Ixia-SV-WP-Role of Active SSL Decryption


The Role of Active SSL Decryption

In Network Monitoring
WHITE PAPER
NEW MONITORING CHALLENGES RESULT FROM DATA ENCRYPTION
Secure Sockets Layer (SSL) technology significantly impacts the way IT departments monitor their networks. As of the end of 2016, Sandvine Research estimates that almost 70% of Internet traffic is now encrypted.1 Data that could once be captured and sent to security and monitoring tools for analysis is now completely unreadable by those tools. This creates a major source of blind spots within your network that include hidden sources of security threats operating without your knowledge.

While decryption of the data would be the most obvious answer, most IT organizations struggle with the following problems:

• They have multiple, often more than three, tools that need to see
decrypted (clear text) traffic which causes a significant burden
• Decryption (and re-encryption) has a high CPU resource tax making
it inefficient to run this SSL function on multiple security tools
• The serial chaining of multiple security tools together while properly
handling and protecting clear-text traffic is difficult
• Maintaining the isolation of clear-text traffic for regulatory
compliance is often difficult

Technology, like a network packet broker (NPB) with SSL decryption capability,
can be used to correct these problems by decrypting network data, aggregating
and filtering the data, data masking as needed, and then distributing it to the
proper security and monitoring tools for analysis. The data is then re-encrypted
by the NPB without impacting tool performance or causing compliance issues.

1 “2016 Global Internet Phenomena Report,” Sandvine Inc., 2016

26601 W. Agoura Road | Calabasas, CA 91302 USA | Tel + 1-818-871-1800 | www.ixiacom.com Page 1
915-8183-01-7071 Rev A
HTTPS - THE SOLUTION FOR ONLINE PRIVACY
HTTPS, which includes both the original SSL standard and the updated Transport Layer Security (TLS) standard, is intended to secure Internet-based communications. While SSL was developed in 1994 for encrypting Internet data, it did not go mainstream until Facebook adopted it in 2013 and Google started penalizing business website rankings in 2014 if the protocol wasn’t used. In addition, web applications, Office 365, and cloud-based traffic have also accelerated the adoption of SSL encryption.

Other huge drivers include regulatory and compliance initiatives. One example is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which mandates the use of TLS 1.0 or higher. The Payment Card Industry has also mandated the use of TLS in their PCI-DSS standard. In fact, PCI mandates the migration to a more secure version of TLS (TLS 1.1 or higher) by June 30, 2018.

Improvements to SSL technology like the use of ephemeral keys, where new
encryption keys are exchanged between the server and clients for each session,
have increased the security and effectiveness of data encryption and are also
increasing adoption of the technology. In fact, all of these factors have increased
the proliferation of SSL for security of online browsing and data storage. However,
as we shall see, the use of encryption is not without its perils.

THE PROBLEM WITH SSL ENCRYPTION
While the use of SSL has helped to encrypt data from prying eyes, it is now being used by bad actors to obscure security threats as well. In a May 2016 study, “Hidden Threats in Encrypted Traffic,” the Ponemon Institute found that 40% of cyberattacks leveraged SSL encryption to bypass traditional security solutions.2 And according to Gartner, over 50% of security attacks will use SSL and TLS by the end of 2017 to cover up malware threats and command and control (CNC) transmissions.3

For security and troubleshooting purposes, organizations must examine the traffic on their networks. Unfortunately, firewalls, intrusion prevention systems (IPS), monitoring tools, and other equipment do not understand encrypted traffic. So, to actually inspect the traffic, it must first be decrypted before it can be analyzed. This often exacts a significant performance penalty.4 Depending upon where and how this decryption takes place, it will create different, sometimes significant, burdens on the network infrastructure to decrypt and process the data. The key to avoiding the decryption pitfall is to create a visibility architecture that can be used to effectively decrypt the necessary data and efficiently deliver it to where it needs to go, without causing a performance burden or significant time delay.

2 “Uncovering Hidden Threats Within Encrypted Traffic,” Ponemon Institute, 2016.
3 SSL Encryption: Keep Your Head in the Game
4 Rising SSL traffic to degrade firewall performance

OVERCOMING THE SSL SECURITY THREAT
To overcome the encryption security threat, businesses need to decrypt the
traffic crossing their network and analyze it. There are two popular methods
to achieve this: active decryption and passive decryption. Here is a review of
both approaches.

PASSIVE SSL DECRYPTION
Passive SSL relies on static (rather than ephemeral) keys, and forces the IT department to copy the encryption keys from the target servers onto the decryption device. This is typically used for decrypting inbound connections from users on the Internet to internal servers. Once the decryption device has the keys, the device can decrypt traffic which can then be passed on to security and monitoring tools (like an intrusion detection system (IDS), data loss prevention (DLP), web application firewall (WAF), etc.) for analysis in clear text format. This mechanism is referred to as “passive” because the decryption device is not an active part of the SSL connection; it can decrypt traffic by merely observing it go past.

As shown in the picture below, passive decryption is for inbound-only traffic monitoring scenarios (i.e. out-of-band monitoring solutions) and does not allow for the encryption/re-encryption of outbound communications.

Figure 1: Passive Decryption. The sender encrypts with the server's RSA public key; a network tap behind the firewall and network switch copies the encrypted traffic to the network packet broker (NPB), which decrypts it with the RSA private (static) key and delivers the decrypted traffic to the forensic tool, IDS, DLP and monitoring tools, while the recipient decrypts the original stream with the same private key.

ACTIVE SSL DECRYPTION
Active SSL decryption is a “man in the middle” approach where the off-network server communicates directly with the decryption device to exchange encryption keys. In this scenario, IT personnel do not have to get involved to manually load decryption keys, as ephemeral keys can be supported.

Once the clear text data is analyzed for security threats, the good data can be re-encrypted and sent on to its destination within the business’ network. In this instance, the SSL decryption device digitally signs the keys and negotiates the decryption keys with the endpoint device on the network, for decryption at the endpoint, and is transparent to the recipient.

When using this scenario, decryption/encryption can be supported in both directions, i.e. for inbound and outbound network traffic. This means that both inline and out-of-band security and encryption tools can be used to analyze the network traffic.
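The distinction the two sections above draw (static RSA keys that a passive device can decrypt by observation, versus ephemeral keys that only an in-path device can handle) is visible in the cipher suite a server negotiates. The following Python script is an added example, not code from this paper or from Ixia's products: it parses a TLS ServerHello record and reports whether passive decryption with the server's private key is even possible for that session, then tallies the result across a set of sessions so a team can see how much of its traffic a passive deployment would leave unreadable. The cipher-suite values come from the IANA TLS registry; the ServerHello bytes are constructed inline by `build_server_hello` rather than captured, and the function names are this example's own.

```python
"""Added example: decide from a TLS ServerHello whether passive (static-key) decryption
can work for a session, or whether only active (in-path) decryption can. Not Ixia code."""
import struct
from collections import Counter

# Cipher-suite values from the IANA TLS Cipher Suites registry (representative subset).
STATIC_RSA_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}   # TLS_RSA_WITH_*
EPHEMERAL_SUITES = {0x0033, 0x0039, 0x009E, 0x009F,                            # TLS_DHE_RSA_*
                    0xC013, 0xC014, 0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8}    # TLS_ECDHE_*
TLS13_SUITES = {0x1301, 0x1302, 0x1303}
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a ServerHello (RFC 5246 / RFC 8446 layout)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]      # legacy_version in TLS 1.3
    pos = 2 + 32                                       # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                           # cipher suite + compression method
    if pos < len(hello):                               # optional extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                # TLS 1.3 signals the real version here, not in the legacy field.
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher_suite": suite}


def classify(hello: dict) -> str:
    """'passive-possible' if the server's static RSA private key decrypts the session,
    'active-only' if the key exchange is ephemeral and an in-path decryptor is required."""
    suite = hello["cipher_suite"]
    if hello["version"] >= TLS13 or suite in TLS13_SUITES:
        return "active-only"          # TLS 1.3 has no static-RSA key exchange at all
    if suite in STATIC_RSA_SUITES:
        return "passive-possible"
    if suite in EPHEMERAL_SUITES:
        return "active-only"
    return "unknown"


def coverage_report(records) -> Counter:
    """Tally how many observed sessions each decryption mode could cover."""
    return Counter(classify(parse_server_hello(r)) for r in records)


def build_server_hello(cipher_suite: int, tls13: bool = False) -> bytes:
    """Constructed sample ServerHello for demonstration; not captured traffic."""
    hello = struct.pack("!H", TLS12) + bytes(range(32)) + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"               # suite, null compression
    if tls13:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13)
        hello += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", TLS12, len(body)) + body


if __name__ == "__main__":
    samples = [build_server_hello(0x002F), build_server_hello(0xC02F),
               build_server_hello(0x1301, tls13=True)]
    print(coverage_report(samples))   # Counter({'active-only': 2, 'passive-possible': 1})
```

In practice the records would come from a capture of the monitored segment; a tally dominated by "active-only" is the signal that a static-key passive deployment will miss most sessions and that the active, NPB-based approach the paper goes on to describe is the one that fits.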

Figure 2: Active Decryption. Traffic from the sender passes through the firewall, a bypass switch and the network switch to the NPB, which negotiates ephemeral keys with the sender using its own private key, decrypts the traffic for the forensic tool, IPS and DLP, then re-encrypts it toward the recipient, which decrypts it with its private key.

THREE SCENARIOS FOR ACTIVE SSL DECRYPTION
Due to the key exchange simplicity (from an IT personnel perspective) of active SSL decryption and the ability to be used for both inline and out-of-band monitoring solutions, active SSL decryption is the most popular decryption scenario. It is also the only solution applicable to connections using ephemeral keys. So what are some of your options? As detailed below, there are three common decryption scenarios.

PURPOSE BUILT DECRYPTION DEVICE
The first type of solution includes the category of purpose-built decryption
devices. This type of solution excels in high volume transaction scenarios at high
speeds. Typically, these solutions come with a high price tag to match the high
performance. Since these devices are purpose built, once they are added to the
network architecture they can create complexities when it comes to forwarding
the decrypted data to multiple, sequential inspection tools (firewall, IPS, DLP,
etc.), then redirecting the data back to the decryption device for re-encryption,
and then the reintroduction of that data back into the network. These solutions
typically have fairly basic capabilities to complement their SSL engines.
DECRYPTION INTEGRATED INTO SECURITY TOOLS
In contrast to the purpose built device, some security tools, like firewalls and IPS systems, can be upgraded to include integrated SSL decryption capability. Unfortunately, studies have shown that there can be a significant performance impact (up to an 81% drop in CPU processing capability) for devices that have this decryption feature turned on.5

This creates a significant network performance impact that will result in the costly purchase of additional security tools, i.e. additional firewalls in this case, to process the same amount of network traffic. As a result, an IDC survey found that only 25% of the companies surveyed actually use SSL decryption to inspect inbound and outbound communications for potential threats. Also, the decryption capability was not applied to all traffic, just some of it.6

For enterprises who have adopted the industry best practice of “defense in
depth,” relying on encryption built into multiple security devices has additional
penalties. Forcing multiple inline devices to each decrypt and re-encrypt data
has obvious performance and latency impacts.

DECRYPTION INTEGRATED INTO AN NPB
The third approach is to deploy a network packet broker. In contrast to the purpose built device, an NPB can essentially deliver one stop shopping. Data can be aggregated from multiple sources, decrypted by the NPB itself, and then distributed to the proper security and monitoring tools for analysis. Data can also be filtered and load balanced, if needed, at the same time, and data decryption can be performed at line rate. Since the NPB decryption scenario does not place any decryption responsibility on the security and monitoring tools, those tools continue to function at optimum capability. If the decryption function needs to be disengaged, the feature is simply turned off. There is no need to take the network down or reroute data. For inline monitoring scenarios, the NPB can then effortlessly reintroduce the analyzed traffic back into the network for further propagation downstream.

5 NSS Labs Analyst Brief “SSL Performance Problems,” Pirc, John W., 2013.
6 “The Blind State of Rising SSL/TLS Traffic: Are Your Cyber Threats Visible?,” IDC, Robert Westervelt, July 2016.

With this decryption scenario, the NPB offers a cost effective alternative to both the purpose-built and the security plus decryption tool scenarios discussed previously. While performance at large scale can be less than the purpose built scenario, the NPB filtering, masking, and distribution capabilities for the data are far superior to purpose-built solutions. In addition, network traffic performance delays caused by the introduction of multiple, serially connected devices for SSL decryption are eliminated. These multi-component delays can add up and create noticeable delays for real-time traffic like voice and video. Thus, the integrated NPB approach provides excellent value across all decryption performance ranges.

OPTIMIZING THE MONITORING ARCHITECTURE FOR SSL
It is important to pick the right decryption scenario for your network. The solution needs to be flexible as well as easy to deploy. A clear set of objectives is required as well. For instance, which of the following capabilities are required for your deployment?

• Extremely high or medium to high data throughput for SSL decryption
• Applications that require minimal data delay
• A cost effective solution
• Easy installation and maintenance
• Minimal impact to the network service to disengage SSL decryption
• Additional features like data aggregation, data distribution, packet filtering, load balancing, and deduplication of decrypted data
• Encryption details and application data reported over NetFlow

Once you know these answers, you can select one of the three decryption methods
above that gives you the right solution at the right price for your network.

SUMMARY
Most enterprise applications are now encrypted and the use of SSL encryption is here to stay. While SSL provides some protection of network data and improves security and compliance initiatives, it does have its drawbacks. Encryption itself can introduce hidden security risks. For instance, the use of encryption to hide malware is growing rapidly. In addition, encryption makes the analysis of troubleshooting and performance monitoring data much more difficult.

Decryption of network traffic at the enterprise is one of the newest capabilities to counteract this danger. Network packet brokers are a key piece of functionality to help enterprises and service providers optimize their visibility architecture and maximize the return on their investment for the following reasons:

• Integrated SSL decryption within an NPB is simpler and easier than other alternatives
• NPBs have no performance impacts for decryption and re-encryption
• The NPB easily connects dozens of security tools to the traffic they need to inspect
• Isolation of clear-text traffic can be maintained by the NPB
• The NPB solution delivers highly resilient security processing with load-balancing of tools and fail-open behavior

One of the dangers with SSL decryption is that it makes sensitive data available
to anyone with access to network monitoring tools. This is a common problem
for monitoring data stored in DLPs, logs, and other databases, as it often violates
regulatory compliance mandates. Network packet brokers can be used to mask
data that doesn’t need to be exposed, to ensure regulatory compliance at all times.
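The masking step described here is what keeps decrypted payloads from leaking regulated data into every tool and log downstream of the NPB. As an added example (not Ixia's code, and not how any particular NPB implements masking), the Python below masks payment-card numbers in a decrypted HTTP request before it would be forwarded: it finds candidate digit runs, keeps only those that pass the Luhn checksum so that order numbers and other identifiers stay readable, and replaces all but the last four digits while preserving the original separators. The request text is constructed for this example, not captured traffic, and `mask_payload` and `luhn_ok` are this example's own names.

```python
"""Added example: mask payment-card numbers (PANs) in a decrypted HTTP request before it
is handed to monitoring tools. Not Ixia/NPB code; the sample request is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_match(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                        # e.g. an order id: leave it readable
    cutoff = len(digits) - 4              # keep only the last four digits
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > cutoff else "X")
        else:
            out.append(ch)                # preserve the original separators
    return "".join(out)


def mask_payload(request: str) -> str:
    """Mask PANs in the HTTP body; the header block is forwarded unchanged so that
    downstream tools can still parse the request."""
    head, sep, body = request.partition("\r\n\r\n")
    if not sep:                           # no header/body split: treat it all as body
        return PAN_RE.sub(_mask_match, request)
    return head + sep + PAN_RE.sub(_mask_match, body)


# Constructed sample request: one Luhn-valid test PAN and one 16-digit order id.
SAMPLE_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "card=4111 1111 1111 1111&order=1234567890123456&amount=19.99"
)

if __name__ == "__main__":
    print(mask_payload(SAMPLE_REQUEST))
```

The Luhn filter is the important design choice: masking every long digit run would also hide order numbers, timestamps and session identifiers that the IDS, DLP and forensic tools need, while masking only checksum-valid runs removes exactly the field that compliance mandates say must not be stored in logs.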

The combination of these feature sets allows the NPB to deliver a broad set of
value-added features at a very cost effective price point.

IXIA WORLDWIDE: 26601 W. Agoura Road, Calabasas, CA 91302; (Toll Free North America) 1.877.367.4942; (Outside North America) +1.818.871.1800; (Fax) 1.818.871.1805
IXIA EUROPE: Clarion House, Norreys Drive, Maidenhead SL64FL, United Kingdom; Sales +44.1628.408750; (Fax) +44.1628.639916
IXIA ASIA PACIFIC: 101 Thomson Road, #29-04/05 United Square, Singapore 307591; Sales +65.6332.0125; (Fax) +65.6332.0127
www.ixiacom.com

© Keysight Technologies, 2017