What's Lurking in Your Network? Find Out by Decrypting SSL
Fri, January 18, 2013
Network World — Organizations have spent vast sums of money on security systems and, when deployed and operated correctly, they play a key role in safeguarding the organization. However, most systems have one critical dependency: The traffic flowing through must be readable. If the traffic is encrypted, many systems are almost completely useless, giving the system owner a false sense of security.
Exactly how much of a problem is this? A recent report published by Palo Alto Networks sheds some light. According to the company's Application and Usage Risk Report, 7th Edition, 36% of the bandwidth on corporate networks is encrypted. That's a 36 in 100 chance your network-based information security systems will miss the bad stuff. And in reality, the chance is greater than 36%, because the bad guys know where to hide the bad stuff so your tools can't see it. Furthermore, the percentage of traffic that is encrypted is increasing as more applications and websites adopt encrypt-by-default policies.
So what can be done? Clearly, blocking all encrypted traffic at the enterprise edge is not feasible. The answer lies with a technological capability that allows us to peek inside the encrypted traffic: on-the-fly decryption. The remainder of this article is dedicated to explaining how this can be done. I won't be referring to any one vendor's implementation, but rather will attempt to stick to the basics and explain how the technology works.
Contrary to what you may be thinking, you do not need a team of mathematicians or NSA-grade supercomputers for the task. On the contrary, it's actually quite simple once you understand the basics.
When you open the browser on your computer (or smartphone or tablet) and go to a secure website such as your bank, you notice the URL begins with HTTPS (notice the "S"). This indicates that all data being exchanged with the remote Web server is being encrypted by an encryption scheme called PKI (public key infrastructure). It works like this:
- The Web server has a secret encryption key called a private key, which is just a long, seemingly random string of characters stored in a computer file. Only the Web server has access to the private key. It also has a public certificate (which is also just a computer file) that contains another encryption key, called the public key, that is different from the secret key.
- The private key and the public key are mathematically related such that anything encrypted with the public key can only be decrypted with the private key. In other words, the encryption operation cannot be reversed using the public key. (Exactly how the mind-bending math works is beyond both the scope of this article and, frankly, my intelligence.)