Encryption is a powerful tool for keeping communications private, but it can also put your data at risk. It creates a blind spot in the defenses of a firewall which reduces the effectiveness of malware detection. It also reduces the ability to manage content on a business’s network. SonicWALL created DPI-SSL to stop threats over encrypted channels and unnecessary uses of bandwidth.
There has always been a need to encrypt data to protect it from being read by third parties. Hypertext Transport Protocol (HTTP), the protocol by which all browsers communicate with server hosts was expanded to include HTTPS which is the secure/encrypted version. It is essentially HTTP utilizing one of two encryption methodologies; either SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
When visiting a website utilizing a browser, usually the address begins with either “http://” or “https://”, the latter indicating that the session is encrypted. The process by which the encrypted session takes place is the result of encryption keys that are exchanged between the server (website) and the client (browser). In order to ensure the authenticity of the keys, a digital certificate is awarded to the owner of the server by a recognized Certificate Authority (or CA). The CA must be trusted and go through a certification process to be included in the various browsers such as Chrome, Internet Explorer or Mozilla Firefox. There are about 50 Certificate Authorities recognized by various browsers. Browsers use digital certificates to verify the private keys exchanged at the start of a secure browsing session. Modern encryption mechanisms make it nearly impossible to decrypt data transported using this method without those keys.
It’s also important to know that one of the responsibilities of the issuing CA is to take reasonable steps to ensure the integrity of the entities they are issuing the digital certificates to. The main reason is that not only do you want the session to be encrypted, but you also want to know that the entity that you are having an encrypted session with is trustworthy. The whole concept of trust has been the basis of the widespread use of what is known as Public Key Infrastructure or PKI used by every browser and every secure website.
Encryption is used to keep prying eyes or ears from observing confidential data. Sites like banking, insurance, healthcare, etc. or any site where an exchange of a user ID and password must be kept confidential utilized encryption to protect users’ data. But today, that is no longer the case. It is estimated that by the end of 2016, more than 50% of all Internet traffic will be encrypted. You might wonder who’s doing all this encryption and why they are doing it. The answer to “who?” is Netflix, Google, YouTube, Facebook, and others. Netflix generates the largest amount of encrypted traffic on the Web. You may wonder why it is important to encrypt data that doesn’t seem to have information that would be confidential.
Simply put, as with all other technology shifts like this, it is economics. Over the past several years, advances in technologies have allowed next generation firewalls to identify all types of network traffic by their unique profiles. This allows network administrators to manage bandwidth or block traffic that is not desirable on business networks. Those technologies match the streams of data to known signatures that then allow policies in a firewall to determine what should be done with the traffic. A business might want to restrict the amount of bandwidth taken up by YouTube or Netflix so that critical business applications can function as expected. Or you might even want to block certain traffic altogether. And more importantly, the content providers don’t want you to stop their content from reaching their audience so they figured out how to get their content to end users with encryption.
With encryption, the ability to identify traffic is dramatically reduced or eliminated. When an encrypted session is established, all communications that would allow a firewall to identify the website visited or the data being transported will be encrypted and therefore unidentifiable. So when the data is encrypted, the most popular means for identifying what the traffic is, no longer works. It simply can’t identify the traffic and therefore act on it. What’s more, malicious software (Malware) can also be encrypted making it impossible for signature based firewalls to stop it before it reaches its destination.
So encryption dramatically reduces or eliminates the effectiveness of the best-known defenses against malware along with a business’s ability to manage the type and quantity of content that traverses their network.
There are two major reasons why encrypted traffic can no longer be trusted. To begin with, when you go to a site you probably think you can trust, that may not be the case. For example, if you go to CNN, MSN, Yahoo, etc., much of what is on those sites is ads that are being dished up by ad services such as DoubleClick or Akamai. They, in turn, dish up ads that were paid for by third party advertisers. If you are visiting an encrypted site, the ad content will also be encrypted. It is nearly impossible for the ad servers to monitor every bit of ad content to ensure its integrity. So active ad content may contain malware which is referred to as “malvertising”. In addition, even if that content contains no actual malware, it often has the ability to redirect you to a site that hosts malware.
