
Application Note // SSL Decryption

SSL Decryption
Introduction
SSL encryption is the cornerstone technology that makes the Internet secure. Email, e-commerce, voice-over-IP, online banking, remote
health, and countless other services are kept secure with SSL. Unfortunately, most of that traffic goes uninspected because many
security and performance monitoring tools lack the ability to see inside the encrypted sessions. Monitoring application performance
and network usage patterns becomes impossible if you cannot determine which applications are running over the network. Even worse,
malware can create SSL sessions to hide its activity, confident that security tools will neither inspect nor block the traffic. The very
technology that makes the Web secure can become a threat vector.
Decrypting SSL traffic requires knowledge of the keys used for encryption. The public keys are clearly visible at the start of the transaction,
but access to the private keys is controlled by the administrator.

Key Customer Applications

SSL Decryption is required for a variety of applications:
Malware Detection: Once malware exploits a host, it can complete the kill chain using SSL transactions.
Data Loss Prevention: Whether initiated by malware or a user from inside the corporate firewall, confidential data and files can be encrypted and leaked using SSL connections.
Application Performance Monitoring: Key business applications use SSL to ensure authentication, but this obscures data required for proper monitoring.
Cloud Services Monitoring: Secure services running in the cloud, including Web applications, all look the same at the TCP/IP layer, and it is not until the SSL sessions are decrypted that they can be differentiated and monitored.

Existing Solutions
SSL decryption is available directly on some monitoring tools. However, those solutions tend to cause a severe performance degradation
and are also very expensive. Offloading SSL Decryption not only allows the tool to return to full performance, but also eliminates the need
to have multiple decryption licenses for multiple tools. Furthermore, SSL Decryption on a specific security appliance, for example,
does not help with other tools, such as application performance monitoring; Gigamon can supply decrypted traffic to both simultaneously.
Clearly, by delivering SSL Decryption as a common service to the connected monitoring and security tools, the overall efficiency, security
and performance of the infrastructure can be maximized.
Existing inline technologies, such as SSL proxies and application load balancers, provide SSL Decryption, but they are not optimized
for a visibility architecture. They lack the scalability to handle traffic from multiple TAPs across the network or to filter and replicate
decrypted traffic to multiple monitoring tools. With limited modularity or extensibility, increasing SSL throughput often requires new hardware.
Lastly, they provide no visibility functionality or traffic intelligence for non-encrypted traffic.

Copyright 2014 Gigamon. All rights reserved.


Gigamon Solution
Given that Gigamon's Visibility Fabric has access to the bidirectional traffic, it has the ability to observe the exchange of public keys
at the start of the transaction. Once the administrator loads the private keys, they are securely stored on the system. The power
of the GigaSMART traffic intelligence engine can then decrypt the traffic and forward it to tools for analysis. Each GigaSMART module
contains high-performance compute engines that have hardware performance accelerators to handle SSL traffic.
SSL Decryption is not limited to specific ingress ports or where the GigaSMART engine is located within the Visibility Fabric. Any traffic
received on any network port in the cluster of Gigamon visibility nodes can take advantage of SSL decryption. And that traffic can
be sent to any tool ports in the cluster. This is an important attribute because not every node in the cluster needs to have the
SSL Decryption capability. Additional Flow Mapping and/or GigaSMART applications can also be applied to decrypted traffic.
Furthermore, additional SSL Decryption throughput can be achieved by adding more GigaSMART modules to the cluster, allowing
inspection to grow as SSL processing needs increase.
Because SSL traffic can contain sensitive user data, special care must be taken to ensure that this data remains secure. After decrypting
the packets, they can be sliced to remove irrelevant or private payload data. Alternatively, fields within the payload can be masked.
In both cases, private data is never stored, read, or analyzed by the monitoring tools. This helps keep networks within regulatory
compliance and greatly simplifies the auditing process.
Proper handling of the private keys is vital to maintain security compliance. Gigamon only allows keys to be uploaded, changed,
or deleted by users designated by the administrator. Keys are encrypted using a special password which is distinct from the generic
system admin password.

