Addressing the Peter Parker Principle in TLS Inspection

Jay Kelley
Published December 09, 2019

“With great power comes great responsibility.” Acknowledging Voltaire and Churchill, the quote is best known from the “Spider-Man” comics, attributed to Peter Parker’s Uncle Ben. Of course, part of the line’s cultural prevalence is that it can be applied to any number of situations and topics, including—as indicated by the title—TLS inspection.

Recently, the United States’ National Security Agency (NSA) published an advisory to address possible risks associated with the deployment of Transport Layer Security Inspection (TLSI). The NSA’s advisory also provided methods to mitigate any potential security weaknesses for organizations deploying and employing TLSI products.

A quick primer on TLSI: TLSI—also known as TLS break and inspect—is a process that enables organizations to decrypt and re-encrypt network traffic that is encrypted with TLS or even Secure Sockets Layer (SSL). TLSI is an imperative for organizations, given that most attacks today are cloaked within encrypted traffic. For instance, according to the latest research, over 90% of page loads are now encrypted with SSL/TLS, and 71% of phishing websites leverage encryption certificates.

Many organizations today are using a dedicated device, such as a proxy device, a firewall, or an intrusion detection system (IDS) or intrusion prevention system (IPS) to decrypt and re-encrypt traffic encrypted with TLS. Others are still running TLS encrypted traffic through a daisy-chain of devices in their security stack, forcing decryption and re-encryption through every security device. The entire TLSI process assists organizations in monitoring for potential threats (such as malware) in incoming encrypted traffic. It also allows organizations to monitor outbound encrypted traffic for data exfiltration and active command-and-control (C2) communications to malicious servers, ready to download additional attack means.

But the method of TLSI being deployed and used, as well as how it is deployed, can also introduce serious risks for an organization, according to the NSA’s advisory.

The NSA, in its advisory, also recommends that TLS traffic be broken and inspected only once within an organization’s network. The advisory clearly states that decrypting, inspecting, and re-encrypting TLS traffic by a forward proxy device, with the traffic then sent to another forward proxy device for the same action, should not be performed. This action increases the risk surface while offering no additional benefit.

If an organization is deploying or using a TLSI offering that doesn’t properly validate TLS certificates, TLS encryption can be weakened, leaving an opening for man-in-the-middle (MITM) attacks to be launched.

An improperly operating forward proxy device being used for TLSI can lead to decrypted traffic being rerouted to an unauthorized third-party device, and the theft or misuse of sensitive data.

Monitoring network traffic flow to the forward proxy can help alleviate any potential for exploit, according to the NSA’s advisory. In addition, to ensure that the TLSI is operating as it should, the advisory suggests employing analytics on logs, which can detect misrouted traffic, as well as aid in detecting abuse or misuse—intentional or unintentional—by administrators.

Also, TLSI products will likely need to chain TLS connections, which could cause a downgrade in encryption protection and could lead to a weaker cipher suite or TLS version being exploited. Some TLSI offerings may allow weaker TLS versions and cipher suites by exception only.
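The log analytics the advisory suggests, and the downgrade check for chained connections described above, can be run over the forward proxy’s own flow logs. The following is an added example, not code from the advisory or from any F5 product; the key=value log format, the field names, and the list of authorized inspection devices are assumptions, and the log lines are constructed.

```python
"""Audit TLSI forward-proxy flow logs for two of the risks the NSA advisory names:
decrypted traffic steered to an unauthorized inspection device (misrouting), and a
chained server-side leg negotiated at a weaker TLS version or cipher than the
client-side leg (downgrade). Log format and field names are assumptions."""
import re

# Constructed sample log: one flow per line, key=value fields (assumed format).
LOG_LINES = """\
flow=1 client_tls=TLSv1.3 client_cipher=TLS_AES_256_GCM_SHA384 server_tls=TLSv1.3 server_cipher=TLS_AES_256_GCM_SHA384 inspect_dev=ids-01
flow=2 client_tls=TLSv1.3 client_cipher=TLS_AES_128_GCM_SHA256 server_tls=TLSv1.0 server_cipher=TLS_RSA_WITH_RC4_128_SHA inspect_dev=ids-01
flow=3 client_tls=TLSv1.2 client_cipher=ECDHE-RSA-AES128-GCM-SHA256 server_tls=TLSv1.2 server_cipher=ECDHE-RSA-AES128-GCM-SHA256 inspect_dev=10.9.9.9
""".splitlines()

# Inventory of devices allowed to receive plaintext from the proxy (assumption).
AUTHORIZED_INSPECTION_DEVICES = {"ids-01", "ips-01", "dlp-01"}
# Higher rank = newer protocol; anything unknown (e.g. SSLv3) ranks below TLSv1.0.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
# Substrings that mark a weak suite: broken ciphers/hashes, or static RSA key
# exchange (no forward secrecy) in IANA-style names.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "_RSA_WITH_")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def audit_flow(rec):
    """Return a list of finding strings for one parsed flow record."""
    findings = []
    if rec["inspect_dev"] not in AUTHORIZED_INSPECTION_DEVICES:
        findings.append("misrouted: decrypted traffic sent to unauthorized device "
                        + rec["inspect_dev"])
    if TLS_RANK.get(rec["server_tls"], -1) < TLS_RANK.get(rec["client_tls"], -1):
        findings.append("downgrade: server leg %s weaker than client leg %s"
                        % (rec["server_tls"], rec["client_tls"]))
    if any(m in rec["server_cipher"] for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher on server leg: " + rec["server_cipher"])
    return findings


def audit_log(lines):
    """Map flow id -> findings for every non-empty log line."""
    records = [parse_line(l) for l in lines if l.strip()]
    return {r["flow"]: audit_flow(r) for r in records}


if __name__ == "__main__":
    for flow, findings in audit_log(LOG_LINES).items():
        print(flow, findings or ["ok"])
```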

Most TLSI forward proxy devices include their own, internal certificate authority (CA) to create and sign new certs. But, the built-in CA could be used to sign malicious code, bypassing security mechanisms like IDS and IPS, or be used to deploy malevolent services imitating real services. The NSA advisory recommends an organization select products that implement data flow, TLS, and CA properly.

Another attack surface can be where the TLSI device decrypts traffic, right before the traffic is sent to security devices. The traffic is in plaintext and is vulnerable to attack, which could net attackers user credentials and other sensitive data.

F5 SSL Orchestrator ensures encrypted traffic is decrypted, inspected by appropriate security controls, and re-encrypted, delivering visibility into encrypted traffic and mitigating concealed threat risks. SSL Orchestrator also maximizes the effectiveness of existing security investments, dynamically chaining security services and steering decrypted traffic via policy, applying context-based intelligence to encrypted traffic. Moreover, SSL Orchestrator centrally manages and distributes the latest encryption technologies across an organization’s entire security infrastructure, centralizing certificate and key management while providing robust cipher management and control. SSL Orchestrator independently monitors the health of each security service. It also ensures security solutions are operating at peak efficiency and can scale with high availability via F5’s load balancing and scaling capabilities. In addition, it supports the most stringent and robust government and industry standards for security and privacy.

The emphasis behind the NSA advisory is to do TLS decryption and inspection well, and do it once. While it may seem that an all-in-one solution like a next-generation firewall (NGFW) would technically address this concept, in actuality it is quite impractical when trying to address all types of encrypted traffic and throughput requirements. What is really needed—and the best approach to doing TLS decryption and inspection well and once—is a closely monitored, securely connected set of multi-vendor products configured in a decrypt / inspect / re-encrypt-once solution, which will prove to be more flexible, more resilient, and practical.

With F5 SSL Orchestrator, an organization doesn’t need to chain forward proxy devices. It doesn’t need to perform independent traffic monitoring, or even added device monitoring. The most secure cipher suite or encryption method is used, because it is a full-proxy architecture. In other words, SSL Orchestrator mitigates all of the risks brought up in the NSA’s advisory, while also helping organizations align with the well-established link between responsibility and power.