This brings us to the other reason encrypted traffic can no longer be trusted. In the early days of digital certificates, the issuing Certificate Authorities took significant steps to ensure the entity that a certificate was being issued to was trustworthy. That is no longer the case. The market for certificates has become commoditized and when that happens, generally prices go down – which they have. The result for a CA is that in order to offset the loss of profits, you have to issue more certificates. The end result is that it is no longer difficult to obtain a coveted digital certificate. To that point, the world’s largest issuer of digital certificates (Comodo), has had many high profile cases of their certificates being used to mask malware with encryption.
The term DPI-SSL simply means “Deep Packet Inspection” of SSL traffic. It’s a bit of a misnomer since most encrypted traffic today uses TLS for encryption instead of SSL, but the concept and results are exactly the same. The technology decrypts the traffic, determines what is to be done with it (let it pass, block it or manage the associated bandwidth) and sends it on its way if that’s the desired outcome. But to do this requires a bit of technological wizardry. First of all, when your browser exchanges the keys with a website, it has to validate who owns the site and whether to trust it. To do that, it validates the certificate against the root certificate of the issuing Certificate Authority. In order to convince your browser that it’s okay to proceed, the site needs to convince your browser that it has a valid certificate representing the site you’re trying to visit.
In order to decrypt the traffic, the technology has to convince both sides that it’s okay to talk and no one can hear them.
DPI-SSL utilizes a hacker’s concept called a “man-in-the-middle attack”. Essentially someone steps in the middle of the conversation and begins collecting the packets going back and forth, examining them and sending them on their way. In order to do that with encrypted traffic, two things have to happen. First of all, if I’m that guy in the middle, I have to have a valid certificate myself to exchange with the person using the browser. In order to convince your browser that it’s okay to talk to me, you need to recognize my certificate and trust it in place of the certificate I was expecting from the website.
Every browser has the ability to import a certificate for traffic that is known to be trusted, thereby making the other side of the conversation a trusted source regardless of who it is. Once that happens, the conversation will be allowed by your browser.
To demonstrate how this technology works, let’s use the example of a banking website. Let’s suppose I want to go to my account on the Chase banking website. I might type www.chase.com in my browser and I’ll be transported to the site where I will see the little padlock with “https://” next to it. But what really happens is that when the firewall recognizes that an encrypted session is being set up, it steps in the middle and mimics Chase in the exchange of keys with your browser and also begins an encrypted session with Chase as though it were the browser communicating with the website.
As data is passed either direction, the firewall decrypts the data, examines it and makes a determination of what to do with it and then re-encrypts it and sends it on its way. It thereby solves both of the problems of traffic management and identification of malware. It also solves one issue that has existed for years. People who want to get past content filtering often use what are called “proxy sites”. These are sites that act as an encryption mechanism so that it makes it impossible for content filters to read the TCP header information that contains the name of the site being visited. As an example, if you’re an employee and you want to visit an adult site, you can do so by first going through a proxy site that will encrypt the data and then transport the session on to the site you wanted to visit.
With DPI-SSL that traffic can now be examined and the classification of a website can be determined for the purpose of allowing or blocking that site.
The first requirement for implementing DPI-SSL is a firewall with those capabilities. Almost all SonicWALL firewalls manufactured today can do that. However, there are other important considerations. Encryption and decryption require processor power. Just as Netflix has spent millions of dollars on implementing encryption, you will likely have to purchase a firewall with more processor power than what you would have needed without DPI-SSL. How much power is required is easily determined by an examination of your network traffic. A member of the Cerdant engineering team can help you with that.
In addition, you will need to generate a digital certificate from the firewall. You will also have to install that certificate in each of the versions of browsers that your users are using. That may sound difficult and time-consuming but for most businesses, it’s easier than you think. A feature of Microsoft’s Active Directory allows you to push out certificates to the browsers that are being supported. Most businesses use AD to control access and privileges on their networks now so implementing a certificate takes just a few minutes.
Once the process is complete, your firewall can examine all of the traffic passing to and from the Internet and keep you safe from most malware as well as help you manage non-malicious content. But without DPI-SSL your firewall cannot protect you from many of the threats from the Internet.
DPI-SSL is now clearly an essential tool for maintaining the security of networks.