How SSL Decryption Provides Increased Network Visibility
Nowadays, everyone is concerned about security. This is no surprise with all of the breaches and stolen data that we hear about. The most common way to provide a secure connection is with SSL encryption. This is being expanded on with the rise of TLS encryption as well. What this technology essentially does is establishes a secure connection between your workstation and a remote device, such as a web server. That’s great for the end user, but as a network administrator, if that traffic is encrypted, how are you going to see what the traffic is, where it is destined for, or if it’s malicious? SSL Decryption, that’s how. Companies such as Gigamon provide a way to use a network appliance to perform a sanctioned man in the middle (MITM) capture of the traffic on your network and gain the visibility you require.
Sanctioned man in the middle capture?
A sanctioned man in the middle capture is similar to a technique a hacker may use in that you can intercept secure traffic and analyze it in plain text. Using this method in a sanctioned manner allows you as the network administrator to keep a steady eye on the traffic traversing your network. I recently had the privilege of attending Network Field Day 15 to see a company that specializes in this area, called Gigamon. There was one slide on their presentation that really explained how this process works. I am going to focus on their solution as a prime example of a good method of SSL decryption.
Gigamon Appliance Solution
Gigamon uses an appliance on your network to facilitate the SSL \ TLS decryption. Instead of each computer establishing a secure connection to the remote web servers, the secure connection is made with the Gigamon appliance. The appliance then makes a secure connection to the web server on its own to complete the end to end security. This allows the Gigamon appliance to receive the traffic, process it in an un-encrypted state, and then re-encrypt for delivery to the remote server. There is one MAJOR point that needs to be understood. Users will need to accept and trust an SSL certificate from the Gigamon appliance, otherwise they will receive an untrusted certificate error. This is because they will be making a secure connection with the Gigamon device now instead of directly to the remote server. The Gigamon appliance root certificate can easily be pushed with a group policy to those devices capable of accepting a GPO update. But just keep that whole process in mind (I’ll cover that later).
So, about that diagram from Gigamon I was talking about, here is what it looks like:
That diagram breaks down the connection process. Step 1. Client creates a connection to a secure website. This request is intercepted by the Gigamon device which replies for a secure connection. The client sends the secure data to the Gigamon device. Step 2. This data is decrypted by the Gigamon device (since it provided the certificate) and then is shared with other network analysis tools you may have such as an IPS system or NGFW. Step 3. Once analyzed, if permitted, the traffic is re-encrypted with a certificate from the remote server and the connection is completed like normal. Step 2 is the key point where your network analysis tools are now able to view and analyze secure network traffic in an un-encrypted state.
Obviously that is a very high level overview, but I will share the Network Field Day 15 videos below, so you can watch the same presentation I was a part of and learn for yourself. The first video specifically explains the process of traffic interception and how the Gigamon appliance hands outs the certificates.
Thoughts on the Tech
I think Gigamon has a great product that works very well from the demos we received. There’s no doubt the end to end connection process they demonstrated works. When I mentioned though that each device much trust the certificate from the Gigamon appliance, I wanted that point to sink in. You may have devices in your environment you can’t push a certificate to. In those cases, those users would receive an untrusted certificate error every time they go to a secure site unless this certificate is manually added and trusted. An example when this would apply would be a guest environment. That being said, you may choose to not do this on your guest environment since it would be segmented from the rest of your network.
That whole issue about needing to trust and accept the certificate is the only real issue I have with the Gigamon solution. I know in the network I manage, there definitely are devices that can’t handle a GPO push of a certificate. It would be a VERY manual process to get the certificate to all of these devices. It’s just something else that needs to be considered. You could easily plan ahead and put these types of “special” devices on an un-monitored subnet for instance. You just need to be aware, and plan it out.
Network security is all about visibility. Having the ability to gain insights into SSL traffic is taking your network security to the next level. Allowing the tools such as IPS systems or a NGFW to filter this traffic would increase your security by great numbers since the amount of SSL \ TLS encrypted traffic is ever growing.
That’s my review of the process of SSL Decryption and specifically, Gigamon’s appliance solution and how it works. I think there is great value in this type of tech and it will only become more common in the future as more and more devices work to more to a secure state. With that said, I will leave you one key stat from Gartner (gartner.com Predicts 2017). They are estimating by the year 2019, 80% of enterprise network traffic will be encrypted. Can you afford not to have visibility to 80% of your environments traffic? If not, you might want to check out technology from a company like Gigamon.
To learn more about Gigamon specifically, view the presentation videos from Network Field Day 15 below.
Disclaimer: Gestalt IT, organizers of Network Field Day was responsible for my travel expenses to attend Network Field Day. I do not receive any cash compensation as a delegate from either Gestalt It or any of the mentioned vendors. All opinions are my own.