Addressing the Peter Parker Principle in TLS Inspection

F5 Ecosystem | December 09, 2019

“With great power comes great responsibility.” Acknowledging Voltaire and Churchill, the quote is best known from the “Spider-Man” comics, attributed to Peter Parker’s Uncle Ben. Of course, part of the line’s cultural prevalence is that it can be applied to any number of situations and topics, including—as indicated by the title—TLS inspection.

Recently, the United States’ National Security Agency (NSA) published an advisory to address possible risks associated with the deployment of Transport Layer Security Inspection (TLSI). The NSA’s advisory also provided methods to mitigate any potential security weaknesses for organizations deploying and employing TLSI products.

A quick primer on TLSI: TLSI—also known as TLS break and inspect—is a process that enables organizations to decrypt and re-encrypt network traffic that is encrypted with TLS or even Secure Socket Layer (SSL). TLSI is an imperative for organizations, given that most attacks today are cloaked within encrypted traffic. For instance, according to the latest research, over 90% of page loads are now encrypted with SSL/TLS, and 71% of phishing websites leverage encryption certificates.

Many organizations today are using a dedicated device, such as a proxy device, a firewall, or an intrusion detection system (IDS) or intrusion prevention system (IPS), to decrypt and re-encrypt traffic encrypted with TLS. Others are still running TLS-encrypted traffic through a daisy-chain of devices in their security stack, forcing decryption and re-encryption through every security device. The entire TLSI process assists organizations in monitoring for potential threats (such as malware) in incoming encrypted traffic. It also allows organizations to monitor outbound encrypted traffic for data exfiltration and active command-and-control (C2) communications to malicious servers that stand ready to deliver additional attack tooling.

But the method of TLSI being deployed and used, as well as how it is deployed, can also introduce serious risks for an organization, according to the NSA’s advisory.

The NSA, in its advisory, also recommends that TLS traffic be broken and inspected only once within an organization’s network. The advisory clearly states that decrypting, inspecting, and re-encrypting TLS traffic by a forward proxy device, with the traffic then sent to another forward proxy device for the same action, should not be performed. This action increases the risk surface while offering no additional benefit.

If an organization is deploying or using a TLSI offering that doesn’t properly validate TLS certificates, TLS encryption can be weakened, leaving an opening for man-in-the-middle (MiTM) attacks to be launched.

An improperly operating forward proxy device being used for TLSI can lead to decrypted traffic being rerouted to an unauthorized third-party device, and the theft or misuse of sensitive data.

Monitoring network traffic flow to the forward proxy can help alleviate any potential for exploit, according to the NSA’s advisory. In addition, to ensure that the TLSI is operating as it should, the advisory suggests employing analytics on logs, which can detect misrouted traffic, as well as aid in detecting abuse or misuse—intentional or unintentional—by administrators.
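The log analytics the advisory suggests can be quite simple. As an added example (not code from the post, F5, or the NSA), the script below runs two checks over constructed forward-proxy flow records: decrypted traffic steered to a device outside the approved inspection chain (misrouted plaintext), and flows broken and inspected at more than one hop (chained inspection). The log format, field names, device names and addresses are all assumptions made for this example.

```python
# Added example: advisory-style log analytics over constructed TLSI proxy flow
# records. Log layout, device names and addresses are assumptions, not a real
# product's format.
from collections import defaultdict

# Devices authorised to receive decrypted traffic from the proxy (assumed list).
APPROVED_INSPECTORS = {"ids-1:10.0.5.10", "dlp-1:10.0.5.20"}

# Constructed records: flow_id,client,server,decrypted,steered_to,hop
# "hop" is the inspection point that handled the flow (1 = first proxy).
SAMPLE_LOG = """\
f100,10.1.2.3,198.51.100.7,yes,ids-1:10.0.5.10,1
f100,10.1.2.3,198.51.100.7,yes,dlp-1:10.0.5.20,1
f101,10.1.2.4,198.51.100.7,yes,ids-1:10.0.5.10,1
f101,10.1.2.4,198.51.100.7,yes,ids-1:10.0.5.10,2
f102,10.1.2.5,198.51.100.7,yes,collector:203.0.113.9,1
f103,10.1.2.6,198.51.100.7,no,-,1
"""

def parse_flows(text):
    """Parse the CSV-style records into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow_id, client, server, decrypted, steered_to, hop = line.split(",")
        rows.append({"flow_id": flow_id, "client": client, "server": server,
                     "decrypted": decrypted == "yes",
                     "steered_to": steered_to, "hop": int(hop)})
    return rows

def find_misrouted(rows):
    """Decrypted flows whose plaintext went to a device not in the chain."""
    return sorted({r["flow_id"] for r in rows
                   if r["decrypted"] and r["steered_to"] not in APPROVED_INSPECTORS})

def find_double_inspection(rows):
    """Flows that were broken and inspected at more than one hop."""
    hops = defaultdict(set)
    for r in rows:
        if r["decrypted"]:
            hops[r["flow_id"]].add(r["hop"])
    return sorted(f for f, h in hops.items() if len(h) > 1)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("misrouted plaintext:", find_misrouted(flows))
    print("inspected more than once:", find_double_inspection(flows))
```

In a real deployment the same two checks would run against the proxy's exported flow logs, with the approved-inspector list taken from the service-chain configuration.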

Also, TLSI products will likely need to chain TLS connections, which could cause a downgrade in encryption protection and could lead to a weaker cipher suite or TLS version being exploited. Some TLSI offerings may allow weaker TLS versions and cipher suites by exception only.
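The two weaknesses just described (missing certificate validation and a downgraded TLS version on the chained upstream connection) both live in how the inspecting proxy builds its server-facing TLS context. The following is an added example, not code from the post or from any F5 product: a hardened upstream context built with Python's standard ssl module, a deliberately weak one of the kind the advisory warns about, and a small audit function that reports the gaps. The function names and the TLS 1.2 floor are assumptions for this example.

```python
# Added example: hardened vs. weak upstream TLS context for a TLSI forward
# proxy, and an audit that reports the advisory's concerns. Names and the
# TLS 1.2 minimum are assumptions made for this example.
import ssl

def build_upstream_context():
    """Hardened server-facing context: validate the server certificate and
    hostname, and refuse legacy TLS versions on the chained connection."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1 downgrade
    return ctx

def build_weak_context():
    """Weak context (for contrast only): no certificate or hostname validation,
    so a forged upstream certificate would be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return a list of findings for a proxy's upstream context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not validated (MiTM exposure)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (downgrade exposure)")
    return findings

if __name__ == "__main__":
    print("hardened:", audit_context(build_upstream_context()) or "no findings")
    print("weak:", audit_context(build_weak_context()))
```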

Most TLSI forward proxy devices include their own, internal certificate authority (CA) to create and sign new certs. But, the built-in CA could be used to sign malicious code, bypassing security mechanisms like IDS and IPS, or be used to deploy malevolent services imitating real services. The NSA advisory recommends an organization select products that implement data flow, TLS, and CA properly.

Another attack surface can be where the TLSI device decrypts traffic, right before the traffic is sent to security devices. The traffic is in plaintext and is vulnerable to attack, which could net attackers user credentials and other sensitive data.

F5 SSL Orchestrator ensures encrypted traffic is decrypted, inspected by appropriate security controls, and re-encrypted, delivering visibility into encrypted traffic and mitigating concealed threat risks. SSL Orchestrator also maximizes the effectiveness of existing security investments, dynamically chaining security services and steering decrypted traffic via policy, applying context-based intelligence to encrypted traffic. Moreover, SSL Orchestrator centrally manages and distributes the latest encryption technologies across an organization’s entire security infrastructure, centralizing certificate and key management while providing robust cipher management and control. SSL Orchestrator independently monitors the health of each security service. It also ensures security solutions are operating at peak efficiency and can scale with high availability via F5’s load balancing and scaling capabilities. In addition, it supports the most stringent and robust government and industry standards for security and privacy.

The emphasis behind the NSA advisory is to do TLS decryption and inspection well, and do it once. While it may seem that an all-in-one solution like a next-generation firewall (NGFW) would technically address this concept, in actuality it is quite impractical when trying to address all types of encrypted traffic and throughput requirements. What is really needed—and the best approach to doing TLS decryption and inspection well and once—is a closely-monitored, securely-connected set of multi-vendor products configured in a decrypt / inspect / re-encrypt-once solution, which will prove to be more flexible, more resilient, and practical.

With F5 SSL Orchestrator, an organization doesn’t need to chain forward proxy devices. It doesn’t need to perform independent traffic monitoring, or even added device monitoring. The most secure cipher suite or encryption method is used, because it is a full-proxy architecture. In other words, SSL Orchestrator mitigates all of the risks brought up in the NSA’s advisory, while also helping organizations align with the well-established link between responsibility and power.

About the Author

Jay Kelley, Senior Manager, Product Marketing
