By Erik Hjelmstad
As the internet has grown from a simple way for a few scientists to communicate and exchange data into a ubiquitous communication and commerce tool for billions of people, the need to protect the privacy of those communications has grown with it. Encryption has become essential to sending and receiving data safely over the internet, and even on internal networks communications are routinely encrypted so that a compromise of the network does not also compromise the data. So why would anyone want to decrypt traffic on an internal network, when doing so obviously reduces the privacy and confidentiality of that information? The main reasons are to increase visibility into specific protocols and to be able to inspect and analyze malicious traffic. In other words, selectively reducing the confidentiality of certain traffic can increase the safety of the network as a whole.
Increasing protocol visibility
Application monitoring appliances are designed to let the end user troubleshoot problems on the network. These tools show the different types of transactions taking place, when a client first establishes communication with a server, and the sequence of commands exchanged between the two. A lot of information can be obtained with products like nGeniusONE, but when the data is encrypted the appliance can see far less than it can with plaintext. HTTP versus HTTPS is a good example. With HTTP, an application monitor can report every GET, PUT, POST and DELETE request sent to the server, along with the server's status code and response time for each one. With HTTPS, all of those requests are hidden inside the TLS session; the appliance can report only what is sent in the clear during the handshake (the server name, the negotiated cipher suite and, in TLS 1.2 and earlier, the server certificate, which TLS 1.3 also encrypts) plus volume and timing statistics.
Spotting malicious traffic
Checking for malicious activity is another situation where it is important to be able to decrypt and inspect encrypted traffic. Many security appliances can detect reverse shells, injected code and command-and-control (C2) callbacks, but the content-based methods they rely on (payload signatures, URL and header inspection, file extraction) only work on plaintext. Most IDS and IPS appliances and other tools designed to detect malicious traffic are therefore much less useful, if not useless, when the traffic is encrypted. This makes it essential to decrypt traffic that is being sent to and from unknown internet servers.
For example, some vendors use the Sequence of Packet Lengths and Times (SPLT) of a flow, combined with information about which protocol versions and cipher suites are being negotiated, to infer that malware is present without decrypting the flow. To be clear, this is a valid approach for detecting many types of malware, and periodic C2 check-ins in particular, but these methods only see the shape of the conversation. Anything that is visible only in the payload, such as what a request actually carries, is beyond them, so they simply cannot detect many other attack-chain behaviors.
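The following is an added example, not code from the original post or from any vendor's product, showing what SPLT actually works with: a feature vector of signed packet lengths and inter-packet gaps that needs no plaintext at all. The two flows are constructed for the example (not captures), and the beaconing heuristic built on top of the features is an assumption made here for illustration, not a published detection algorithm. Note what it cannot tell you: the 93-byte request it flags could be anything.

```python
import statistics

# Constructed sample flows (illustrative, not captures). Each packet is
# (seconds since flow start, direction, TCP payload bytes); "c2s" is client to
# server, "s2c" server to client. Both begin with a TLS handshake; afterwards
# one flow checks in every ~60 s with an identical-size request, the other
# looks like ordinary browsing.
BEACON_FLOW = [
    (0.00, "c2s", 517), (0.05, "s2c", 1400), (0.07, "c2s", 93), (0.11, "s2c", 312),
    (60.02, "c2s", 93), (60.06, "s2c", 312),
    (120.01, "c2s", 93), (120.05, "s2c", 312),
    (180.03, "c2s", 93), (180.07, "s2c", 312),
]
BROWSING_FLOW = [
    (0.00, "c2s", 517), (0.04, "s2c", 1400), (0.06, "c2s", 345),
    (0.31, "s2c", 1400), (0.32, "s2c", 1400), (0.33, "s2c", 880),
    (2.90, "c2s", 412), (3.20, "s2c", 1400), (3.21, "s2c", 602),
    (7.80, "c2s", 398), (8.05, "s2c", 1400), (15.10, "c2s", 430), (15.40, "s2c", 950),
]


def splt(flow, n=10):
    """Sequence of Packet Lengths and Times for the first n packets: signed
    payload lengths (positive c2s, negative s2c) and the gap to the previous
    packet. Nothing here needs the plaintext, which is why it survives encryption."""
    pkts = flow[:n]
    lengths = [size if direction == "c2s" else -size for _, direction, size in pkts]
    gaps = [round(t2 - t1, 3) for (t1, _, _), (t2, _, _) in zip(pkts, pkts[1:])]
    return lengths, gaps


def beacon_features(flow, max_jitter=0.1, min_same_size=0.75):
    """Illustrative periodicity heuristic built on SPLT (an assumption for this
    example, not any vendor's algorithm): client requests after the handshake
    that recur with a near-constant period and identical sizes look like a C2
    check-in. It says nothing about what those requests contain."""
    c2s = [(t, size) for t, direction, size in flow if direction == "c2s"][1:]  # drop ClientHello
    periods = [b[0] - a[0] for a, b in zip(c2s, c2s[1:])]
    if len(periods) < 3:
        return {"beacon": False, "jitter": None, "same_size": None}
    jitter = statistics.pstdev(periods) / statistics.mean(periods)  # coefficient of variation
    sizes = [size for _, size in c2s]
    same_size = max(sizes.count(s) for s in set(sizes)) / len(sizes)
    return {
        "beacon": jitter <= max_jitter and same_size >= min_same_size,
        "jitter": round(jitter, 4),
        "same_size": round(same_size, 2),
    }


if __name__ == "__main__":
    for name, flow in (("beacon", BEACON_FLOW), ("browsing", BROWSING_FLOW)):
        print(name, splt(flow, 6), beacon_features(flow))
```

Run as a script, it prints the feature vectors and flags only the periodic flow; the same request sizes and timing would be produced by a legitimate polling client, which is exactly the gap that payload inspection closes.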
Ultimately, you must be able to decrypt network communications to confidently detect and respond to many common threats. True network traffic analysis for the enterprise requires the ability to decrypt approved traffic for analysis. Fundamentally, what is the point of investing in advanced detections, machine learning and behavioral analysis if they operate only on the metadata of the conversation rather than on the full packet data?
When not to decrypt
Although there are many good reasons for decrypting traffic, there are also situations where traffic should probably not be decrypted. No organization is immune to the threat of a security breach, and encryption is a major safeguard for confidential information such as patient data, cardholder data and, ultimately, your organization's reputation. Terminating that encryption on an inspection device creates a new place where the plaintext can be exposed, so certain traffic should be left alone: anything containing PII, and the following traffic types:
- Credit card data, bank account information, and most financial transactions.
- Health and human services information.
- Online shopping from reputable (known) shopping sites.
- Some government and legal communications.
Finally, most companies allow employees to use the internet for personal purposes as long as it does not interfere with normal work, and some employees will conduct personal financial transactions across the corporate network. It would be inappropriate to decrypt private communications such as personal email or financial transactions without telling employees that this is happening, and even when employees have been told that their internet traffic is being decrypted, it is probably still not acceptable to decrypt their financial transactions.
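The following is an added example, not code from the original post or from NETSCOUT, showing where a selective-decryption policy of the kind described here actually gets its decision from: the Server Name Indication (SNI) in the TLS ClientHello, which the client sends in the clear before any key exchange, matched against a bypass list of the categories above. The bypass suffixes, the category names and the choice to decrypt sessions that carry no server name are assumptions made for the example; the ClientHello is constructed inline rather than captured. It also illustrates the earlier point about protocol visibility: the server name and the offered cipher suites are essentially all a monitor can read from an HTTPS session without decrypting it.

```python
import struct

# Bypass list keyed by DNS suffix: an assumption for this example. A real product
# would use URL-category feeds; these names are constructed, not real sites.
BYPASS_SUFFIXES = {
    "bank.example": "financial",
    "clinic.example": "health",
    "shop.example": "known retailer",
}


def build_client_hello(sni, cipher_suites):
    """Construct a minimal TLS 1.2-style ClientHello record with an SNI extension.
    This is constructed test input, not a packet capture."""
    name = sni.encode()
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name  # name type 0 = host_name
    sni_ext = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext    # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (
        b"\x03\x03" + bytes(32)                      # client_version, random
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the SNI and offered cipher suites from a ClientHello record, or {}
    if the bytes are not one. Everything read here is unencrypted by design."""
    if len(record) < 9 or record[0] != 0x16:         # ContentType handshake
        return {}
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                 # HandshakeType client_hello
        return {}
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(data) >= 5:        # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"sni": sni, "cipher_suites": suites}


def decryption_decision(record):
    """Decide whether a dedicated decryption device should intercept this session.
    The decision must be made here, from the cleartext handshake, because once
    the device lets the original handshake through it can no longer step in."""
    info = parse_client_hello(record)
    if not info:
        return {"action": "pass", "reason": "not a TLS ClientHello"}
    sni = info["sni"]
    if sni is None:                                  # policy choice assumed for this example
        return {"action": "decrypt", "reason": "no server name to classify"}
    for suffix, category in BYPASS_SUFFIXES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return {"action": "bypass", "reason": category, "sni": sni}
    return {"action": "decrypt", "reason": "uncategorized destination", "sni": sni}


if __name__ == "__main__":
    for host in ("online.bank.example", "portal.clinic.example", "cdn.unknown.example"):
        print(host, decryption_decision(build_client_hello(host, [0x1301, 0xC02F])))
```

Two caveats a practitioner would add: the suffix match has to be anchored on a dot boundary (as above) so that a look-alike such as notbank.example does not inherit the bank's bypass, and with TLS 1.3 the server certificate is encrypted while Encrypted Client Hello hides the SNI as well, so a production policy engine also needs inputs that are not in the handshake, such as DNS resolution and destination IP reputation.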
As you can see, while there are situations where it is essential or even required to decrypt network traffic, there are also scenarios where the opposite is true. Deploying dedicated decryption technology that decrypts only the traffic that needs to be decrypted is crucial both for securing your network and for protecting the privacy of your users. In practice the decrypt-or-bypass decision has to be made from the unencrypted parts of the handshake, such as the server name, before the session is intercepted, so the policy engine is the heart of such a product. Although many next-generation firewalls (NGFWs) are capable of decryption, they do not decrypt nearly as effectively or efficiently as a dedicated decryption product.
View the BrightTalk webinar: Monitoring Encrypted Traffic to Ensure Efficiency and Availability.
Erik Hjelmstad is senior technical marketing engineer at NETSCOUT.