Keysight's Inline Decryption
As most traffic becomes encrypted and with ephemeral key on its way to becoming the dominant technology, organizations need a way to retain the benefits of Transport Layer Security (TLS) 1.3, while being able to inspect traffic for threats and malware to protect their networks and users.
Keysight's Inline Decryption capability, an addition to the SecureStack feature set, enables organizations to see inside traffic that uses ephemeral key cryptography through its visibility platform. Keysight's Inline Decryption can be used for both inline and out-of-band tools, for outbound and inbound traffic, and it can be used simultaneously with NetStack, PacketStack and AppStack capabilities. The Inline Decryption capability is available via separate high-performance application modules that are compatible with Vision ONE™ and Vision X, both turnkey network packet brokers that provide high-performance, lossless visibility. With a dedicated cryptographic processor, Inline Decryption provides the best throughput integrated with a visibility solution. Moreover, it includes built-in policy management, Uniform Resource Locator (URL) categorization, support for all leading ciphers, and reporting.
A Security Dilemma
Organizations encrypt internet exchanges to protect themselves and their users — in particular, to protect sensitive information such as credit card numbers, social security numbers, etc. As of 2017, both Firefox and Google have shown that over 75% of sites visited via their browsers encrypt traffic. This encryption helps prevent identity theft, security breaches, and data leaks. However, much like a Trojan horse, encryption can also be the way malware and other threats are inserted into networks. Gartner predicts that by 2020, more than 60% of organizations will fail to decrypt Hypertext Transfer Protocol Secure (HTTPS) efficiently, "missing most targeted web malware". Moreover, hackers are becoming more clever and some forms of encryption are becoming more vulnerable.
The solution to this dilemma is two-fold:
- Use encryption technology that is harder to compromise
- Inspect all encrypted traffic for threats as part organizations' security and monitoring policies
Why Ephemeral Key
Secure Sockets Layer (SSL) and Transport Layer Security (TLS), both of which are commonly referred to as "SSL", are technologies in which data is scrambled or "encoded" to protect communications over a computer network. As pictured to the right, the technology basically works by exchanging information that is coded via a public key (provided by the server) and sent over the internet. The receiving party (server) is able to decode the data because it has the other half of the equation, the private key.
The dominant encryption technology had been Rivest-Shamir-Adleman (RSA), which uses static keys. This means that a server has a given key for its communications. Now, if this key is somehow compromised, any communication from that server is exposed. To address this concern, many organizations and regulatory bodies are shifting to using and mandating ephemeral key encryption, most commonly Elliptic curve Diffie–Hellman ephemeral (ECDHE), in which a new key is generated for each exchange.
Perfect Forward Secrecy and TLS 1.3
Let us consider static keys to be like physical keys — if one is stolen or copied, the person with the key can access all communications locked by that key. In contrast, ephemeral key is like a number generated by a mobile app for a specific exchange. If the number is stolen, it can only be used to unlock that one exchange. All other exchanges are still protected. This perfect forward secrecy is what makes ephemeral key compelling.
Tech industry leaders including Google, Facebook, Mozilla, and more are announcing their shift to using ephemeral key for encryption in order to provide greater security for users. TLS 1.3, the latest TLS protocol standard by the Internet Engineering Task Force (IETF), favors ephemeral key exchange.
Keysight's Inline Decryption
Offload TLS Decryption
Decrypt network traffic once and inspect many times to scale your security and monitoring infrastructure. TLS decryption can take up to 60-80% of a tool's capacity, meaning the majority of time is spent decrypting versus the more critical inspecting of traffic. Moreover, some tools aren't even able to decrypt TLS traffic.
By offloading the TLS decryption, you achieve the following:
- Better ROI for security and monitoring tool investment
- Improved performance of security and monitoring tools
- Ability to scale security and monitoring infrastructure
- Complete visibility into encrypted traffic, even traffic encrypted with ephemeral key
Inline And Out-of-Band (OOB)
Inline Decryption can be used for both inline and out-of-band tool deployments.
- Inline: traffic that is coming into or leaving the network can be inspected enroute. With Inline Decryption, data that comes into a network packet broker is decrypted and then sent to security and monitoring tools. After inspection, tools send the data back to the network packet broker where it is re-encrypted with the Inline Decryption capability. By default, the same cipher is used, but you can apply any policy required. Data is then routed back to the network. For optimal security, this is done with a Bypass switch in an active-active resilient architecture. Re-encrypting the data with an ephemeral key ensures network security, while allowing inspection, the best of both worlds!
- Out-of-band: traffic comes into the network packet broker and is decrypted, copied and sent to out-of-band security and monitoring tools. These tools use the decrypted traffic to generate alerts.
- Simultaneous deployment: With Keysight's Vision ONE and Vision X, both inline and out-of-band modes can be used at the same time. So security and monitoring tools appropriate for each mode can be used in the same deployment.
With Keysight, traffic can be decrypted and then packets trimmed, headers stripped and more, before sending to out-of-band security tools. This increases tool efficiency and operating life. Application Identification can be used to send – or exclude – certain applications to those tools, with or without Data Masking Plus to protect personally identifiable information (PII). Geography, browser type, and application type, and even custom apps can be used to select which traffic to forward to out-of-band tools.
For inline deployments, Inline Decryption is fully transparent, requiring no manual proxy configuration on the clients. The built-in load balancing features and heartbeat detection of failed inline devices can be used to maintain a high-performance, highly resilient security deployment with the Vision ONE or Vision X maintaining the service chain and offloading tasks such as TLS decryption and rich Netflow generation.
Using many features concurrently ensures optimized security policy enforcement while allowing tools to operate efficiently. Improving the life of security and monitoring tools. Adding Keysight's Bypass switches and ThreatARMOR yield an optimal best-practices security deployment with ultimate reliability and efficiency.
The Inline Decryption capability is easy to configure and manage as part of your Vision ONE or Vision X network packet broker setup and deployment.
Vision ONE and Vision X include flexible policy configuration for maximum security and support of multiple concurrent contexts.
Upgrades to higher throughput are easy with a simple license modification. ctive The Vision ONE is offered with 1G, 2G, 4G or 10G licenses. No additional hardware or massive upgrades that require configuration changes are needed to move among licenses. The Vision X offers one license per CPU at up to 25G.
Keysight's Inline Decryption comes with real-time onscreen analytics that includes details on throughput, sessions and crypto data. With the ability to mouse-over and drill down, it ensures you can keep track of all your data. Inline Decryption also includes error and exception logging and the ability to access historical data.
Supports Leading Ciphers
Inline Decryption already supports many leading ciphers indicated in TLS 1.3 and additional ciphers are continuously being added.
“With the TLS 1.3 standard implementing ephemeral keys, organizations will find decrypting and inspecting encrypted traffic to be more complex and resource intensive. Solutions like Inline Decryption will enable organizations to gain visibility into their current network traffic efficiently, with less disruption to their networks, as well as their monitoring tools and security devices.”
DAN CONDE, ANALYST, ESG
Inline Security with Inline Decryption
Inline Decryption seamlessly integrates into Keysight's fail-safe security architecture for inline deployments. Combined with Keysight's threat intelligence gateway, ThreatARMOR™ , Inline Decryption creates an even more robust inline architecture that can block bad Internet Protocols (IPs), handle encrypted traffic, and protect your network with active-active high availability configurations that ensure continuous traffic inspection and near-instant recovery.