6 tips for encrypted data processing with the advent of TLS 1.3
Written by Scott Register, vice president, product management, Keysight Technologies
Encryption is the foundation of internet
security, and another layer is being built on top of it. Browsers, security
tools, and service providers are tinkering with their offerings to support a new
encryption standard designed to enhance privacy across the web. The Internet
Engineering Task Force (IETF) released the Transport Layer Security (TLS)
Protocol Version 1.3 just this August. This
version improves security,
performance, and privacy relative to previous encryption standards to help
serve the "modern internet."
For example, perfect forward secrecy (PFS) was an optional feature in version 1.2;
in TLS 1.3 it is required for all sessions. PFS uses ephemeral key cryptography to
generate a fresh encryption key for each client/server interaction, so every new
connection is secured independently. Previous and future sessions keep their
secrecy because a given key is never re-used: even if a hacker manages to
compromise one session's key, that does not let him/her decrypt other sessions
between that client and server. With previous "static key" exchanges,
compromising the long-term key yielded the ability to decrypt other sessions
between those entities.
The catch is that your network must be able to support TLS 1.2 and 1.3 ephemeral
ciphers, both in server capacity (if you are hosting web services) and from a
security and visibility perspective (if you are analyzing traffic for malware). If
your systems are not up to date, you either can't leverage the latest improvements
or they may render you blind to malicious activity. Below are six tips for
monitoring and processing encrypted data on your network as you secure it with PFS.
1. Don't bother decrypting bad traffic. By cross-referencing traffic with a database
of known malware sites, a threat intelligence gateway device can block bad traffic
before it undergoes the resource-intensive process of decryption. Blocking malware
prior to decryption lets your tools work more efficiently while adding protection.
The gateway achieves this by recognizing dangerous IP addresses in a packet's
header and blocking the transmission of that packet's data. Because the packet
header is plain text even when the payload is encrypted, no decryption is
necessary. A threat intelligence solution reduces false positives in threat
detection while blocking a significant share of threats compared to other security
tools, and it does not require any manual rule creation as conditions change.
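As an added illustration of the header-only check described above (not code from the article or from any Keysight product), the following decodes just the plaintext IPv4 header of a packet and screens both endpoints against a blocklist; the blocklist ranges and sample packets are constructed here for the demo.

```python
import ipaddress
import struct

# Constructed stand-in for a threat intelligence feed (documentation ranges,
# not real indicators).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header only; the payload (TCP segment, TLS record) is
    never read, so nothing here depends on decryption."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "header_len": ihl, "total_len": total_len}


def should_block(packet: bytes) -> bool:
    """Gateway decision taken before any TLS processing: drop the packet if
    either endpoint falls inside a listed range."""
    hdr = parse_ipv4_header(packet)
    return any(hdr["src"] in net or hdr["dst"] in net for net in BLOCKLIST)


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Assemble a minimal IPv4 packet (checksum left zero) for the samples below."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


# Constructed samples: the payload is an opaque TLS application-data record
# whose contents the gateway never inspects.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + b"\xaa" * 32
ALLOWED = build_ipv4("192.0.2.10", "192.0.2.80", TLS_RECORD)
BLOCKED = build_ipv4("192.0.2.10", "203.0.113.44", TLS_RECORD)

if __name__ == "__main__":
    for name, pkt in (("allowed", ALLOWED), ("blocked", BLOCKED)):
        print(name, parse_ipv4_header(pkt)["dst"], "drop" if should_block(pkt) else "pass")
```

The decision quality is bounded by the feed: an address not on the list passes through to decryption regardless of what it carries.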
2. Use active SSL decryption. The amount of encrypted traffic on a given network is
growing rapidly, and it includes both legitimate traffic and encrypted malware.
Security deployments should include passive SSL decryption at a minimum for
environments that still use static key encryption and can therefore leverage that
technology (passive decryption relies on a copy of the server's private key, which
ephemeral key exchange makes useless for that purpose). However, transitioning to
active SSL decryption can be even more effective. Actively decrypting data on your
network allows your security system to detect malicious activity in real time and
reduces security risks to your business.
3. Have a standalone, dedicated device. Introducing active SSL to your security
deployment can be a labor-intensive process, even given the benefits, and it often
requires significant re-architecting of network infrastructure. It is important to
balance security with performance. For example, some next-generation firewalls can
support active SSL decryption, but enabling that feature can degrade network
performance, and multipurpose solutions are often less suited to striking the right
balance. Enabling active SSL on your security tools may reduce overall throughput,
increase latency and congestion, and require added processing capacity. Instead,
security teams should consider a dedicated active SSL solution that decrypts
traffic once, feeds the plaintext to all other tools, and re-encrypts it on the way
out. This improves processing efficiency and alleviates the burden on your security
tools.
4. Protect your sensitive plaintext data. Plain text is the typical output of
decryption, and it is often shared with out-of-band monitoring and analysis tools.
This poses a new risk, even inside the network perimeter, because sensitive plain
text data could be intercepted in transmission or accessed through the receiving
tool. Security teams need devices with data masking capabilities in order to
provide additional protection for sensitive information such as passwords, credit
card numbers, social security numbers, email addresses, and healthcare data.
Intelligent data masking systems can scan data packets for patterns covered by
privacy regulations and mask all but the last several characters in a string.
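An added example of the masking step just described (not code from the article or from any Keysight product): card numbers are found by pattern and confirmed with the Luhn check before all but the last four digits are replaced, and social security numbers are masked the same way; the sample payload is constructed.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US social security number in its usual written form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out order numbers and timestamps that
    merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_keep_last(token: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', leaving separators so
    the downstream tool still sees the original shape."""
    remaining = sum(c.isdigit() for c in token)
    out = []
    for c in token:
        if c.isdigit():
            out.append(c if remaining <= keep else "*")
            remaining -= 1
        else:
            out.append(c)
    return "".join(out)


def mask_sensitive(text: str) -> str:
    """Scan decoded payload text and mask recognised identifiers in place."""
    def _pan(m):
        token = m.group(0)
        return mask_keep_last(token) if luhn_ok(re.sub(r"[ -]", "", token)) else token
    text = PAN_RE.sub(_pan, text)
    return SSN_RE.sub(lambda m: mask_keep_last(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample of decrypted form data.
    sample = "card=4111 1111 1111 1111&order=1234 5678 9012 3456&ssn=123-45-6789"
    print(mask_sensitive(sample))
```

The order number survives untouched because it fails the Luhn check, which is the kind of false-positive control that keeps masking from corrupting ordinary identifiers.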
5. Is it working? After the initial setup, it is important to verify that security
devices are performing as expected. This can be achieved with validation testing on
the network: a test solution that can generate encrypted malware samples and other
attack traffic helps expose any weaknesses in the deployment of your security
system. Furthermore, you can use it to evaluate prospective solutions, refine
configurations, and measure the performance of your existing tools.
6. Get help where you need it. With IT and security
professionals in short supply, outsourcing the logistical planning and
restructuring of your infrastructure may be the most cost-effective way to
implement TLS 1.3. In addition to updating web server software, devices that do
not support the new standard may need to be replaced and traffic rerouted. Allowing
a trusted third party to develop plans, select new vendors, optimize
configurations, and administer changes significantly reduces implementation
time and risks associated with network changeover.
Before you know it, most of the traffic on your network will
be encrypted. With the new standard requiring perfect forward secrecy, your
security deployment must support TLS 1.3 as well as decrypt, process, and
protect your data quickly and efficiently. If you want to build a robust
security architecture for your business and implement TLS 1.3, follow these
suggestions so that hackers don't stand a chance against your network.
## About the Author
Scott Register has more than 15 years of experience leading
product management operations for global technology companies and is currently
the vice president of product management leading the development of new Ixia
products in the areas of Security, Virtualization and Cloud. Scott also
spearheaded the company's visibility product line prior to his current role.
Scott brings to Ixia a broad experience in managing enviable
growth across a diverse range of environments, from embryonic to VC-backed
startup to multi-hundred-million-dollar product lines. Innovative and
energetic, Scott has a strong history of successful engagements with customers,
channels, and business partners on a global basis.
Prior to Ixia, he led product management at BreakingPoint
Systems where he was responsible for the industry's highest rated network
performance, security, and resiliency testing equipment, before the company was
acquired by Ixia.
Scott previously led product lines for Blue Coat, where he oversaw
the successful launch of a new appliance suite designed specifically for low
touch, rapid sales opportunities. At Check Point Software he managed all
aspects of FireWall-1 product and a suite of supporting products including
software management, load balancing, and intrusion protection systems.
He holds B.S. and M.S. degrees in computer science from the Georgia Institute of
Technology, where he also served as a member of the research faculty.