6 tips for encrypted data processing with the advent of TLS 1.3

Written by Scott Register, vice president, product management, Keysight Technologies

Encryption is the foundation of internet security, and another layer is being built on top of it. Browsers, security tools, and service providers are tinkering with their offerings to support a new encryption standard designed to enhance privacy across the web. The Internet Engineering Task Force (IETF) released the Transport Layer Security (TLS) Protocol Version 1.3 just this August. This version improves security, performance, and privacy relative to previous encryption standards to help serve the "modern internet."

For example, perfect forward secrecy (PFS) was an optional feature in version 1.2. Now it is a requirement for all sessions in TLS 1.3. PFS uses ephemeral key cryptography in order to generate a new encryption key for each client/server interaction and make each new connection secure every time. Previous and future sessions maintain secrecy because a given key is never re-used. This means that even if a hacker manages to compromise one session, it does not enable him/her to decrypt other sessions between that client and server. With previous "static key" versions, compromising a session yielded the ability to decrypt other sessions between those entities.

The catch is that your network must be able to support TLS 1.2 and 1.3 ephemeral ciphers from both a server capacity (if you are hosting web services) and from a security and visibility perspective, if you are analyzing traffic for malware. If your systems are not up to date, you either can't leverage the latest improvements or they may render you blind to malicious activity. Below are six tips for monitoring and processing encrypted data on your network as you secure your network with PFS.

1.       Don't bother decrypting bad traffic. By cross-referencing traffic with a database of known malware sites, a threat intelligence gateway device can block bad traffic before it undergoes the resource-intensive process of decryption. Blocking malware prior to decryption enables your tools to work more efficiently with added protection. The gateway achieves this by recognizing dangerous IP addresses in a packet's header and blocking the transmission of that packet's data. Because a packet's header is plain text, no decryption is necessary. A threat intelligence solution reduces false positives in threat detection while blocking a significant number of threats compared to other security tools. It does not require any manual rule creation as conditions change.

2.       Use Active SSL decryption. The amount of encrypted traffic on a given network is growing rapidly, and this includes both good traffic and encrypted malware. Security deployments should include passive SSL decryption at a minimum for environments that still use static key encryption and can leverage that technology. However, transitioning to active SSL decryption can be even more effective. Actively decrypting data on your network allows your security system to detect malicious activity in real time and reduces security risks to your business. 

3.       Have a standalone, dedicated device. Introducing active SSL to your security deployment can be a labor-intensive process, even given the benefits. It often requires a significant re-architecting of network infrastructure. It's important to be sure to balance security with performance. For example, some external next-generation firewalls can support active SSL decryption, but that feature can negatively affect network performance. Solutions with multipurpose functionality are often less suited to strike the right balance. Enabling active SSL on your security tools may reduce overall performance, increase latency, increase congestion, and require added processing capacity. Instead, security teams should consider implementing a dedicated active SSL solution to decrypt/encrypt traffic for all other tools. This will improve efficiency during processing and alleviate the burden on your security tools.

4.       ******* ****  sensitive plaintext data. Plain text is the typical output of decryption, often being shared with out-of-band monitoring and analysis tools. This poses a new risk, even inside the network perimeter as sensitive plain text data could be intercepted in transmission or accessed through the receiving tool. Security teams need devices with data masking capabilities in order to provide additional protections for sensitive information such as passwords, credit card numbers, social security numbers, email addresses, and healthcare data. Intelligent data masking systems can scan data packets for patterns consistent with privacy regulations and block all but the last several characters in a string.

5.       Is it working? After the initial setup, it is important to verify that security devices are performing as expected. This can be achieved with validation testing on the network. A test solution that can generate encrypted malware and other IT attacks that help expose any weaknesses in the deployment of your security system. Furthermore, you can evaluate prospective solutions, refine configurations, and measure the performance of your existing tools.

6.       Get help where you need it. With IT and security professionals in short supply, outsourcing the logistical planning and restructuring of your infrastructure may be the most cost-effective way to implement TLS 1.3. In addition to updating web server software, devices that do not support the new standard may need to be replaced and traffic rerouted. Allowing a trusted third party to develop plans, select new vendors, optimize configurations, and administer changes significantly reduces implementation time and risks associated with network changeover.

Before you know it, most of the traffic on your network will be encrypted. With the new standard requiring perfect forward secrecy, your security deployment must support TLS 1.3 as well as decrypt, process, and protect your data quickly and efficiently. If you want to build a robust security architecture for your business and implement TLS 1.3, follow these suggestions so that hackers don't stand a chance against your network.

##

About the Author

 

Scott Register has more than 15 years of experience leading product management operations for global technology companies and is currently the vice president of product management leading the development of new Ixia products in the areas of Security, Virtualization and Cloud. Scott also spearheaded the company's visibility product line prior to his current role.

Scott brings to Ixia a broad experience in managing enviable growth across a diverse range of environments, from embryonic to VC-backed startup to multi-hundred-million-dollar product lines. Innovative and energetic, Scott has a strong history of successful engagements with customers, channels, and business partners on a global basis.

Prior to Ixia, he led product management at BreakingPoint Systems where he was responsible for the industry's highest rated network performance, security, and resiliency testing equipment, before the company was acquired by Ixia.

Scott previously led product lines for Blue Coat, where he oversaw the successful launch of a new appliance suite designed specifically for low touch, rapid sales opportunities. At Check Point Software he managed all aspects of FireWall-1 product and a suite of supporting products including software management, load balancing, and intrusion protection systems.

He holds B.S. and M.S. degrees in computer science from Georgia Institute of Technology and also served as a member of the research faculty.