys that have been compromised. PAN-OS can check for certificate status
through CRL servers, as well as through Online Certificate Status Protocol (OCSP). Enable
certificate checking within the decryption settings on the firewall to check for revoked
certificates and block access to applications that use them.
[Figure: SSL Forward Proxy. Internal Asset - NGFW - Internet.]
SSL Forward Proxy decrypts outbound traffic from internal assets, presenting the client
a server certificate re-signed with the firewall's forward trust certificate, inspects it,
and re-encrypts it toward the Internet.
[Figure: SSL Inbound Inspection. Internet - NGFW - Internal Asset.]
SSL Inbound Inspection decrypts and inspects inbound traffic, then sends
it to its destination inside the network.
No PKI Environment:
You'll need to use a self-signed certificate and deploy the trust side of this certificate
across all laptops and servers. This method of establishing trust can be difficult to
manage, especially if you have a large number of employees in remote locations,
because the certificates on those endpoints must also be maintained.
Administrator's Guide:
Keys and Certificates for Decryption Policies
Certificate Management
Choose a category you want to start with and apply a decryption profile to it. Once
you've worked through any associated issues, choose the next category you want to
decrypt. Remember to try new decryption policies on a test group first before
extending them to the rest of your organization, and identify both the specific users and
the destinations (URLs or IPs) that will need to bypass the decryption rule.
The following is a list of sensitive categories that should be bypassed for decryption:
financial-services
government
military
health-and-medicine
shopping
Eventually, an ideal decryption rule set should have a decrypt-all policy with specific
exceptions for sensitive categories and websites with decryption breakages.
Not all encrypted traffic can be decrypted by your firewall: traffic using unsupported
ciphers or client-side certificates, for example, or applications where the server
certificate is pinned in the application's source code. It's important to decide how
you're going to handle these applications. After you've set up your test group, define
a process for traffic that you currently cannot decrypt, and make it a habit to review
this process on a regular basis.
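The rollout described above (bypass rules for sensitive categories and known breakages, a pilot group first, then a decrypt-all rule, with traffic the proxy cannot terminate routed to an exception process) can be modelled as an ordered, first-match rule base. The following Python is an added example written for this page, not code from the whitepaper or from PAN-OS; the category names are the ones listed above, while the users, groups, hostnames and addresses are constructed sample data.

```python
"""Ordered decryption-policy evaluator (added example, not PAN-OS code).

Rules are evaluated top-down and the first match wins, as on a firewall.
If nothing matches, the session is left encrypted, which is why the
decrypt-all rule has to be added explicitly at the end of the rollout.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Sensitive URL categories the page says to bypass.
SENSITIVE_CATEGORIES: Set[str] = {
    "financial-services", "government", "military",
    "health-and-medicine", "shopping",
}


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    dst_host: str
    dst_ip: str
    category: str
    client_cert: bool = False      # mutual TLS: the proxy cannot impersonate the client
    cipher_supported: bool = True  # False: cipher the proxy cannot negotiate


@dataclass
class Rule:
    name: str
    action: str                    # "decrypt" or "no-decrypt"
    categories: Set[str] = field(default_factory=set)   # empty = any category
    dst_hosts: Set[str] = field(default_factory=set)    # destination exceptions
    dst_nets: list = field(default_factory=list)        # ip_network objects
    src_groups: Set[str] = field(default_factory=set)   # empty = any user

    def matches(self, f: Flow) -> bool:
        if self.categories and f.category not in self.categories:
            return False
        if self.dst_hosts or self.dst_nets:
            ip = ip_address(f.dst_ip)
            if f.dst_host not in self.dst_hosts and not any(ip in n for n in self.dst_nets):
                return False
        if self.src_groups and not (f.groups & self.src_groups):
            return False
        return True


def build_rules(rollout_all: bool) -> List[Rule]:
    """Pilot phase: bypasses plus a decrypt rule for the test group only.
    Final phase (rollout_all=True): the same bypasses above a decrypt-all rule."""
    rules = [
        Rule("bypass-sensitive", "no-decrypt", categories=SENSITIVE_CATEGORIES),
        # Constructed examples of destinations where decryption breaks the app.
        Rule("bypass-breakage", "no-decrypt",
             dst_hosts={"updates.pinned-vendor.example"},
             dst_nets=[ip_network("203.0.113.0/24")]),
        Rule("decrypt-pilot", "decrypt", src_groups={"decrypt-pilot"}),
    ]
    if rollout_all:
        rules.append(Rule("decrypt-all", "decrypt"))
    return rules


def decide(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, reason). Sessions the proxy cannot terminate are flagged
    before the rule base so the exception review process can track them."""
    if flow.client_cert:
        return ("no-decrypt", "undecryptable: client certificate")
    if not flow.cipher_supported:
        return ("no-decrypt", "undecryptable: unsupported cipher")
    for rule in rules:
        if rule.matches(flow):
            return (rule.action, rule.name)
    return ("no-decrypt", "implicit default")


# Constructed sample sessions.
PILOT_MAIL = Flow("alice", frozenset({"decrypt-pilot"}), "mail.example.net",
                  "198.51.100.10", "web-based-email")
STAFF_MAIL = Flow("bob", frozenset({"staff"}), "mail.example.net",
                  "198.51.100.10", "web-based-email")
PILOT_BANK = Flow("alice", frozenset({"decrypt-pilot"}), "bank.example.com",
                  "198.51.100.20", "financial-services")
PINNED_APP = Flow("bob", frozenset({"staff"}), "updates.pinned-vendor.example",
                  "192.0.2.5", "software-updates")
BREAKAGE_NET = Flow("bob", frozenset({"staff"}), "api.partner.example",
                    "203.0.113.77", "business")
MTLS_APP = Flow("bob", frozenset({"staff"}), "vpn.example.org",
                "192.0.2.9", "business", client_cert=True)

if __name__ == "__main__":
    for phase, rules in (("pilot", build_rules(False)), ("final", build_rules(True))):
        for f in (PILOT_MAIL, STAFF_MAIL, PILOT_BANK, PINNED_APP, BREAKAGE_NET, MTLS_APP):
            print(phase, f.user, f.dst_host, decide(f, rules))
```

Two properties of the ordering are worth checking against your own rule base: the bypass rules sit above every decrypt rule, so a pilot user's banking session stays encrypted, and traffic that cannot be proxied never silently falls through to decrypt-all.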
Administrator's Guide:
Configure Decryption Exceptions
Join the Palo Alto Networks Fuel User Group community to connect with like-minded
professionals around the globe who are ready to discuss their hard-won best practices
and trade insights. You can also get exclusive access to subject matter experts who answer
your most challenging security-related questions through online events, such as webinars
and Q&A sessions, as well as in-person events.
2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
of Palo Alto Networks. A list of our trademarks can be found at
http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.
pan-wp-best-practices-decryption-112315