Ready to learn more about how you can inspect encrypted traffic without limitations and costly appliances? See how Zscaler SSL Inspection can help.
With the growing popularity of the cloud and SaaS apps, it’s become more likely that a given file or string of data will traverse the internet at some point. If that data is confidential or sensitive, it could be a target. Encryption, therefore, is essential to keeping people and data safe. That’s why most browsers, websites, and cloud apps today encrypt outgoing data as well as exchange that data over encrypted connections.
Of course, it works both ways—if sensitive data can use encryption to hide, then threats can, too. This makes effective SSL decryption equally essential as it enables an organization to fully inspect the contents of decrypted traffic before either blocking it or re-encrypting it so that it can continue on its way.
Time for a disambiguation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that govern encryption and transmission of data between two points. So, what’s the difference?
The now-defunct Netscape developed SSL in the 1990s, releasing SSL 3.0 in late 1996. TLS 1.0, based on an improved version of SSL 3.0, came about in 1999. TLS 1.3, released by the Internet Engineering Task Force (IETF) in 2018, is the most recent and secure version as of this writing. Today, SSL is no longer developed or supported—by 2015, the IETF had declared all versions of SSL deprecated due to vulnerabilities (e.g., to man-in-the-middle attacks) and lack of critical security features.
Despite this and decades of change, outside of a strictly technical sense, most people still say “SSL” as a catch-all for cryptographic protocols. In other words, when you see SSL, TLS, SSL/TLS, HTTPS, and so on, they all mean the same thing most of the time. For the purposes of this article, we’ll clarify as needed.
Implementing SSL decryption and inspection helps today’s organizations keep their end users, customers, and data safe, with the ability to:
ThreatLabz: The State of Encrypted Attacks, 2021
Despite increased encryption usage, many organizations still inspect only some of their SSL/TLS traffic, allowing traffic from content delivery networks (CDNs) and certain “trusted” sites to go uninspected. This can be risky because:
So, why doesn’t everybody do it? Simply, it takes a lot of computation to decrypt, inspect, and re-encrypt SSL traffic, and without the right technology, it can devastate your network’s performance. Most companies can’t afford to grind business and workflows to a halt, so they have no choice but to bypass inspection by appliances that can’t keep up with the processing demands.
There are a few different approaches to SSL decryption and inspection. Let’s look at the most common ones and key considerations for each.
Terminal Access Point (TAP) mode
A simple hardware device copies all network traffic for offline analysis, including SSL inspection.
Expensive hardware (e.g., 10G network TAPs) is required to ensure all traffic is copied at full line rate without data loss.
Retrospective SSL inspection no longer works due to “perfect forward secrecy,” which requires new keys for every SSL session.

Next-Generation Firewall (NGFW)
Network connections stream through an NGFW with only packet-level visibility, which limits threat detection.
NGFWs only see a fraction of malware, allowing it to be delivered in pieces. They require bolt-on proxy functionality and tend to underperform when key features like threat prevention are enabled.
Performance drops notably because TLS 1.3 cipher suites demand more processing and scale, which usually means a hardware upgrade to overcome.

Proxy
Two separate connections are created between client and server, with full inspection across network flow and sessions.
Entire objects can be reassembled and scanned, allowing for scanning by additional threat detection engines, such as sandbox and DLP.
In the case of a cloud proxy delivered as a service, no appliance refresh is required on the customer side to meet TLS 1.3 performance and scale needs.
The need to implement an SSL decryption and inspection function to protect your organization has become too great to ignore. Even so, there are important things to consider—some more technical than others—as you deploy SSL inspection:
SSL decryption and inspection can drastically improve your security hygiene, but it might not be as simple as decrypting everything. Depending on your industry, region, and the laws and regulations you’re subject to, you may deal with certain traffic that shouldn’t be decrypted, such as medical or financial data. In this case, you’ll need to configure filters and policies to keep these types of connections private.
Outside of legal and regulatory concerns, your organization should generally inspect as much SSL traffic as possible to reduce risk and keep your users and data safe.
The Zscaler Zero Trust Exchange™ platform enables complete SSL inspection at scale without latency or capacity limitations. By pairing SSL inspection with our complete security stack as a cloud service, you get superior protection without the constraints of appliances.
Inspect all your users’ SSL traffic, on or off network, with a service that elastically scales to meet your traffic demands.
Stop managing certificates individually across all gateways. Certificates uploaded to the Zscaler Cloud are immediately available in 150+ Zscaler data centers worldwide.
Ensure compliance with the flexibility to exclude encrypted user traffic for sensitive website categories such as healthcare or banking.
Stay covered with support for the latest AES/GCM and DHE cipher suites for perfect forward secrecy. User data is never stored in the cloud.
Use our certificates or bring your own. Use our API to easily rotate your certificates as often as needed.