The Steps to SSL Decryption

1. Tap the network and connect it to Gigamon's Visibility Fabric.
2. Select which flows to monitor; the GigaSMART engine will identify the exchange of public keys at the start of the transaction.
3. The private keys, which have been uploaded by the administrator, are encrypted and stored under tight password and role-based access controls.
4. GigaSMART then uses the private and public keys to decrypt the SSL traffic.
5. The clear packets can be sent directly to your monitoring tools, or additional Flow Mapping and GigaSMART operations can be applied.

Figure 1: The steps to SSL Decryption


Key Features
First in the Industry to Integrate SSL Decryption into a Unified Visibility Fabric Architecture
  - Decrypt traffic from anywhere within the Visibility Fabric and send it to any connected tools
  - Flow Mapping directs any user-defined flows, not just those on port 443, for decryption
Extensible, High-Throughput Solution
  - GigaVUE-HD4/8: 4M sessions, 5 Mpps per GigaSMART module
  - GigaVUE-HC2: 2M sessions, 2.5 Mpps per GigaSMART module
  - GigaVUE-HB1: 500k sessions, 0.6 Mpps
SSL3 & TLS 1.0 Support
  - Public key algorithm: RSA
  - Symmetric key algorithms: AES, 3DES, DES
  - Hashing algorithms: MD5, SHA1
SSL Decryption Statistics
  - Idle sessions and reusable keys
  - Session-level stats: packets, discards, errored packets, resumptions
Secure Storage of Private Keys
  - Encryption with an independent password
  - Restricted key access based on role-based access controls

Key Benefits
Obtain Visibility to Encrypted Traffic
  - Enable malware detection, intrusion detection, data loss prevention, and network forensics
  - Send clear traffic to application performance management, network performance monitoring, and customer experience management tools
Integrate SSL Inspection into a Multi-Tiered Security Solution
  - Prevent malware from hiding within uninspected SSL sessions
  - Forward any traffic that does not match known flows to GigaSMART for decryption
  - Decrypt traffic from the cloud and/or remote sites
Improve Tool Performance
  - Offload SSL Decryption to the Visibility Fabric, freeing tool resources for packet analysis
  - Apply decryption once for all tools rather than separately on each tool
Chain Multiple GigaSMART Applications Together
  - Terminate tunnels sent from GigaVUE-VM, remote sites, and/or ERSPAN
  - Apply Flow Mapping and SSL Decryption
  - Use Adaptive Packet Filtering for L7-based packet forwarding
  - Obscure private data with packet slicing or masking


Figure 2: Combine SSL Decryption with GigaSMART services such as de-tunneling and Adaptive Packet Filtering

Summary
SSL is a vital Internet technology upon which more and more applications will rely. However, it severely limits visibility for both
performance and security monitoring. The growing security threat posed by uninspected SSL sessions increases the urgency of
inspecting SSL traffic. By decrypting SSL traffic for out-of-band monitoring, Gigamon provides visibility where none existed. Rather than
turning a blind eye to SSL traffic, the full capabilities of Flow Mapping and GigaSMART traffic intelligence can be applied.
Decrypting SSL is a tremendous processing burden for monitoring tools that do it themselves; this greatly inhibits tool performance
and increases the cost of monitoring. By supplying clear, decrypted traffic to multiple tools, Gigamon provides immediate value and return
on investment in capital expenditure, licensing fees, and management costs.

About Gigamon
Gigamon provides an intelligent Visibility Fabric architecture to enable the management of increasingly complex networks.
Gigamon technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic
across both physical and virtual environments without affecting the performance or stability of the production network.
Through patented technologies, centralized management and a portfolio of high availability and high density fabric nodes, network
traffic is intelligently delivered to management, monitoring and security systems. Gigamon solutions have been deployed globally
across enterprises, data centers and service providers, including over half of the Fortune 100 and dozens of government and state
and local agencies.
For more information about the Gigamon Visibility Fabric architecture visit: www.gigamon.com

Copyright 2014 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at
www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Gigamon | 3300 Olcott Street, Santa Clara, CA 95054 USA | PH +1 (408) 831-4000 | www.gigamon.com

4035-01 10/14
